Microsoft Says Hackers Are Attacking Windows Users With a New Unpatched Bug (techcrunch.com)
Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10. From a report: But the software giant said there is currently no patch for the vulnerability. The security flaw, which Microsoft deems "critical" -- its highest severity rating -- is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened -- or viewed in Windows Preview -- an attacker can remotely run malware, such as ransomware, on a vulnerable device. The advisory said that Microsoft was aware of hackers launching "limited, targeted attacks," but did not say who was launching the attacks or at what scale.
Re: (Score:1)
Lol, the keyword here is "known" defects. This would be an unknown defect.
Re: (Score:2)
Actually no. This is a "long known recurrent vulnerability" for which exploits have appeared about once a year for the last 30 years.
The mitigation has been the same EVERY SINGLE TIME -- do NOT permit random third-parties to execute fonts on your computer.
Disconnect from the internet? (Score:2)
Every time you read an email, let alone visit a web page (even with Lynx) you are allowing third parties to run an ocean of code on your machine.
In this case, it looks like the code was run in the font engine. So might be just triggered by specially crafted text. Triggering yet another C-based buffer overflow?
Given the vast amount of code in many, many layers, that runs on a machine just to read an email, it is amazing that there is any security at all.
Re: (Score:2)
Hell, Windows itself is an unknown defect! [instantrimshot.com]
Re:Microsoft should be held criminally liable (Score:4, Interesting)
Are they withholding the fix? Or is it the fact they don't have it available yet?
It is like your boss yelling at you to get the project done, that you had just been given the specs for today, because he forgot to put you onto the project.
I like to bash MS as much as the next guy. However the situation is really bad.
1. Many people out of work/not working who are board, and angry. (that makes a small portion get into hacking)
2. Companies with reduced staff that makes applying fixes a slower process.
This reminds me of back in 2003 when a lot of IT workers got canned. And it seemed shortly after that time, a number of dangerous viruses and worms came out to attack Windows.
Re: (Score:2)
I'd be angry too if I were a board.
Re: (Score:2)
They withhold security fixes from Win7 users unless they have a corporate contract and pay. But home users don't even have that option. Yet products are still being released for the WinXP OS. You think Win7 is gone? Win10 has many more problems/crashes than Win7 these days.
They can't even give you the Win7 desktop glassy on Win10. I wanted more features out of a desktop -- not fewer. Why can't Win 10 host a better desktop, or at least the same.
Sometimes when I see a Metro desktop, it looks like a pop-
Re: (Score:1)
I always like to think if I had a billion-dollar company my first press release would read "we have patched a newly discovered bug that was used to
Re: (Score:2)
I'm wondering if Microsoft will leave Windows 7 users vulnerable to this.
Re: (Score:2)
I'm wondering if Microsoft will leave Windows 7 users vulnerable to this.
Are you paying for support? No? Then you get to live with the bug...
Re: (Score:3)
My vehicle is well over 20 years old and I still get safety recall notices.
Yeah, I've been getting those phone messages too, "this is the seventh warning that your warranty for your car is about to expire" something something. Ignore them, they're just spam.
Re: (Score:2)
For failure to correct known defects which put end users at unnecessary risk. This business of holding out patches to those who pay for shit that should never have happened in the first place should be outlawed globally.
My vehicle is well over 20 years old and I still get safety recall notices. This is no different.
So.. Who gets to go to jail? Seriously, you cannot toss a company into jail because it exists, at best, on paper.
MAYBE - just maybe - you really mean CIVILLY liable for not fixing "known bugs"? That's about all you could hope for - But if you signed the ULA, I'd be willing to bet you agreed to hold MS harmless and that you'd take arbitration over taking them to court.
And don't get me started on this "known" thing.. IF you think holding companies' feet to the fire on "known" bugs is going to help you, I s
Re: (Score:1)
So.. Who gets to go to jail?
The CEO, the manager of the team that wrote the security hole, and the programmer who wrote the security hole should all face jail time if they did not follow best practices.
For example, what techniques do you use to avoid XSS vulnerabilities in your code? If you can't name any, you should go to jail.
Re: (Score:2)
So.. Who gets to go to jail?
The CEO, the manager of the team that wrote the security hole, and the programmer who wrote the security hole should all face jail time if they did not follow best practices.
So, who defines what "best practices" is?
There is a wide range of practice that is used in the industry, who's to tell what's the "best" in the current situation and when the code was written? Me? You? The company? The Courts?
The problem with your idea and your criteria is that if you are going to make it a crime, you have to define exactly what is and isn't a crime so that it can be objectively argued by lawyers and decided on by the courts and a jury. I dare say something as subjective as "best practi
Re: (Score:2)
There is a wide range of practice that is used in the industry, who's to tell what's the "best" in the current situation and when the code was written? Me? You? The company? The Courts?
Yes, and politicians as well.
Re: (Score:2)
The market has spoken. Nobody cares. If they did, the Year of the Linux Desktop would be celebrating its 20th anniversary.
I don't get angry at Windows bugs, because by now everyone knows the risk. Because I don't want to get owned, I use Linux whenever I can (at least for the critical stuff). Sure, it may not meet your standard (or mine...) of quality, but if I've learned anything, it is that the common person would rather have something new, shiny, and Next Big Thing(tm) than something trustworthy
A new bug in windows? (Score:2)
And it's being exploited by hackers? No way!
Newfag opens dodgy file, gets hacked. (Score:1)
This isn't new.
Font vulnerabilities (Score:5, Interesting)
Windows' font system - the exploitation vector that just keeps giving and giving. How many font-related vulnerabilities have there been now? I know, nothing can top Adobe Reader, but still, MS is trying their hardest.
Re:Font vulnerabilities (Score:5, Informative)
I know, nothing can top Adobe Reader, but still, MS is trying their hardest.
The irony to that is Microsoft licensed the Windows font rendering engine/library from Adobe, which is exactly the Windows DLL vulnerable in this advisory....
Re:Font vulnerabilities (Score:4, Insightful)
It doesn't matter how many "layers" of security you have, if each layer is written by someone who writes security holes.
Re: (Score:2)
Shrek: Ogres are like security.
Donkey: They have holes?
Shrek: Yes. No.
Donkey: Oh, they make you insecure.
Shrek: No.
Donkey: Oh, you leave em out on the internet, they get all hacked, start sending spam.
Shrek: No. Layers. Security have layers. Ogres have layers. Security have layers. You get it? We both have layers.
Donkey: Oh, you both have layers. Oh. You know, not everybody like to work in security.
Re:Font C/C++ vulnerabilities (Score:2)
I'd bet pennies to pounds this is another error caused by using C/++. Buffer overflow etc.
For security, just stop using C/++. It was a bad idea when first developed, and a very bad idea now we have oceans of code.
Re: (Score:2)
This argument has gotten a bit old ... show me a viable operating system, which has not been written in C or C++
PS: with C++ container classes it is all but impossible to write code with buffer overflows
PPS: Aleph1's original paper about buffer overflows and their exploitation is over 20 years old. It speaks to the quality (or lack thereof) of these software teams, that this kind of software bug still pops up in production code.
Re: (Score:2)
That would also explain why they do not have a fix. They do not have the source or cannot build it!
Re: (Score:3)
Windows' font system
Yeah only MS doesn't know how to write a font system. Oh and it seems the open source community can't [mitre.org] do [mitre.org] so [mitre.org] either. [mitre.org]
Thankfully that's just libgraphite's font handling so it's limited to applications that use it, including Android OS, Firefox and Open Office, so every Linux desktop.
Oh wait, I guess libXfont has its share of problems [ubuntu.com] too.
Fortunately OSX's Core Text component is ... Oh For [mitre.org] Fucks [mitre.org] Sake [mitre.org]
Re:Font vulnerabilities (Score:4, Interesting)
Fortunately OSX's Core Text component is ... Oh For [mitre.org] Fucks [mitre.org] Sake [mitre.org]
Ahem.
All 3 of these vulnerabilities were patched long ago. Two of them only affect iOS before 9.1, macOS before 10.11.1 and iTunes before 12.3.1. The other one didn't affect anything other than macOS, and was also patched before 10.11.1.
Also, when they patched El Capitan (10.11) for this vulnerability in 2015, Apple went back and patched that (and other) vulnerabilities clear back to Mavericks (10.9). So that covers any Intel Mac; since anything that can run Snow Leopard (10.6) can run Mavericks (10.9).
https://support.apple.com/en-u... [apple.com]
As for iOS, the iOS 9.1 should have fixed this, too; which covers iPhones, iPads and iPod Touches back to iPhone 4s, iPad 2, and iPod Touch 5th generation.
https://support.apple.com/en-u... [apple.com]
https://www.igeeksblog.com/ios... [igeeksblog.com]
This might also be one of the times when Apple Updates older versions of iOS. In fact, they even updated iOS 9 about 6 months ago, IIRC.
So, there is absolutely no comparison in the Microsoft instance with Apple's full and complete response to the vulnerabilities you mentioned; but for some reason, chose not to show Apple's response-to.
Wonder why?
Re: (Score:2)
The thing is, font handling is hard. TrueType fonts are not mere geometric descriptions of characters, but are full fledged turing complete programs. Created in the 90s, of course.
It's why PostScript is Turing Complete - even though all it's supposed to do is describe how to draw some graphics.
Fonts are programs, and they often run in privileged levels of execution.
And why are they programs? Because the geometric shapes often need adjusting - for small sizes they may need to be "fattened" up so thin stroke
Re: (Score:1)
All 3 of these vulnerabilities were patched long ago.
Yes, that's how bugs work. Expect this one to be patched shortly too. Are you going to jump to the defense of MS in a few years then?
Two of them only affect iOS before 9.1, macOS before 10.11.1
And? This bug only affects Windows versions up to 10. Does patching code somehow form an indicator that the underlying code was perfect in the first place?
So, there is absolutely no comparison in the Microsoft instance with Apple's full and complete response to the vulnerabilities you mentioned; but for some reason, chose not to show Apple's response-to.
Yes, keep telling yourself that Apple's patch handling is magically different from Microsoft's.
Wonder why?
Because you're a fanboi. The rest of us don't wonder anything of the sort. I'm sorry I offended your religion. I'll try and be mo
"Font vulnerabilities" the new "Flash" ! (Score:2)
Homework for Microsoft's army of engineers while they are at home due to the corona virus.
Re: (Score:2)
I know, nothing can top Adobe Reader, but still, MS is trying their hardest.
Oddly, I think Adobe Flash had a longer monthly stream of critical vulnerabilities than just about any software I can think of. There was a stretch when we were updating Flash multiple times per month.
Forced update to Windows 10 (Score:3, Interesting)
The only fix is to update (not upgrade as it isn't) to Windows 10 when they issue a patch.
How shocking this was discovered only 10 weeks after Windows 7 support was dropped.
Shocking, I say! I am shocked by the purely coincidental timing of these two events! Shocked!
Re: Forced update to Windows 10 (Score:1)
The fact it is a font based attack is completely irrelevant. I didn't say a word about fonts. It could have been anything.
The issue is a huge number of people are happily running win7 or 8, don't want to switch and Microsoft has stated that's the only way to get a fix without reduced functionality.
As the kids say today, "You mad, bro?" (Did I say that right?)
Re: (Score:1)
No, your original fucking comment hinted that the security issue was made to force a fucking upgrade to Windows 10.
But it isn't, as font rendering vulnerabilities have been around, pretty much EVERY YEAR, for the past couple of decades.
Quit being disingenuous, you Republican twit.
Re: Forced update to Windows 10 (Score:1)
Again, sheep, you missed the point. It's not about the flaw. It's about the timing and refusal of Microsoft to ever issue a pre-win10 patch. You are a fucking moron. A true di
Re:Forced update to Windows 10 (Score:4, Insightful)
The only fix is to upgrade to Linux or MacOS ASAP.
Re: (Score:2)
Microsoft has issued security patches for Windows versions past their cutoff dates before, and may well do so again.
Re: Forced update to Windows 10 (Score:1)
They could change that stance of course but for the moment the official line is, "fuck you, biatches! Upgrade to Windows 10!"
Re: (Score:2)
I think they will. But we'll see.
Re: Forced update to Windows 10 (Score:1)
I have an old win7 machine I use for bill paying and light email. No way do I want to mess with it or change to 10 for this stuff.
Re: (Score:1)
If you pay bills online you'd better upgrade. Not to Windows 10, though; use Linux. If you like the Windows 7 look (not judging), check out ZorinOS or Linux Mint.
Re: (Score:2)
How shocking this was discovered only 10 weeks after Windows 7 support was dropped.
Shocking, I say! I am shocked by the purely coincidental timing of these two events! Shocked!
Tell me about it. I fully expected that Windows 7 once support was dropped would never have another bug identified. I'm as surprised as you were that that isn't the case. This is a damn conspiracy I tells you.
Re: (Score:2)
Unfortunately, win10 isn't the only vulnerable operating system. These vulnerabilities affect Win7 through win10 and the corresponding server versions.
Re: (Score:2)
They will have to fix this. Otherwise there will be too much damage.
vi is my shepherd (Score:2)
I shall not font.
Re: (Score:3)
I shall not font.
Emacs me lie down by still waters..
so it's not just the font rendering that is (Score:2)
a complete disaster under windows... There are at least 3 different text rendering engines/methods that *I* know of and can recall, all of them incomplete... the generic one, which you get when you render with the gdi graphics, a second one that you see in the new "windows 10" style of windows, another one that is used in cmd.exe... and their new "console", "windows terminal" what they call it, apparently uses *another* one.
Re: (Score:2)
You forgot one. GDI was superseded by Uniscribe during Windows XP days.
Fonts? Seriously? (Score:2)
I don't want to beat the "Macs don't get viruses, only Windoze does" drum too much, but a critical security flaw in how Windows handles and renders fonts that opens the door to remote execution of malware. Fonts? Really? JFC that is hopeless.
Hackers attacking Windows users (Score:3)
Windows Graphics in the kernel (Score:2)
Re: (Score:2)
Morons. Those that do not use sound engineering practices will cause untold damage.