
Microsoft Says Hackers Are Attacking Windows Users With a New Unpatched Bug (techcrunch.com)

Microsoft says attackers are exploiting a previously undisclosed security vulnerability found in all supported versions of Windows, including Windows 10. From a report: But the software giant said there is currently no patch for the vulnerability. The security flaw, which Microsoft deems "critical" -- its highest severity rating -- is found in how Windows handles and renders fonts, according to the advisory posted Monday. The bug can be exploited by tricking a victim into opening a malicious document. Once the document is opened -- or viewed in Windows Preview -- an attacker can remotely run malware, such as ransomware, on a vulnerable device. The advisory said that Microsoft was aware of hackers launching "limited, targeted attacks," but did not say who was launching the attacks or at what scale.

  • And it's being exploited by hackers? No way!

  • Font vulnerabilities (Score:5, Interesting)

    by Dan East ( 318230 ) on Monday March 23, 2020 @02:01PM (#59863710) Journal

    Windows' font system - the exploitation vector that just keeps giving and giving. How many font-related vulnerabilities have there been now? I know, nothing can top Adobe Reader, but still, MS is trying their hardest.

    • I know, fonts FFS.
    • by dissy ( 172727 ) on Monday March 23, 2020 @02:22PM (#59863758)

      I know, nothing can top Adobe Reader, but still, MS is trying their hardest.

      The irony to that is Microsoft licensed the Windows font rendering engine/library from Adobe, which is exactly the Windows DLL vulnerable in this advisory....

    • by phantomfive ( 622387 ) on Monday March 23, 2020 @02:24PM (#59863764) Journal
      Microsoft is the prime example that shows that security can't be "tacked on" as an afterthought. As a company MS has a huge security team, they do constant red/blue team exercises, they've audited their code multiple times, they have a high-paying bug bounty program (up to $300k for some bugs!), they have multiple layers. From a security standpoint they do a lot of "best practices" but they really need to do more on the developer education side.

      It doesn't matter how many "layers" of security you have, if each layer is written by someone who writes security holes.
      • Shrek: Ogres are like security.
        Donkey: They have holes?
        Shrek: Yes. No.
        Donkey: Oh, they make you insecure.
        Shrek: No.
        Donkey: Oh, you leave em out on the internet, they get all hacked, start sending spam.
        Shrek: No. Layers. Security have layers. Ogres have layers. Security have layers. You get it? We both have layers.
        Donkey: Oh, you both have layers. Oh. You know, not everybody like to work in security.

      • I'd bet pennies to pounds this is another error caused by using C/++. Buffer overflow etc.

        For security, just stop using C/++. It was a bad idea when first developed, and a very bad idea now we have oceans of code.

        • by kmoser ( 1469707 )
          It's C/C++ all the way down--until you hit the chip level, at which point it's microcode the rest of the way down. Unfortunately there are vulnerabilities every step of the way.
        • by Slayer ( 6656 )

          This argument has gotten a bit old ... show me a viable operating system, which has not been written in C or C++

          PS: with C++ container classes it is all but impossible to write code with buffer overflows

          PPS: Aleph1's original paper about buffer overflows and their exploitation is over 20 years old. It speaks to the quality (or lack thereof) of these software teams, that this kind of software bug still pops up in production code.

    • Funny you should mention *Adobe* -- as per the Microsoft Advisory: "that could leverage un-patched vulnerabilities in the Adobe Type Manager Library" all roads/vulnerabilities lead to Adobe!!
      • by gweihir ( 88907 )

        That would also explain why they do not have a fix. They do not have the source or cannot build it!

    • Windows' font system

      Yeah only MS doesn't know how to write a font system. Oh and it seems the open source community can't [mitre.org] do [mitre.org] so [mitre.org] either. [mitre.org]

      Thankfully that's just libgraphite's font handling so it's limited to applications that use it, including Android OS, Firefox and Open Office, so every Linux desktop.
      Oh wait, I guess libXfont has its share of problems [ubuntu.com] too.

      Fortunately OSX's Core Text component is ... Oh For [mitre.org] Fucks [mitre.org] Sake [mitre.org]

      • by NoMoreACs ( 6161580 ) on Monday March 23, 2020 @03:57PM (#59864036)

        Fortunately OSX's Core Text component is ... Oh For [mitre.org] Fucks [mitre.org] Sake [mitre.org]

        Ahem.

        All 3 of these vulnerabilities were patched long ago. Two of them only affect iOS before 9.1 macOS before 10.11.1 and iTunes before 12.3.1. The other one didn't affect anything other than macOS, and was also patched before 10.11.1.

        Also, when they patched El Capitan (10.11) for this vulnerability in 2015, Apple went back and patched that (and other) vulnerabilities clear back to Mavericks (10.9). So that covers any Intel Mac; since anything that can run Snow Leopard (10.6) can run Mavericks (10.9).

        https://support.apple.com/en-u... [apple.com]

        As for iOS, the iOS 9.1 should have fixed this, too; which covers iPhones, iPads and iPod Touches back to iPhone 4s, iPad 2, and iPod Touch 5th generation.

        https://support.apple.com/en-u... [apple.com]

        https://www.igeeksblog.com/ios... [igeeksblog.com]

        This might also be one of the times when Apple Updates older versions of iOS. In fact, they even updated iOS 9 about 6 months ago, IIRC.

        So, there is absolutely no comparison in the Microsoft instance with Apple's full and complete response to the Vulnerabilities you mentioned; but for some reason, chose not to show Apple's response-to.

        Wonder why?

        • by tlhIngan ( 30335 )

          The thing is, font handling is hard. TrueType fonts are not mere geometric descriptions of characters, but are full fledged turing complete programs. Created in the 90s, of course.

          It's why PostScript is Turing Complete - even though all it's supposed to do is describe how to draw some graphics.

          Fonts are programs, and they often run in privileged levels of execution.

          And why are they programs? Because the geometric shapes often need adjusting - for small sizes they may need to be "fattened" up so thin stroke

        • All 3 of these vulnerabilities were patched long ago.

          Yes, that's how bugs work. Expect this one to be patched shortly too. Are you going to jump to the defense of MS in a few years then?

          Two of them only affect iOS before 9.1 macOS before 10.11.1

          And? This bug only affects Windows versions up to 10. Does patching code somehow form an indicator that the underlying code was perfect in the first place?

          So, there is absolutely no comparison in the Microsoft instance with Apple's full and complete response to the Vulnerabilities you mentioned; but for some reason, chose not to show Apple's response-to.

          Yes, keep telling yourself that Apple's patch handling is magically different from Microsoft's.

          Wonder why?

          Because you're a fanboi. The rest of us don't wonder anything of the sort. I'm sorry I offended your religion. I'll try and be mo

    • Specifically this is a font vulnerability, but in general it's an issue where the presence of a malicious file on the file system is a security breach. Isn't this a textbook case of what the virus scanner is for? If my virus scanner doesn't protect me against this, then wtf is the point of my virus scanner that is a drag on my system resources?
    • Homework for Microsoft's army of engineers while they are at home due to the corona virus.

    • I know, nothing can top Adobe Reader, but still, MS is trying their hardest.

      Oddly, I think Adobe Flash had a longer monthly stream of critical vulnerabilities than just about any software I can think of. There was a stretch when we were updating Flash multiple times per month.

  • by Way Smarter Than You ( 6157664 ) on Monday March 23, 2020 @02:10PM (#59863732)
    The mitigations provided in the article reduce functionality and one may break third party apps.

    The only fix is to update (not upgrade as it isn't) to Windows 10 when they issue a patch.

    How shocking this was discovered only 10 weeks after Windows 7 support was dropped.

    Shocking, I say! I am shocked by the purely coincidental timing of these two events! Shocked!
    • by ellbee ( 93668 ) on Monday March 23, 2020 @02:29PM (#59863776)

      The only fix is to upgrade to Linux or MacOS ASAP.

    • Microsoft has issued security patches for Windows versions past their cutoff dates before, and may well do so again.

      • The Microsoft article says they won't.

        They could change that stance of course but for the moment the official line is, "fuck you, biatches! Upgrade to Windows 10!"
        • I think they will. But we'll see.

          • I certainly hope so but I'm not holding my breath. I know they've done post-deprecated patches before but they've reaaallly been pushing the win10 thing from day one of launch in a way they haven't anything else in a generation. I think odds are really good pre-win10 users are fucked if they want the real patch from Microsoft and not a third party kludge up.

            I have an old win7 machine I use for bill paying and light email. No way do I want to mess with it or change to 10 for this stuff.
            • If you pay bills online you'd better upgrade. Not to Windows 10, though; use Linux. If you like the Windows 7 look (not judging), check out ZorinOS or Linux Mint.

    • How shocking this was discovered only 10 weeks after Windows 7 support was dropped.

      Shocking, I say! I am shocked by the purely coincidental timing of these two events! Shocked!

      Tell me about it. I fully expected that Windows 7 once support was dropped would never have another bug identified. I'm as surprised as you were that that isn't the case. This is a damn conspiracy I tells you.

    • Unfortunately, win10 isn't the only vulnerable operating system. These vulnerabilities affect Win7 through win10 and the corresponding server versions.

    • by gweihir ( 88907 )

      They will have to fix this. Otherwise there will be too much damage.

  • I shall not font.

  • a complete disaster under windows... There are at least 3 different text rendering engines/methods that *I* know of and can recall, all of them incomplete... the generic one, which you get when you render with the gdi graphics, a second one that you see in the new "windows 10" style of windows, another one that is used in cmd.exe... and their new "console", "windows terminal" what they call it, apparently uses *another* one.

  • I don't want to beat the "Macs don't get viruses, only Windoze does" drum too much, but a critical security flaw in how Windows handles and renders fonts that opens the door to remote execution of malware. Fonts? Really? JFC that is hopeless.

  • by notdecnet ( 6156534 ) on Monday March 23, 2020 @08:34PM (#59864986)
    This has to be a new variant how to put a positive spin on yet another breach of that leaky tub known as Microsoft Windows. Tell us how exactly does the malware get into people's brains.
  • All because MS moved the graphics into the kernel, to speed up Windows.
