
SoylentNews is people

posted by LaminatorX on Thursday December 11 2014, @10:47PM
from the patchwork-guilt dept.

El Reg reports

Microsoft has patched 25 software vulnerabilities--including bugs that allow hackers to hijack PCs via Internet Explorer, Word and Excel files, and Visual Basic scripts.

Microsoft said its December edition of Patch Tuesday includes critical fixes for Windows, Office and Internet Explorer as well as a patch for Exchange.

MS14-80: Addresses 14 security flaws in Internet Explorer, including various remote-code execution vulnerabilities and an ASLR bypass. The patch is considered a low risk for Windows Server systems, but critical for desktops, laptops and tablets. All the flaws were privately reported, and credit was given to various independent researchers as well as the HP Zero Day Initiative, Qihoo 360 and VeriSign iDefense Labs.

MS14-81: Two vulnerabilities in Word and Office Web Apps that allow an attacker to remotely execute code on targeted systems if the victims open booby-trapped documents. This update also applies to users running Office for Mac. Credit was given to Google Project Zero researcher Ben Hawkes, who privately reported the flaws to Microsoft. Rated as Critical.

MS14-84: A remote-code execution vulnerability (CVE-2014-6363) in the Windows VBScript engine can be exploited via a specially crafted webpage. Credit for discovery was given to SkyLined and VeriSign iDefense Labs. Rated as Critical.

The article also mentions Adobe software and Linux. Are any Soylentils running that combination?

This discussion has been archived. No new comments can be posted.
  • (Score: 3, Funny) by Anonymous Coward on Thursday December 11 2014, @11:08PM

    by Anonymous Coward on Thursday December 11 2014, @11:08PM (#125295)

    It's nearly 2015 and your Linux boxen were able to be pwned by Bash scripts exploiting 25 year old bugs [wikipedia.org] and 23 year old [x.org] and 27 year old [theregister.co.uk] X11 vulnerabilities.

    Secure your own shit before throwing stones.

    • (Score: 0) by Anonymous Coward on Thursday December 11 2014, @11:49PM

      by Anonymous Coward on Thursday December 11 2014, @11:49PM (#125306)

      It's nearly 2015 and I have still received spoofed e-mails with someone spoofing my own e-mail (Gmail) address.

    • (Score: 0, Troll) by Anonymous Coward on Friday December 12 2014, @12:06AM

      by Anonymous Coward on Friday December 12 2014, @12:06AM (#125314)

      Wow, Microsoft's rapid response team still gets first post privileges.

      Simple answer: In Linux, these vulns are rare, and cause for intense discussion and activity to work out what went wrong and how to prevent similar failures. With Windows, it's grounds for a sigh, and a business as usual attitude.

      • (Score: 1, Insightful) by Anonymous Coward on Friday December 12 2014, @02:28AM

        by Anonymous Coward on Friday December 12 2014, @02:28AM (#125354)

        I too hate $hills who point out inconvenient facts I try to pretend don't exist.

        • (Score: 0) by Anonymous Coward on Saturday December 13 2014, @01:17AM

          by Anonymous Coward on Saturday December 13 2014, @01:17AM (#125665)

          How about ones that point out that MS has just had to fix 25 vulnerabilities in ONE patch. Shillboy is trying to conflate that with two Linux vulns identified in the past three months.

      • (Score: 2) by mcgrew on Friday December 12 2014, @02:50PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Friday December 12 2014, @02:50PM (#125465) Homepage Journal

        Wow, Microsoft's rapid response team still gets first post privileges.

        Simple answer: In Linux, these vulns are rare, and cause for intense discussion and activity to work out what went wrong and how to prevent similar failures. With Windows, it's grounds for a sigh, and a business as usual attitude.

        That comment was in no way a troll. WTF, Soylent? Obviously, MS shills have mod points today. That comment was 100% true and in no way inflammatory.

        I use both Windows and Linux; I have a W7 notebook, an XP tower and a kubuntu tower. I dread patch Tuesday when my notebook is unusable for half an hour; Linux has no such thing. When there's a bug fix, a message flashes, you click once and keep on working. The few times the kernel needs patching, rather than MS's nagging, it asks if you want to wait, reboot later, or not be reminded again.

        If I wanted to be nagged I'd have stayed married.

        I don't patch the XP box, I just keep it off of the network.

        I've been on Linux ten years and never had a single security problem. Meanwhile, back in the W98 days I was hacked twice and rooted by Sony's XCP malware. Fool me once...

        --
        mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @03:17AM

      by Anonymous Coward on Friday December 12 2014, @03:17AM (#125367)

      Don't worry. All these old bugs will be replaced by the more recent bugs in systemd-shell, and systemd-x that will replace these legacy systems you mentioned.

      Aside: no, I'm not the usual systemd troll around here, but couldn't resist in this case.

  • (Score: 0) by Pino P on Thursday December 11 2014, @11:18PM

    by Pino P (4721) on Thursday December 11 2014, @11:18PM (#125298) Journal

    The article also mentions Adobe software and Linux. Are any Soylentils running that combination?

    I use Xubuntu, Firefox, and Adobe Flash Player with the Flashblock extension [mozilla.org]. This lets me view SWF on Newgrounds, Kongregate, Dagobah, Albino Blacksheep, and certain YouTube videos with ads, without Flash ads interfering with my experience on other sites. And until third-party SWF players such as Gnash or Mozilla Shumway mature, I imagine most users of desktop X11/Linux have run Adobe Flash Player at least once within the past 3 months.

    • (Score: 2) by Snotnose on Friday December 12 2014, @12:27AM

      by Snotnose (1623) on Friday December 12 2014, @12:27AM (#125323)

      I've got Kali Linux with Iceweasel. About 2/3 of the webpages throw up a popup "want to install plugin required to render this page correctly: Flash". I always dismiss it, and so far all pages have rendered properly. I'm guessing it's the ads on the pages that want flash.

      Doesn't bother me, I use the lappie for pen testing and writing device drivers. I've got a much more capable system (read: bigger screen) that I use to browse the web with while doing said testing and writing drivers.

      --
      Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @01:04AM

      by Anonymous Coward on Friday December 12 2014, @01:04AM (#125330)

      And if ever third-party SWF players such as Gnash or Mozilla Shumway mature

      FTFY

  • (Score: 4, Informative) by dlb on Thursday December 11 2014, @11:20PM

    by dlb (4790) on Thursday December 11 2014, @11:20PM (#125299)
    I knew better than to install the latest MS updates last night, rather than to wait a few days like I usually do. But I did it anyway. And rebooted to find Virtualbox unable to launch any VMs. Wasted over an hour finding and fixing the problem and getting back to normal.

    Heads up if you use Virtualbox: https://forums.virtualbox.org/viewtopic.php?f=6&t=64777&start=60 [virtualbox.org]
    • (Score: 0) by Anonymous Coward on Thursday December 11 2014, @11:58PM

      by Anonymous Coward on Thursday December 11 2014, @11:58PM (#125310)

      Which part of "Microsoft product" did you not understand?

    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @01:43AM

      by Anonymous Coward on Friday December 12 2014, @01:43AM (#125346)

      The virtualbox dudes have really screwed the pooch here. They have basically been broken with respect to this sort of thing for the past 6 months. They have decided a whitelist is the way to go with respect to dlls. I have been stuck on .12 because of this junk. Borderline considering going to go buy me a copy of vmware. They are also shutting down anyone who wants to talk about it other than 'it's broken and here is my log'.

    • (Score: -1, Flamebait) by Anonymous Coward on Friday December 12 2014, @06:24AM

      by Anonymous Coward on Friday December 12 2014, @06:24AM (#125388)

      Hairyfeet: "It's not Microsoft, they can do no wrong. VirtualBox is a poorly written software, that or the User has no l33t skillz"

  • (Score: 3, Informative) by Hairyfeet on Thursday December 11 2014, @11:25PM

    by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Thursday December 11 2014, @11:25PM (#125301) Journal

    If you are still running with no protection and allow scripts from just anywhere to run? Then you sir or madam are an idiot and deserve what you get. The exact same thing can be done on Linux with the how to write a Linux virus in 5 easy steps [geekzone.co.nz] showing a perfect example. Trick user with social engineering, run scripts without any sort of protection, get pwned. It's just that simple folks.

    Oh and for those that say "it doesn't work that way in real life"? Look up the KDELook bug, the Ubuntu screensaver bug, sorry if I can't remember the name of it but Linux Insider just the other day was talking about how a former Windows bug now has a multiplatform payload that includes Linux targeted malware. So it's nothing to do with any OS, if you are downloading and running strange scripts from third parties without protection and/or sandboxing? Then I'm sorry but you deserve what you get, there is simply no way to make ANY OS 100% moron proof without taking control of the system from them and handing it to corporate and even that doesn't give you 100% protection, see the recent malware in the Apple AppStore.

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @01:06AM

      by Anonymous Coward on Friday December 12 2014, @01:06AM (#125332)

      That screensaver bug wasn't in the official repos, it was a download on gnome-look.org and was promptly removed

    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @01:33AM

      by Anonymous Coward on Friday December 12 2014, @01:33AM (#125341)

      Are you really this stupid?

    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @01:42AM

      by Anonymous Coward on Friday December 12 2014, @01:42AM (#125345)

      how to write a Linux virus

      Virus == self-replicating
      Something that doesn't automagically spread from box to box is NOT a virus.

      Malicious script != virus
      PURPOSELY giving something executable privileges then PURPOSELY running it in no way resembles a Windoze drive-by infection.

      You've been told BEFORE that that link's title is crap yet you continue to point to it.
      That is called TROLLING.

      ...and what a crap page (construction-wise).
      It won't allow me to link to my favorite comment there (by diddy).

      Felice right below him hits the points I would have made.

      .
      Now, if Linux *was* so easy to infect, Google (with over 1e6 machines running Linux) would constantly be flat on its face and would be in the headlines for that on a recurring basis.
      Doesn't happen.

      -- gewg_

      • (Score: 2) by mcgrew on Friday December 12 2014, @03:19PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Friday December 12 2014, @03:19PM (#125479) Homepage Journal

        Harryfeet isn't a troll, he's a shill. He fixes Windows computers for a living and lives in fear that Linux will take over.

        --
        mcgrewbooks.com mcgrew.info nooze.org
        • (Score: 0) by Anonymous Coward on Friday December 12 2014, @08:23PM

          by Anonymous Coward on Friday December 12 2014, @08:23PM (#125580)

          I think you are aware that I already know all of that and that you are more in broadcast mode for those who are new here.

          ...but he's actually both.
          When someone says things that he KNOWS aren't true, that's classic trolling and, as I noted, he's been called on this one before.

          -- gewg_

        • (Score: 2) by Hairyfeet on Friday December 19 2014, @03:31AM

          by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday December 19 2014, @03:31AM (#127370) Journal

          ROFLcopter with numbers literally lower than "other" [hitslink.com] which is generally accepted to be 98/2K and Chinese Droid knockoffs? You got better odds of winning the powerball 6 times while screwing ScarJo AND getting hit in the balls by a bolt of lightning than Linux EVAR even reaching 5 fucking percent ROFL! In fact in honor of Linux and its "great success" here is a song 4 you [youtube.com] LOL!

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 2) by Marand on Friday December 12 2014, @05:46AM

      by Marand (1081) on Friday December 12 2014, @05:46AM (#125383) Journal

      First off, that link's ridiculously outdated. I know that KDE implemented a first-run warning on new .desktop (the launcher files referred to in the article) years ago. Your first attempt to run a new .desktop file of any kind shows you the command it's attempting to run and forces you to confirm that you want to do it, and if you agree it will remember your choice. It's a user-friendly equivalent to the one-time step of making a file executable.

      This also applies to .desktop files in your Autostart, so if something tries to sneak a new autorun in, on your next login you'll get a suspicious new prompt to run a command that wasn't there before. Just like if something else tries to run a .desktop file to do something similar. Sure, a clueless newbie can still blindly click through and create a mess, but that's not a bad thing.

      It's possible GNOME still silently runs them, but I'd be amazed at the incompetence if it still does, and it would be a good reason to discourage GNOME use (not that GNOME3 needs any more discouragement than just being GNOME3). I can't test because I don't have GNOME3 installed.

      Still, the point here is that it's not a good link to trot out to make your point. It was a bad design decision that got questioned and got fixed, at least by one of the DEs mentioned in the article. Bringing up a 2009 problem when it's almost 2015 is about as relevant as linking to an article about Windows 98's bluescreen problems in a discussion about Windows 7.

      So it's nothing to do with any OS, if you are downloading and running strange scripts from third parties without protection and/or sandboxing? Then I'm sorry but you deserve what you get, there is simply no way to make ANY OS 100% moron proof without taking control of the system from them and handing it to corporate and even that doesn't give you 100% protection, see the recent malware in the Apple AppStore.

      I actually agree with this. Unless all you want is an appliance, the risk is just an inherent part of having a flexible system. You can't have flexible, powerful software without having the option to shoot yourself in the foot if you do something stupid.
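Added example, not part of any comment in this thread and not KDE's code: a sketch of the first-run confirmation idea Marand describes, applied as an audit of autostart `.desktop` entries. The file names, commands and the `approved` store are constructed for illustration.

```python
"""Audit autostart .desktop entries against previously approved commands."""

def parse_exec(desktop_text):
    """Return the Exec= value of the [Desktop Entry] group, or None.

    Exec= lines in other groups (e.g. [Desktop Action ...]) are ignored,
    and an entry marked Hidden=true is treated as absent.
    """
    in_main = False
    exec_cmd = None
    hidden = False
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_main = (line == "[Desktop Entry]")
            continue
        if not in_main or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Exec":
            exec_cmd = value
        elif key == "Hidden" and value.lower() == "true":
            hidden = True
    return None if hidden else exec_cmd


def review(entries, approved):
    """Return (name, status, command) for entries that need confirmation.

    entries:  {file name: file contents}
    approved: {file name: command the user confirmed earlier}
    """
    pending = []
    for name, text in sorted(entries.items()):
        cmd = parse_exec(text)
        if cmd is None:
            continue
        if name not in approved:
            pending.append((name, "new", cmd))
        elif approved[name] != cmd:
            pending.append((name, "changed", cmd))
    return pending


def approve(approved, name, cmd):
    """Remember the user's choice so the same command is not asked again."""
    approved[name] = cmd


# Constructed sample data (not taken from a real system).
SAMPLE_ENTRIES = {
    "clipboard.desktop":
        "[Desktop Entry]\nType=Application\nName=Clipboard\n"
        "Exec=/usr/bin/clipman\n",
    "updater.desktop":
        "# appeared in the autostart directory since the last login\n"
        "[Desktop Entry]\nType=Application\nName=Updater\n"
        "Exec=/home/user/.cache/upd/run --silent\n",
    "editor.desktop":
        "[Desktop Entry]\nType=Application\nName=Editor\n"
        "Exec=/usr/bin/editor %F\n"
        "[Desktop Action new-window]\nName=New Window\n"
        "Exec=/usr/bin/editor --new\n",
    "old.desktop":
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/old\nHidden=true\n",
}
APPROVED = {
    "clipboard.desktop": "/usr/bin/clipman",
    "editor.desktop": "/usr/bin/editor %U",
}

if __name__ == "__main__":
    for name, status, cmd in review(SAMPLE_ENTRIES, APPROVED):
        print(f"{status:8} {name}: {cmd}")
```
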

      • (Score: 2) by Hairyfeet on Saturday December 13 2014, @09:44AM

        by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Saturday December 13 2014, @09:44AM (#125723) Journal

        Uhhh...didn't bother to read TFL? He actually posts a follow up that covers pretty much everything you bitch about and guess what? It STILL works, it works because social engineering is smarter than your OS and it always will be, I'm sorry if that bursts your bubble but that is a fact. I work on Windows PCs 6 days a week and if you removed social engineering? I wouldn't have a job because I haven't seen a bug that didn't use social engineering get any traction in ages. That's just the way it is, robbers go where the money is, malware writers target the weakest link which is ALWAYS gonna be PEBKAC.

        So wave your penguin flag all you want, the ONLY thing that saved Linus and co's ass was security by obscurity, see Shellshock, Heartbleed, the over 2 million infected Android systems for examples. Your OS is just as pwned as everybody else now so welcome to the party pal, coffee and donuts are in the back.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
        • (Score: 2) by Marand on Saturday December 13 2014, @02:47PM

          by Marand (1081) on Saturday December 13 2014, @02:47PM (#125756) Journal

          Uhhh...didn't bother to read TFL? He actually posts a follow up that covers pretty much everything you bitch about

          I actually did read it, smart-ass, and the follow-up is just as outdated and wrong as the original link. He didn't address what I was referring to at all, and you apparently didn't understand what I was saying if you think he did. They changed the .desktop file handling behaviour so that you get a warning/request for any new .desktop file's first run. It adds an extra step to help mitigate accidental runs and the like, and it was changed to do that a few years ago after people realised it was unsafe and attention was drawn to it in a few linux-related news sites.

          It STILL works, it works because social engineering is smarter than your OS and it always will be, I'm sorry if that bursts your bubble but that is a fact

          I never said it stopped people from doing dumb things. In fact, I explicitly said the opposite, pointing out that the change doesn't stop a person that's determined to do something bad. I even said it twice! Since you missed them the first time:

          "Sure, a clueless newbie can still blindly click through and create a mess, but that's not a bad thing."
          "Unless all you want is an appliance, the risk is just an inherent part of having a flexible system. You can't have flexible, powerful software without having the option to shoot yourself in the foot if you do something stupid."

          So wave your penguin flag all you want, the ONLY thing that saved Linus and co's ass was security by obscurity, see Shellshock, Heartbleed, the over 2 million infected Android systems for examples. Your OS is just as pwned as everybody else now so welcome to the party pal, coffee and donuts are in the back.

          Dude. Is it your reading comprehension or your grip on reality that's complete shit? I didn't "wave [my] penguin flag", I didn't compare Linux to Windows in any way, and I didn't make any attempt to suggest it was infallible. All I said is your link is horribly outdated and you should find something more current to make your point, because huge chunks of it are irrelevant now.

          Like I said already, if somebody trotted out a link to an article about bad design, security flaws, and crashing in Windows 98, you'd be all over them telling them how it's irrelevant, outdated, and inaccurate. Same is true here. You can't just keep citing old references, sometimes you have to update them because things change. That's all I'm saying.

          I commented because I'm familiar enough with the OS that I saw the information was terribly outdated and thought you'd want to know and maybe find something newer to use in the future. That was my mistake; I should have just ignored it because now you're just targeting me with your usual crap where you ignore what's actually being said so you can push faulty logic and bad arguments regardless of reality.

    • (Score: 2) by mcgrew on Friday December 12 2014, @03:03PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Friday December 12 2014, @03:03PM (#125470) Homepage Journal

      If you are still running with no protection and allow scripts from just anywhere to run? Then you sir or madam are an idiot

      Only if they've been informed, otherwise they're simply ignorant.

      The exact same thing can be done on Linux with the how to write a Linux virus in 5 easy steps showing a perfect example. Trick user with social engineering, run scripts without any sort of protection, get pwned.

      A trojan is not a virus. Your "write a Linux virus" is an ignorant headline.

      I googled for your KDE-look bug; no dice. Got a link?

      there is simply no way to make ANY OS 100% moron proof

      That is indeed correct. Now if we could make software houses idiot-free...

      --
      mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 0) by Anonymous Coward on Friday December 12 2014, @12:12AM

    by Anonymous Coward on Friday December 12 2014, @12:12AM (#125317)

    Run an always-on background service which hooks every object which can execute.
    If the object file or folder is not on a specified whitelist, the hooking service will.....
    suspend the object from executing,
    read the binary text strings or lines of code, and write all into a popup message box for your inspection.
    The message box waits,
    at the bottom of the message box you have buttons [continue execution, and exit] [do not execute, and exit] [open containing folder, and wait]

    This solution would give fine-grained control and feedback to power users and average users who have a desire to learn more.

    Now that I think about this some more, I feel like I am describing what firewalls do!

    • (Score: 2) by DECbot on Friday December 12 2014, @01:08AM

      by DECbot (832) on Friday December 12 2014, @01:08AM (#125333) Journal

      Not trying to systrolld, but this looks like something worthwhile to add to an init system--if you can trust it.

      --
      cats~$ sudo chown -R us /home/base
    • (Score: 0) by Pino P on Friday December 12 2014, @03:02AM

      by Pino P (4721) on Friday December 12 2014, @03:02AM (#125364) Journal

      In a mechanism to implement an executable whitelist policy, how would you provide for something like Steam, which is designed for the installation of executable code?

      • (Score: 0) by Anonymous Coward on Friday December 12 2014, @08:51AM

        by Anonymous Coward on Friday December 12 2014, @08:51AM (#125410)

        From my reading of the parent post, your scenario is covered. He states 'If the object file or folder is not on a specified whitelist' meaning the object to be whitelisted may be a file or it may be a folder.

        If Steam is programmed to dump files in ever-changing parent directories on the system then that is a problem with Steam's design and not the parent poster's design.

  • (Score: 4, Insightful) by Justin Case on Friday December 12 2014, @12:50AM

    by Justin Case (4239) on Friday December 12 2014, @12:50AM (#125329) Journal

    It seems obvious, but somehow the teeming masses still don't get it... whoever writes programs that run on your thing gets to control what your thing does. Don't run programs from people you don't trust!

    How to distinguish programs from data files?

    How to tell whether a random click will "run" something instead of just "opening" it?

    How to decide which strangers to trust?

    Unsolved problems, all. Computers are still an experimental technology. Who told you they were ready to be relied upon?

    • (Score: 2) by mcgrew on Friday December 12 2014, @03:40PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Friday December 12 2014, @03:40PM (#125486) Homepage Journal

      How to distinguish programs from data files?

      In *nix, if the "execute" bit is set, it's a program, otherwise it's a file. That's actually one of Windows' biggest security problems, that it detects executables by extension, there are several executable extensions, and what's worse, the extensions are hidden by default, so when you send picture.jpg.exe in an email, most Windows users will only see picture.jpg. Stupidly (or uncaringly) dangerous.

      What's worse is that many Windows data files are actually "active content"; you can take over a Windows computer with a wma file, unlike the data-only ogg or mp3.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 0) by Anonymous Coward on Friday December 12 2014, @08:52PM

        by Anonymous Coward on Friday December 12 2014, @08:52PM (#125588)

        there are several executable extensions

        Actually, DOZENS. [googleusercontent.com]
        Scroll down past the As a minimum, we recommend blocking the following file types thing. (orig) [governmentsecurity.org]

        and what's worse, the [extensions] are hidden by default

        In the history of software design, this has to be the most monumentally stupid decision ever.

        Of course, MICROS~1 -had- to do this or the dunderheads who continue to use the most-fragile OS could easily alter the extension while renaming one of those files, requiring a call to the Windoze support crew.

        gewg_
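Added example, not part of any comment in this thread: a mail-gateway style check for the `picture.jpg.exe` case mcgrew describes, showing the name a user sees with extensions hidden next to what the file really is. The extension sets are an illustrative subset chosen for this example (not the list linked above), and the attachment names are constructed.

```python
"""Flag attachment names whose visible name hides an executable extension."""
from pathlib import PureWindowsPath

# Illustrative subset of extensions Windows will run when double-clicked.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".wsf", ".hta", ".cpl", ".msi", ".lnk",
}
# Extensions a user reads as "just a document, picture or song".
DATA_EXTS = {
    ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt",
    ".doc", ".docx", ".xls", ".xlsx", ".mp3", ".ogg",
}


def displayed_name(filename):
    """Name shown when the final extension is hidden.

    Assumption: the final extension is a registered file type, so the
    shell hides it; the rest of the name is shown unchanged.
    """
    p = PureWindowsPath(filename.strip())
    return p.stem if p.suffix else p.name


def classify(filename):
    """Return 'masquerade', 'executable' or 'ok' for one file name."""
    p = PureWindowsPath(filename.strip())
    suffixes = [s.lower() for s in p.suffixes]   # extensions are case-insensitive
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # Runnable file whose visible name ends in a data-looking extension.
    if len(suffixes) >= 2 and suffixes[-2] in DATA_EXTS:
        return "masquerade"
    return "executable"


def triage(filenames):
    """Map each name to (what the user sees, verdict)."""
    return {name: (displayed_name(name), classify(name)) for name in filenames}


# Constructed attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "picture.jpg.exe",      # the case from the comment above
    "Invoice.PDF.Js",       # mixed case must not slip past the check
    "setup.exe",            # runnable, but not disguised
    "notes.v1.2.txt",       # several dots, still plain data
    "README",               # no extension at all
]

if __name__ == "__main__":
    for name, (shown, verdict) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:11} real={name!r} shown={shown!r}")
```
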

  • (Score: 0) by Anonymous Coward on Friday December 12 2014, @05:49AM

    by Anonymous Coward on Friday December 12 2014, @05:49AM (#125384)

    None of these exploits has any effect on properly set up HIPS.

  • (Score: 3, Insightful) by rts008 on Friday December 12 2014, @05:51AM

    by rts008 (3001) on Friday December 12 2014, @05:51AM (#125385)

    If you are connected, you are vulnerable. Period.

    Hardware and software are currently too complex to fully 'cover your bases' for all use cases.

    Many well thought out plans seem perfect/ideal...until you introduce humans into the equation...then Demon Murphy(of Murphy's Law fame) rules the roost, and all goes to hell in a hand basket.

    There will always be an unexpected edge case that breaks the system enough to be exploited by observant persons.

    We humans have been 'gaming the system' for our benefit since before we had fire or 'civilisation', and computers/networks are different somehow?

    • (Score: 2) by WillR on Friday December 12 2014, @02:56PM

      by WillR (2012) on Friday December 12 2014, @02:56PM (#125468)
      And as Stuxnet taught the world, if you think you are not connected... you are probably still connected.
  • (Score: 1) by broggyr on Friday December 12 2014, @03:09PM

    by broggyr (3589) <broggyrNO@SPAMgmail.com> on Friday December 12 2014, @03:09PM (#125473)

    It's nearly 2015 and we're still using 'pwned'.

    --
    Taking things out of context since 1972.
    • (Score: 0) by Anonymous Coward on Friday December 12 2014, @07:05PM

      by Anonymous Coward on Friday December 12 2014, @07:05PM (#125552)

      Would you prefer PwN3d?