SoylentNews is people
SoylentNews
Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich claim to have found a critical vulnerability in Windows. The details of the flaw will likely be disclosed in 90 days from now even if a patch is not available.
Ormandy announced over the weekend on Twitter that he and Silvanovich had discovered "the worst Windows remote code exec [vulnerability] in recent memory."
The expert has not shared any details, but he has clarified that the exploit they created works against default Windows installations, and the attacker does not need to be on the same local area network as the victim. He also said the attack is "wormable."
[Ed - According to ghacks.net and ArsTechnica the vulnerability was in Windows Defender and has been patched by Microsoft - fnord]
(Score: -1, Flamebait) by Anonymous Coward on Tuesday May 16 2017, @02:27AM
I os so Insightfull
Mod ^up Agree +10
(Score: 2) by butthurt on Tuesday May 16 2017, @02:56AM (1 child)
RCE appears to be short for "remote code execution".
http://www.abbreviations.com/serp.php?st=RCE&p=99999 [abbreviations.com]
(Score: 0) by Anonymous Coward on Tuesday May 16 2017, @11:13AM
The abbreviation RCE is used in the title of this story.
Hmmm … but what to do for those who don't read comments either? :-)
(Score: 2, Insightful) by Anonymous Coward on Tuesday May 16 2017, @07:48AM (7 children)
The details of the flaw will likely be disclosed in 90 days from now
So in 90 days, we will be allowed to know which services to disable, which ports to block on the firewall and which business processes to start looking for workarounds for. All because irresponsible companies want to have 90 days for marketing to do damage control before the potential victims get told what they need to protect themselves against.
(Score: 2, Insightful) by anubi on Tuesday May 16 2017, @08:26AM (2 children)
This is a business grade system, not one that is supported by the user community.
If it was OUR thing, whether it be our computer, our kid, our car, our house, whatever, if something's amiss, we want to address the problem NOW! We are fully aware that a tiny thing can get big fast if not addressed in a timely manner. Not only is it our responsibility to manage our stuff, we also take the direct financial hit personally for our decisions.
Now business-men have a luxury we don't have. They have the dollar and the luxury of delegation that comes with it; they do not need to know how their stuff works. Any problems can wait until business hours. No-one is going to be asked to personally sacrifice their stuff because of a loss.
A lot of us are highly annoyed when we don't know ( especially if we are actively *prevented* from knowing ) how our stuff works. We often do not want to have to call a repair person into our home all the time. Service calls are inconvenient, expensive, and comes directly out of my *own* pocket. I fix my own stuff. I have *never* had to take my computer, TV, or any other electrical appliance to the repair shop. ( Albeit I admit a visit by a plumber regarding a stuck shower valve ). One of the main drivers behind my getting a 20 year old van is I understood how it worked - and with that came the trust I need to have for anything I have in my life. If I can't trust it, I try like the dickens to not involve myself with it. If it fux me over royally, I end up taking the financial hit *personally*
However, if the business-man gets fuxor'd by misplaced trust, its nothing more than a line-item on some report. The decision-maker will not be asked to pay the bill for his bad decision. How about that other story today here about "run coal!".
When these guys get that high up in business, its not what they do, or what they know, its who they know, and the ability to convince a higher-up businessman that they are more valuable than someone else that might actually give a damm what happens and be able to do something about it!
Empirical evidence seems to suggest that as far as management of computer stuff goes, ignorance is bliss.
And that paradigm does not go over very well in this crowd....
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by PiMuNu on Tuesday May 16 2017, @08:34AM (1 child)
> Now business-men have a luxury we don't have. They have the dollar and the luxury of delegation that comes with it;
> they do not need to know how their stuff works. Any problems can wait until business hours. No-one is going to be
> asked to personally sacrifice their stuff because of a loss.
Yeah and thank goodness for that - would you want boss phoning you at 3 am in the morning because some google f*cker posted an exploit on windows without give microsoft a chance to make a patch?
(Score: 1) by anubi on Tuesday May 16 2017, @10:55AM
Very true!!! Can you imagine the problems businessmen would have getting anyone to implement "business-grade" systems if things like that happened?
If I did a bad job plumbing my water heater, about the last thing I want is a 3AM call to fix the thing!
Nobody wants to have to attend to this kind of stuff. Nobody.
I avoid it like the plague. By design. As that's all I really have to work with. Because if I do not do it right, its ME that has to MAKE it right!
Personal Responsibility has a hell of an impact on my mindset. I can't just simply delegate it to someone else. Neither can most of the rest of us. Poorly done crap and lack of knowing what we are doing comes directly our of our hide.
Even though a rubber hose may be the cheapest and most universal solution, I won't use one on the water heater. For that reason.
When I take my time to implement something, I usually mean it to last. Latest example, I flat insisted on BERU glow plugs for my diesel van... previous study on the internet told me people were having problems with the other brands of glow plugs... namely getting them back out if they ever fail.
I try to think ahead, at least by 20 years, as things I do today can have a helluva effect on my bottom line in a few years.
My mentor at Chevron stressed to me the very same thing.
If I thought just for maximizing for the present quarter, I would be up to my arse in yesterday's poorly implemented crap.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Tuesday May 16 2017, @08:36AM
you forget, some 'responsible' businesses use that time to develop and deploy a patch for the hole, before every scriptkiddie in the world makes you wannecry some more
those rules are there for the good guys, bad guys abuse the rules for personal gain instead of improving the world
(Score: 3, Interesting) by TheRaven on Tuesday May 16 2017, @11:28AM (1 child)
It sounds like it was the one that was disclosed last week. Remember a year or two ago there was a vulnerability in Norton Antivirus where it decided to decode untrusted images in a component running with kernel privileges and so a maliciously crafted image could exploit a bug in the decoder library and cause arbitrary code execution in the kernel? It turns out Microsoft used almost exactly the same antipattern, only in their case it was a JavaScript engine (which runs anything that comes over the network and looks like it might be JavaScript).
It's pretty depressing that either of them managed to ship this. Anyone writing software should know to always try decoding untrusted data with minimal privileges. Ideally, you'd do it in a sandbox with something else monitoring the sandbox and looking for any suspicious behaviour.
sudo mod me up
(Score: 3, Interesting) by TheB on Tuesday May 16 2017, @08:35PM
Yep, that bug is so last week.
Here is today's windows bug.
Uses Windows Task Scheduler to bypass UAC on Win10
https://tyranidslair.blogspot.co.uk/2017/05/exploiting-environment-variables-in.html [blogspot.co.uk]
(Score: 0) by Anonymous Coward on Tuesday May 16 2017, @11:48AM
...can't mod insightful without an account though, so have some spam to the same end.
(Score: 2) by PiMuNu on Tuesday May 16 2017, @08:39AM (2 children)
... just saying.
(Score: 2, Insightful) by anubi on Tuesday May 16 2017, @11:30AM (1 child)
I think the problem is someone trying to control stuff after they have sold it.
In my mind, the only way such a thing should happen is if the new owner deliberately runs a program that allows this to happen.
Likewise, the new owner should have the power to revoke continued access at any time.
Plumbing analogy: In my mind, a plumber has no right to enter my home at any hour of the day or night, unannounced, to "upgrade" my water heater. If his services are needed, I will pre-arrange a time and place to do the deed. I will unlock the door, invite him in, and watch. When the deed is done, I pay him, and he goes away.
He does not stay in my house. Poking into everything.
In today's business scenarios, way too many "plumbers" have been given "rights" by the "homebuilder" to come in willy-nilly and many have been up to no good - messing with things they have no business messing with. If he thinks he needs to go through my tax files, I want to see him try and I need an explanation right then as to why he needs this... instead of letting him into everything behind my back.
Businessmen seem to tolerate this kind of crap.
I won't.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by PiMuNu on Tuesday May 16 2017, @12:52PM
> I think the problem is someone trying to control stuff after they have sold it.
I agree with most of your comment (and interestingly, I sort of agree with the other one above). But I believe it is possible to turn off/suppress windows update by tinkering (for example, enterprise customers run their own patch cycle).
(Score: 1) by anubi on Wednesday May 17 2017, @07:03AM
Believe me, I did.... and thoroughly backed up via CloneZilla just in case they override and zonk me anyway.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]