SoylentNews is people

posted by janrinok on Sunday October 23 2016, @12:34AM
from the stopped-in-their-tracks dept.

Kaspersky Labs researcher Anton Ivanov says an advanced threat group was exploiting a Windows zero day vulnerability before Microsoft patched it last week.

Microsoft says the graphics device interface vulnerability (CVE-2016-3393) allowed attackers to gain remote code execution and elevation of privilege powers.

Ivanov's analysis reveals a hacking group dubbed FruityArmor was exploiting the vulnerability in chained attacks, using a True Type Font to trigger the bug.

[...] The attack saw browser sandboxes broken and higher privileges attained before a second payload executed with the newly-acquired higher access privileges.

Windows 10's efforts to push font processing into a special user mode that restricts privileges did not stop the exploit.


  • (Score: 3, Insightful) by SomeGuy (5632) on Sunday October 23 2016, @03:56AM (#417740)

    I've noticed the fad the last few years of web sites using automatically downloadable fonts for all kinds of crap. Especially for symbols and crap that should be images instead. Oh, sure, don't worry about it, no possible security hazards here, just drop whatever you want into this internal Windows system that probably hasn't been cleaned up since Windows 2000. What could possibly go wrong?

    And very annoying visiting web sites on machines where that "feature" is sensibly not available.

  • (Score: 2, Informative) by Anonymous Coward on Sunday October 23 2016, @05:06AM (#417759)

    What makes me laugh is that I've noticed on more than a few occasions that the icon font is larger than if they just included them as images. Which means that someone went through all the hard work of creating the custom font and getting all the frontend people to use it and they don't actually save any space or alleviate any design problems.

  • (Score: 3, Informative) by acharax (4264) on Sunday October 23 2016, @06:26AM (#417772)

    It all stems from the faulty presumption of many web 2.0 hacks ("designers") that webpages should appear 100% identical to every client; these are the same people that previously insisted on using PDFs for their overdesigned pages when they discovered that the junk they assembled in their warez copy of Dreamweaver didn't look exactly the same when they loaded it in Netscape and IE.

    ...and fonts, a lot of people assume they're just simple graphic files like old bitmap fonts were but they're actually a series of bytecode instructions fed to an interpreter to correctly render glyphs, yeah nothing at all can go wrong there if you allow bytecode from a remote location to execute unchecked in an interpreter in which many safeguards were sacrificed on the altar of performance back in decades past.

    • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @06:31AM (#417774)

      It is frustrating when managers etc. approve something, and then the client bungles it to hell. WYSIWYG is a good thing that has been ruined by the flow-tards at the "standards" committees. Screw them! WYSIWYG doesn't mutate into shit like the flow-tard's "standards".

      • (Score: 2) by acharax (4264) on Sunday October 23 2016, @07:10AM (#417780)

        WYSIWYG is a utopia, even formats like PDF that are heralded as such are not truly WYSIWYG when you come down to it, the same viewer software renders them ever so slightly differently on Windows, OSX and Linux in reality.

        That being said, it is not as much evil as it is the proverbial road to hell paved with the best of intentions. The WYSIWYG HTML editors of yore were aggressively marketed in particular to an audience of non technically inclined designers for whom they offered a layer of abstraction to something they scarcely if at all understood. This opened the flood gates for what we get to experience on the glorious nu-internet each and every day anew.

      • (Score: 3, Insightful) by tibman (134) on Sunday October 23 2016, @04:11PM (#417875)

        WYSIWYG only works if everyone is using the exact same implementation of the standard. Because usually the standard will have holes in it where implementors have to improvise. In the case of html/css the implementors are often ahead of the standard too.

        Anyways, WYSIWYG is garbage for a lot of reasons. Screen size being one of the biggest reasons. It would be like a shoe designer building a size 10 shoe that everyone (no matter foot size) has to wear.

        --
        SN won't survive on lurkers alone. Write comments.
    • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @06:46PM (#417920)

      to correctly render glyphs

      I must be going to very different sites.
      I block webfonts, yet the text in the pages I visit is completely readable.
      ...or you're talking about unnecessary chintz.

      yeah, nothing at all can go wrong there if you allow bytecode from a remote location to execute unchecked in an [interpreter]

      In my AdBlocker, I include the filters
      */font/
      */webfonts/
      fonts*js

      I also don't run Windoze--a product from a marketing company that dabbles in software.
      Being run by salesmen and marketing types, that operation thought it was a good idea to execute user-supplied data (like fonts) in Ring0. [googleusercontent.com] (orig) [wikipedia.org]
      It demonstrates just how out of their depth M$ management is.

      -- OriginalOwner_ [soylentnews.org]
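
The thread's point that a TrueType font is a container carrying hinting programs, not a bitmap, can be checked on any font file before it is trusted. The following is an added example, not part of the story or of any comment: it parses the sfnt table directory, rejects entries that point outside the file, and reports which hinting tables are present. The sample font bytes and the function names are constructed for illustration.

```python
import struct

# Tables holding TrueType hinting bytecode ('fpgm' font program, 'prep'
# control value program) and the data it works on ('cvt ' control values).
HINTING_TABLES = {"fpgm", "prep", "cvt "}

def build_sample_font(tables):
    """Constructed sample: sfnt header, table directory, 4-byte padded data."""
    offset = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode(), 0,
                                 offset + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0)
    return header + directory + body

def inspect_font(blob):
    """Return (tables, hinting_tags); raise ValueError on a bad directory."""
    if len(blob) < 12:
        raise ValueError("truncated sfnt header")
    version, num_tables = struct.unpack_from(">IH", blob, 0)
    if version not in (0x00010000, 0x74727565):  # version 1.0 or 'true'
        raise ValueError("not a TrueType-outline sfnt")
    if 12 + 16 * num_tables > len(blob):
        raise ValueError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(
            ">4sIII", blob, 12 + 16 * i)
        # Do not trust directory entries: each table must lie inside the file.
        if off + length > len(blob):
            raise ValueError(f"table {tag!r} out of bounds")
        tables[tag.decode("latin-1")] = (off, length)
    hinting = sorted(t for t, (_, n) in tables.items()
                     if t in HINTING_TABLES and n > 0)
    return tables, hinting

# Constructed input: placeholder bytes stand in for real table contents.
SAMPLE = build_sample_font({
    "fpgm": b"\x00\x01\x02\x03",
    "prep": b"\x00\x01\x02\x03",
    "head": b"\0" * 54,
})

if __name__ == "__main__":
    print(inspect_font(SAMPLE)[1])
```

This only inventories the tables; per-glyph instructions also live inside `glyf`, so an empty result for the three tables above does not mean the font is free of bytecode.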