SoylentNews

It's March 2018 and Your Windows PC Can Be Pwned By a Web Article

posted by cmn32480 on Saturday March 17 2018, @06:17PM   
from the patch-these-75-holes dept.

-- OriginalOwner_ writes:

El Reg reports

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver.

Hopefully nobody was planning to use any of the 75 CVE-listed vulnerabilities Microsoft addressed today, including several for the Edge and Internet Explorer browsers that would allow remote code execution.

The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874[1]) would allow an infected webpage to run code with the logged-in user's clearance level.

The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839[1], that allows an attack page to view objects in memory.

Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed. They include an elevation of privilege bug in Exchange (CVE-2018-0940[1]) exploited via email. Dustin Childs of the Zero Day Initiative said that the bug is perfectly set up to facilitate a spear phishing attack.

[1] All content at portal.msrc.microsoft.com is behind scripts. Attempts to have archive.is run the scripts results in a EULA page.

---

Original Submission

• Re:What Windows PC? Re:What Windows PC? (Score: 4, Informative) by RamiK on Saturday March 17 2018, @07:32PM (1 child)

  by RamiK (1813) on Saturday March 17 2018, @07:32PM (#654188)

  According to VMWare ( https://kb.vmware.com/s/article/52245 [vmware.com] ) you need guest, host and hw microcode patches to mitigate Meltdown/Spectre style speculative attacks. Or in other words, you still need to trust Microsoft and Intel to do their job and do it well. Which to me, defeats the purpose of running Windows in a VM in the first place compared to a separate, dedicated machine (or not at all).

  To spice it up:

  Virtualization seems to have a lot of security benefits.

  You've been smoking something really mind altering, and I think you should share it.

  x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

  You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

  You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.

  That's all x86 virtualization is.

  https://marc.info/?l=openbsd-misc&m=119318909016582 [marc.info]

  --
  compiling...

  Parent

  Starting Score:	1		point
  Moderation		+2
  Interesting=1, Informative=1, Total=2
  Extra 'Informative' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		4

• Re:What Windows PC? (Score: 3, Interesting) by arslan on Sunday March 18 2018, @10:24PM

  by arslan (3462) on Sunday March 18 2018, @10:24PM (#654606)

  Great quote! Now if someone can write me something similar with regards to containers! I've been trying to warn folks that putting yet another layer of virtualization on top of your virtualization is rather stupid - especially so if the argument is to simplify the app by shrink wrapping it in a container so the ugly innards are hidden.. I'd rather they just rewrite the app properly.

  Not that containers don't have its place, but it seems to have open up this whole new world for lazy ass engineers to impress their PHB.

  Parent