Stories
Slash Boxes
Comments

SoylentNews is people

It's March 2018 and Your Windows PC Can Be Pwned By a Web Article

posted by cmn32480 on Saturday March 17 2018, @06:17PM   Printer-friendly
from the patch-these-75-holes dept.

-- OriginalOwner_ writes:

El Reg reports

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver.

Hopefully nobody was planning to use any of the 75 CVE-listed vulnerabilities Microsoft addressed today, including several for the Edge and Internet Explorer browsers that would allow remote code execution.

The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874[1]) would allow an infected webpage to run code with the logged-in user's clearance level.

The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839[1], that allows an attack page to view objects in memory.

Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed. They include an elevation of privilege bug in Exchange (CVE-2018-0940[1]) exploited via email. Dustin Childs of the Zero Day Initiative said that the bug is perfectly set up to facilitate a spear phishing attack.

[1] All content at portal.msrc.microsoft.com is behind scripts. Attempts to have archive.is run the scripts results in a EULA page.

Original Submission

 
This discussion has been archived. No new comments can be posted.
It's March 2018 and Your Windows PC Can Be Pwned By a Web Article | Log In/Create an Account | Top | 18 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Azuma Hazuki on Sunday March 18 2018, @03:10AM (2 children)

    by Azuma Hazuki (5086) on Sunday March 18 2018, @03:10AM (#654331) Journal

    Look, I know virtualization isn't a panacea. You think I haven't been keeping track of all the hypervisor escapes and such for the last few years? But it's better than nothing, and I already had a policy in place of never letting that VM talk to any other node or have anything more important than, say, my arrangement of the Kirby's Dreamland 3 deep-water stages' BGM on it.

    It's like NAT. NAT is not a firewall. By itself, it doesn't add much security. But it *is* handy to have your devices not directly accessible from the WAN side, and that alone provides a passive layer of protection that's better than nothing. Same with virtualization for Windows OSes.

    --
    I am "that girl" your mother warned you about...
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 3, Insightful) by HiThere on Sunday March 18 2018, @05:15PM (1 child)

    by HiThere (866) Subscriber Badge on Sunday March 18 2018, @05:15PM (#654539) Journal

    I think at least one of his points was that when they've copied your bank account access data, restoring from backup doesn't solve the problem.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.

    • (Score: 2) by Azuma Hazuki on Sunday March 18 2018, @05:33PM

      by Azuma Hazuki (5086) on Sunday March 18 2018, @05:33PM (#654542) Journal

      Well, yes, which is why I don't do anything of any importance on the VM. It's just for making music.

      --
      I am "that girl" your mother warned you about...