SoylentNews is people
SoylentNews
from the Alt-right-plot-to-rule-the-world-through-Windows-exploitables dept.
This was just too funny not to submit. Do you not have the latest keyboard-logging Windows 10 on your, um computer? Not your computer, you know. But now, it turns out, according to the formerly great tech journal ZDNet, you are at risk! "Awake! Fear! Fire! Foes! Awake!"
But, wait for it, only if you run Windows.
Over half of applications installed on Windows PCs are out-of-date, potentially putting the security of users at risk through flaws in software that have already been patched by vendors.
Around 55 percent of software installed on PCs across the globe is in the form of an older version of the application, according to research by security company Avast — and that number has risen from 48 percent in their previous report.
Based upon anonyimized[sic] and aggregated data from 163 million devices around the world, Avast's PC trends report also suggests that almost one in six Windows 7 users and one in ten Windows 10 users are running out-of-date versions of their operating system, also leaving them open to exploitation of system-level security vulnerabilities.
Some of the programs most commonly left out-of-date include Adobe Shockwave, VLC Media Player, Skype, Java Runtime Environment, and 7-Zip Filemanager.
Putting off installing updates and running outdated applications can cause bugs and incompatibility problems for users, but more significantly, running out-of-date software can provide an open door for hackers to take advantage of holes left in programs that haven't had critical security updates applied.
Well, there it is. If you run Windows, you are running a security risk. Funny they would think how current your capitulation to the "Dark Side" is would make any difference. But on the other hand, the advice in general is good, just do not run anything out of Redmond, where the Dark Lord rules, and keep up to date on security patches. Except on my Android Phone. They ask me to do security upgrades, and I think, "Why?" I cannot remove the goddamned bloat-ware they put on goddamned thing, and they want me to approve upgrades? Hell no! I will rot in hell with my aging Android phone, with a version of Android nearly as old as I am, because the bastards will not allow me to upgrade to a more current version!
If Linux did shit like this, systemd aside, I would be BSD all the way. Sorry, too much commentary for a submission. But, really? Am I wrong?
P.S. When exactly did ZDNet take the tumble? Does anyone remember? Was it with the review of the new Microsoft Disk Compression Utility?
(Score: 3, Informative) by looorg on Wednesday January 23 2019, @09:44AM (6 children)
I admit that I rarely upgrade things unless I have to. If things work and does what I want I usually don't bother. New versions are not necessarily better versions, yes they might fix bug but more of then not they seem to add "features" that I do not want that only seem to bloat the software in question. That said there is also the case of newer things quite often breaking things. There is a reason you don't allow mission critical or just generally important things to auto-update, Windows comes to mind. Just this autumn there have been how many almost horribly system breaking patches and updates that have deleted user content or just broken the system? At least two I seem to recall from the top of my head.
Then there is also that question of why would these programs need internet access? Why does 7-zip need internet access to compress (or decompress) files? VLC doesn't need it either to play audio and video, you might need it if you want it to grab and play stuff from online but beyond that. As a stand alone media player it sure as hell doesn't. They, just as more or less every application, shouldn't have permission to communicate with the internet, there really is no reason for them to have that when it comes to their primary function. There are way to many applications these days that do seem to phone home under the guise of checking for updates. As long as they do that I'll keep blocking them since it's not a needed function of the software to perform the primary function.
(Score: 2, Funny) by Anonymous Coward on Wednesday January 23 2019, @10:02AM (3 children)
I have a feeling it is because quantum ethnoscientists are at the verge of revealing humans are quad-dimensional primates, who gain consensus via holographic mammalian belief systems. Good luck making sense of that without connecting 7zip to the internet.
(Score: 0) by Anonymous Coward on Wednesday January 23 2019, @12:18PM (2 children)
Dude, really? Let me tell you how I know your idea is bogus: you didn't mention the lizard people.
(Score: 0) by Anonymous Coward on Wednesday January 23 2019, @02:27PM (1 child)
You mean the reptilians?
https://pbs.twimg.com/media/Dwb888dVYAAaFX8?format=jpg&name=small [twimg.com]
(Score: 0) by Anonymous Coward on Wednesday January 23 2019, @07:59PM
Those are Red Dresses, technically speaking anyway.
(Score: 0) by Anonymous Coward on Wednesday January 23 2019, @12:40PM
Direct Internet access by an outdated application isn't the only vector for exploit. If they process files which you've _downloaded_ from the Internet, then there is still a risk.
For example for 7-zip, you might unknowingly download a malicously malformed archive, which when decompressed _locally_ with a vulnerable 7-zip version, can exploit the vulnerability and possibly run arbitrary code depending on the severity of exploit and may be able to chain further exploits in e.g. the underlying OS. I'd expect a patched version of 7-zip would fail to process such maliciously malformed archive, either noisily, or silently discarding the bad bits.
Similar for media players like VLC. There may be vulnerabilities in various codec implementations (and there have been), with which a malicious media file can exploit when played _locally_ on the machine.
(Score: 2) by ElizabethGreene on Friday January 25 2019, @05:20PM
VLC embeds into Firefox. You click a link and a movie is embedded into the page. Embedded VLC launches to render it. Your vulnerable version is now exploited.
You download a .zip from a place you trust implicitly. The hotspot you are connecting to is compromised and that non-https downloaded zip is replaced transparently by version that exploits your vulnerable version of 7-zip.
In either of these cases malicious code is now running on your machine. If they then chain in an elevation of privilege vulnerability you are pwned... and if you are on a network where you use those same creds on another machine, that machine is an easy lateral traversal move away from being pwned too.