SoylentNews is people
SoylentNews
SandboxEscaper Drops Three More Windows Exploits, IE Zero-Day:
On the heels of releasing a Windows zero-day exploit on Wednesday, developer SandboxEscaper has dropped exploit code for four more flaws on Thursday morning.
On Wednesday, she dropped a Windows zero-day exploit that would allow local privilege-escalation (LPE), by importing legacy tasks from other systems into the Task Scheduler utility – and she promised four more unpatched bugs while she was at it.
SandboxEscaper held true to that promise, on Thursday releasing on GitHub the proof-of-concepts (PoCs) for another three Windows LPE flaws, and a sandbox-escape zero-day vulnerability impacting Internet Explorer 11. One of them however turns out to already be patched.
The exploits:
[...] a Windows Error Reporting (WER) bug (CVE-2019-0863), was actually patched earlier this month in Microsoft's May Patch Tuesday fixes
[...] zero-day impacting Internet Explorer 11, which could enable bad actors to inject a dynamic link library (DLL) into Internet Explorer."
[...] a bypass for a previously released patch addressing a Windows permissions-overwrite, privilege-escalation flaw (CVE-2019-0841)."
[...] A final flaw is an "installer bypass" issue in Windows update
Not just one's own personal machines need to be considered; it's all the other Windows-based systems that we interact with, too. Might be best to hold off on non-essential transactions for a while?
(Score: 3, Funny) by RamiK on Thursday May 23 2019, @11:34PM (17 children)
As long as typing "download chrome" into the address bar doesn't compromise anything, who cares?
compiling...
(Score: 0) by Anonymous Coward on Friday May 24 2019, @12:48AM (16 children)
Only your privacy. You'll end up with a persistent spying application on your computer and your web browsing behavior will be tracked completely.
(Score: 2, Interesting) by epitaxial on Friday May 24 2019, @01:35AM (10 children)
Show me packet logs of this spying. I keep hearing people say that but they clam up when I ask for proof of what is sent.
(Score: 3, Interesting) by RamiK on Friday May 24 2019, @01:46AM
Google doesn't hide it: https://www.google.com/chrome/privacy/whitepaper.html [google.com]
compiling...
(Score: 3, Interesting) by Runaway1956 on Friday May 24 2019, @01:52AM (4 children)
Sorry, don't have a lot of time to go looking for examples, but here's a quicky - https://www.srware.net/forum/viewtopic.php?f=18&t=49388&sid=f9692c76ee7dec51abbaa22377aec44d [srware.net]
Persistent connections to Google? WTF for?
But, Google spies on you, no matter what browser you're using. Have you blocked Google Analytics, and all the rest of their stuff?
In my mind, every bit of data leaving and entering my network, should be data that I actually WANT to leave or enter my network. Google (and others) shouldn't be snooping around, analyzing every page I visit, in an effort to "guide" me to a product. Or, whatever the hell else they do with that data. We've already seen how Facebook has been used multiple times for political schemes. We also know that Google has a liberal bias. Why do we want to encourage Google to continue with it's social engineering of America? What makes Google qualified to perform such engineering?
When I sign out of Soylent, and close the browser tab, Soylent no longer recieves any data from my network, in any form. Signing out of Google accounts means - nothing.
(Score: 2) by epitaxial on Friday May 24 2019, @11:31AM (1 child)
Still waiting on packet logs. None of these people can use Wireshark?
(Score: 0) by Anonymous Coward on Friday May 24 2019, @10:34PM
They can capture the packets just fine. It's the modern TLS 1.2 encryption that is the problem. Unless you know a handy way to break TLS that your everyday security researcher can utilize to get at the encrypted data. And no, a MITM proxy won't work because Chrome checks the certificate chain.
(Score: 2) by PiMuNu on Friday May 24 2019, @12:35PM (1 child)
I was shocked at just how many websites use google analytics - the only ones that don't are SN and bbc (at least in uk where advertising does not fund).
(Score: 2) by Freeman on Friday May 24 2019, @01:52PM
Google analytics is almost everywhere.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Runaway1956 on Friday May 24 2019, @01:59AM
https://sputniknews.com/science/201804041063197557-chrome-files-scanning-concerns/ [sputniknews.com]
(Score: 0) by Anonymous Coward on Friday May 24 2019, @03:25AM (2 children)
Your post is a transparent attempt to trick me into running Chrome. Not falling for it, sorry.
(Score: 0) by Anonymous Coward on Friday May 24 2019, @04:04AM (1 child)
Chrome is opaque, not transparent.
(Score: 0) by Anonymous Coward on Friday May 24 2019, @06:55PM
Chrome is reflective, not opaque
(Score: 5, Informative) by RamiK on Friday May 24 2019, @02:00AM (4 children)
if you have a choice between IE and Chrome, Windows is already doing the "persistent spying" and you obviously don't care enough about your privacy to do anything meaningful about it.
Personally I use Firefox on GNU/Linux and keep Chromium handy just-in-case.
compiling...
(Score: 3, Disagree) by ilsa on Friday May 24 2019, @03:32PM (3 children)
I find attitudes like yours extremely frustrating. I DO care about my privacy. Yet I am using Windows on my laptop. Why? Because Desktop Linux is shit. Unless you are using a very basic beige box generic desktop computer, and your work is limited to using LibreOffice and other basic desktop apps, you are going to run into a never ending stream of difficulties. I won't list all the issues here because I could be writing for the next several hours and still not be done. You can only put up with all that nonsense for so long before you eventually throw your hands up in the air.
So I could use a Mac? Sure! I'll just spend 6 grand on a machine that has the specs of a 2.5k machine, with no way to upgrade anything AND the single worst keyboard ever invented since the 80s.
So I am forced to use Windows, because it is literally the best option out there. Thankfully I have a 2nd m.2 slot so I am able to dual-boot linux for those times when Windows flat out isn't good enough, but I am more than frustrated by the whole situation.
People like you are no better than single-issue voters. The world cannot be reduced to single problems with single solutions. As far as the state of general desktop computing goes, there are NO good options. Just options that piss you off the least.
(Score: 0) by Anonymous Coward on Friday May 24 2019, @06:10PM
Desktop Linux just works nowadays, just grab a distro that does the work for you. If your hardware is obscure or brand new you might have to edit a text file, install a library, or wait for drivers to get written, but I have a much better experience on Linux than Windows. Suspend/resume just works, sound just works, function keys just work, boot time is less than 5 seconds, responsiveness is head and shoulders above ms bs, and between wine and qemu I can run just about anything I will need with no problems.
(Score: 2) by RamiK on Friday May 24 2019, @07:46PM (1 child)
Clearly no more than your convenience. Have you considered using a KVM switch between multiple machines and not ever installing a browser on the Windows one in the first place? A CIFS share is all you need to get the workflow going. Syncthing if you don't trust Windows to handle the networking would work too for most. You can even use Synergy [symless.com] to smooth it all out.
Don't give me cheap excuses about the workloads either. Most lab and CAD machines out there are air-gaped using this KVM setup with USB sticks doing the to-and-fro.
Dual booting is what we did when we were kids. Nowadays you can stack 3 NUCs for gaming, work and browsing if you really need it and it will take the same space as a single ATX tower.
Fact of the matter is, most people just don't give security and privacy more than a moment's thought. They shrug their shoulders like you saying "Desktop Linux is shit" and leave it at that. Then they'll install a smart TV in every room, connect them all to streamers on the wifi and buy a tablet and smartphone for each kid...
No good options my ass.
compiling...
(Score: 2) by ilsa on Monday May 27 2019, @04:59PM
You seriously expect the average person to have a multi-computer setup with a KVM and Synergy to bounce between everything?
Your argument, while technically correct, is completely ridiculous. Not everyone has the resources for that kind of setup. Even if they had the money, they likely don't have the expertise. Just because YOU know how to do that doesn't mean every single person on the planet does. If they did, us IT folk wouldn't have jobs because we wouldn't be needed.
And even if the technical skill is there, there is ALSO the matter of opportunity. Setting this kind of stuff up takes time. MAINTAINING this stuff takes even more time, especially in todays environment where developers think it's completely acceptable to throw the baby out with the bathwater and the user just has to suck it up. Maybe you have the free time to do such things, but I can very much assure you that you are definitely in the minority.
Your perspective is arrogant and completely divorced from the realities involved with defending one's privacy, and your attitude accomplishes nothing but breed acrimony.