Shaun Nichols at El Reg notes the latest Patch Tuesday
Microsoft has today patched two dozen CVE-classified security vulnerabilities in its software. People are urged to install them as soon as possible.
The US giant said the October edition of Patch Tuesday includes three critical fixes to address flaws in Internet Explorer, the .NET Framework and Windows kernel-mode driver.
[...]
MS14-061 - An 'important' rated vulnerability (CVE-2014-4117) in Office that allows an attacker to use malicious Word files to achieve remote code execution at the level of the logged-in user. The flaw can be mitigated by limiting the access rights of user accounts. The flaw is also present in Office for Mac. The discovery is credited to 35 Labs via the HP Zero Day Initiative.
[...]
And Adobe's software is still riddled with holes.
Adobe, meanwhile, has released its own monthly patch update. That patch will include a fix for three remote-code execution flaws in Flash Player for Windows, OS X, and Linux. Adobe is also patching a trio of flaws in ColdFusion allowing elevation of privilege and security control bypass.
[Update 1]: Corrected title as these vulnerabilities are not restricted to Windows.
[Update 2]: There are also reports of remote code execution and privilege elevation vulnerabilities across Solaris, Linux and Windows, via Java and Oracle: http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847.
(Score: 2) by kaszz on Thursday October 16 2014, @06:45PM
Just common wisdom ;-)
Any reports on other systems?
(Score: 2) by Arik on Thursday October 16 2014, @10:45PM
Java does run on (some) linux systems, although it is not Free.
Libre systems are unaffected.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Nerdfest on Thursday October 16 2014, @11:45PM
I believe there are open and free Java implementations for Linux (and others).
(Score: 2) by Nerdfest on Thursday October 16 2014, @11:49PM
I should add that these are not necessarily affected by the same implementation specific bug though.
(Score: 2) by mcgrew on Friday October 17 2014, @03:51PM
Java isn't even on my Windows 7 notebook, let alone the Linux tower. Microsoft Word? I use Open Office. Flash? I only allow it on a very limited number of sites.
Carbon, The only element in the known universe to ever gain sentience
(Score: 2) by hemocyanin on Thursday October 16 2014, @06:46PM
I made the switch to linux in the Windows ME days, and then later, when I wanted to have frustration free options for watching online video, I got a Mac laptop. I've been running linux on my desktops and on one laptop, and OSX on my main laptop for a decade. So in reading the summary, it sounds like there is a flaw that affects MS Office whether running in Windows or OSX, and an Adobe flaw that is basically universal. Then of course we have the BASH flaw that's been around for years and years.
And who cares if these flaws only affect user accounts -- the user account is where people store all of their information. Compromising a user account is at least a 90% win.
Computers are so complex and run so much varied software that flaws are inevitable. And so while I used to be in the "haha I run linux [or OSX]" crowd -- over the last several years I've piped down. Because the truth is, every system is undoubtedly deeply flawed and I now look at all of my systems as disease ridden traps so long as they are connected to the internet.
(Score: 2) by hemocyanin on Thursday October 16 2014, @06:50PM
Well, the math is wrong here. Went 100% linux desktop around 2000, added a linux laptop 2004ish, OSX laptop since 2006ish.
(Score: 2) by kaszz on Thursday October 16 2014, @06:51PM
Adding new functionality all the time is the culprit and complexity of course.
(Score: 2) by sudo rm -rf on Thursday October 16 2014, @07:09PM
I ... try hard ... not to... mention ... the you-know-what daemon ...
(Score: 2) by kaszz on Thursday October 16 2014, @07:45PM
The daemon author is possessed by RedHat? ;-)
(Score: 2) by tibman on Friday October 17 2014, @12:42AM
I heard recently that it went the other way around.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by kaszz on Friday October 17 2014, @01:12AM
Must be really bad then. Makes you wonder who has possessed him..
(Score: 2) by Arik on Thursday October 16 2014, @10:42PM
It's bigger than that, but that's a big part, yeah.
But even if they were somehow persuaded to freeze a spec instead of constantly throwing in whatever marketing wants, don't imagine they would put all that suddenly idle developer power to work re-architecting a sane system. They would just cut manpower costs instead.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by kaszz on Friday October 17 2014, @12:42AM
Sounds like a control loop. So the problem is the group of people that decides the parameters of said system.
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @09:36PM
Then of course we have the BASH flaw that's been around for years and years
...which made headlines because it's such a *rare* event.
Meanwhile, this month alone, M$ admits to TWENTY-FOUR flaws[1] for which they produced patches--3 of which it admits are critical.
Now, how many exploits were written against each of those?
How many Windoze boxes were exploited while folks waited for Patch Tuesday to roll around?
Now, how many flaws does M$ -know- about but won't patch?
Now, let's look back at the critical flaws M$ admits to for all of 2014. [google.com]
Feel free at this point to mention all the critical flaws in competing ecosystems which made headlines because of their severity.
(Now would be a good time to compare time-to-patch as well.)
...and, of course, media reaction to -actual- exploits against M$'s numerous flaws (even when they are widespread) is muted because those are not only common, they are EXPECTED.
-- gewg_
(Score: 2) by el_oscuro on Friday October 17 2014, @01:35AM
On Linux, there is a way to protect your user account from these types of compromises:
1. Install and configure ssh server
2. Create an unprivileged account (nobody?) to run the browser in
3. Set up passwordless authentication using ssh-copy-id to connect to unprivileged account on localhost
4. Set up a desktop shortcut which ssh's to that account and runs firefox or whatever browser you use.
5. Use that shortcut to browse teh Interwebs. That way if you get pwned by a userland exploit, it only affects the nobody account, not your real account.
Only use the regular browser shortcut for things like banks, amazon, paypal, etc.
SoylentNews is Bacon! [nueskes.com]
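The steps in the comment above, sketched as a script. This is an added example, not part of el_oscuro's post. It assumes a dedicated account named `browser` (the `nobody` account normally has no home directory or login shell), a key file `~/.ssh/browser_sandbox`, Firefox, and an sshd already running on localhost with `X11Forwarding yes`; all of those names are hypothetical.

```sh
#!/bin/sh
# Added example: run the browser in a separate local account over ssh.
# Assumed names, not from the comment: account "browser", key file
# ~/.ssh/browser_sandbox, launcher file browser-sandbox.desktop.

# Succeeds only if DIR grants nothing to group/other, so the sandbox
# account cannot read the real user's files. Uses GNU stat (Linux).
home_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Steps 2-3: create the account and install a passphrase-less key.
# Needs sudo and a running sshd with "X11Forwarding yes".
setup_account() {
    acct=$1; key=$2
    sudo useradd --create-home --shell /bin/bash "$acct"
    sudo passwd "$acct"     # ssh-copy-id needs one password login
    ssh-keygen -t ed25519 -N '' -f "$key"
    ssh-copy-id -i "$key.pub" "$acct@localhost"
}

# Step 4: write the desktop shortcut and print its path.
write_launcher() {
    file="$1/browser-sandbox.desktop"
    cat > "$file" <<EOF
[Desktop Entry]
Type=Application
Name=Sandboxed browser ($2)
Exec=ssh -X -i $3 $2@localhost $4
Terminal=false
EOF
    chmod u+x "$file"
    printf '%s\n' "$file"
}

# Only acts when invoked as: sh browser-sandbox.sh setup
if [ "${1:-}" = "setup" ]; then
    key="$HOME/.ssh/browser_sandbox"
    home_is_private "$HOME" ||
        echo "warning: $HOME is readable by other accounts" >&2
    setup_account browser "$key"
    write_launcher "$HOME/Desktop" browser "$key" firefox
fi
```

The launcher uses `ssh -X` (untrusted X11 forwarding) rather than `-Y`: trusted forwarding gives the sandboxed browser full access to the display, including keystrokes typed into other windows, which defeats the isolation. The home-directory check matters for the same reason, since a world-readable home leaves your files open to the sandbox account.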
(Score: 0) by Anonymous Coward on Friday October 17 2014, @04:40PM
This is why I'm still more comfortable using windows than linux or mac osx. Anti-virus software for windows seems much more advanced and mature.
(Score: 3, Insightful) by Snow on Thursday October 16 2014, @06:47PM
Way to keep things professional guys...
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @07:03PM
ok it wasn't just me then :)
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @07:08PM
El Reg: "It's 2014 and you can still own a Windows box using a Word file or font"
Soylent: "It's 2014 and You Can Still Pwn a Windoze Box Using a Word File or Font"
Come on, Soylent...
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @07:34PM
It's a gewg submission. Did you honestly expect it to be free of childish stupidity or political bias?
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @08:47PM
Did you honestly expect
Honestly? No. Not a chance.
Let's see:
A company that couldn't come up with a unique, non-generic name for its flagship product--at a time when Big Pharma had already demonstrated how to do that over and over again (Tylenol, Bufferin, Kaopectate).
...and that same company thinks it's perfectly normal to try to paste on security as an afterthought.
...then there's their corrupt business model, addressed by kaszz below.
-- gewg_
(Score: 2) by martyb on Thursday October 16 2014, @07:38PM
Both mistakes were in the original submission and we failed to catch them. Title has been corrected.
Thank you for bringing it to our attention!
Wit is intellect, dancing.
(Score: 1, Insightful) by Anonymous Coward on Thursday October 16 2014, @09:02PM
Changing "Pwn" to "Own" changes the meaning entirely. When I read the headline "You can still own a box using a Word file, a TTF font, or Flash" my only thought was "Well duh. Microsoft dominates, so pretty much everybody owns a box (computer of some sort) and can use a Word file. TTF files are basically the standard, and you have almost no choice but to have Flash installed because so many stupid websites insist on using it to serve up content."
Who doesn't own a box that meets some of those criteria?
(Score: 2) by _NSAKEY on Friday October 17 2014, @01:57AM
Isn't the point of having editors to catch things like this and fix them before they go live?
On another note, why is the Twitter bot tweeting the story out every time the headline gets changed? (Links below)
https://twitter.com/SoylentNews/status/522834690592358400 [twitter.com]
https://twitter.com/SoylentNews/status/522849978197102593 [twitter.com]
https://twitter.com/SoylentNews/status/522917752697536513 [twitter.com]
(Score: 2) by kaszz on Thursday October 16 2014, @07:43PM
One of the largest corporations in the world behaves like a royal asshole for more than two decades and expects to not have any negative feedback?
(Score: 2) by mcgrew on Friday October 17 2014, @03:59PM
It was a typo, they misspelled WindoZe. Windoze, because I can boot my ancient Linux tower in less time than it takes the much faster hardware on my much newer notebook running Windows 7 to come out of hibernation. It's Win Doze, as in almost asleep. It has to do with Windows' shocking lack of speed, not its insecurity.
And someone mentioned "professional", I want to point out that the only one getting paid is S/N's web host.
Carbon, The only element in the known universe to ever gain sentience
(Score: 1) by martyb on Thursday October 16 2014, @07:35PM
Ugh. That was in the original submission and we did not catch that. I've changed "Pwn" to "Own" and "Windoze" to "Windows".
Wit is intellect, dancing.
(Score: 3, Insightful) by mhajicek on Thursday October 16 2014, @09:28PM
That's too bad. The original was more meaningful.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @09:38PM
pwn is a more accurate term in this context. Windoze is a bait term.
(Score: 4, Informative) by MrGuy on Thursday October 16 2014, @07:34PM
TFH is misleading.
Yes, the first flaw described is in a Microsoft product. But it is NOT limited to Windows machines.
The second flaw is NOT in a Microsoft product, and is ALSO not limited to Windows.
It's 2014, and you can still own a computer REGARDLESS of the OS with a Word file. The two exploits in TFS aren't about Windows - they're cross-OS issues, one of which is in a non-Windows Microsoft product (Word) and the other of which is in a non-MS product (Flash).
(Score: 2) by choose another one on Thursday October 16 2014, @08:08PM
Seconded, posting to add that of course, as usual/always you can also own various boxes via Java and Oracle:
http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847 [threatpost.com]
Yep, remote code execution and privilege elevation, across Solaris, Linux and Windows.
"Microsoft Windows Security - never quite as bad as Oracle and Adobe".
(Score: 0) by Anonymous Coward on Thursday October 16 2014, @09:40PM
That's only because they don't write as much stuff that runs on Solaris and Linux ;).
(Score: 2) by mcgrew on Friday October 17 2014, @04:07PM
Yes, the first flaw described is in a Microsoft product. But it is NOT limited to Windows machines
Microsoft doesn't make the machines, they make the software. If you're running MS Office on your Mac, you're running Microsoft software.
It isn't OS specific, true, but it is vendor specific; Microsoft, Oracle, Adobe. The only affected software I run is Flash, and only allow it on a few sites. I write PDFs with Open Office and read them with FireFox.
I do wish there was a decent open source spreadsheet, Open Office Calc is a pile of effluent. Glad I seldom need a spreadsheet.
Carbon, The only element in the known universe to ever gain sentience
(Score: 0) by Anonymous Coward on Saturday October 18 2014, @02:55PM
VIDEO:- Chaos Conference 2010, "OMG WTF PDF" by security researcher Julia Wolf [media.ccc.de]
"OMG WTF PDF": What you didn't know about Acrobat - Ambiguities in the PDF specification means that no two PDF parsers will see a file in the same way. This leads to many opportunities for exploit obfuscation.