
SoylentNews is people

posted by janrinok on Sunday October 23 2016, @12:34AM
from the stopped-in-their-tracks dept.

Kaspersky Labs researcher Anton Ivanov says an advanced threat group was exploiting a Windows zero-day vulnerability before Microsoft patched it last week.

Microsoft says the graphics device interface vulnerability (CVE-2016-3393) allowed attackers to gain remote code execution and elevation of privilege powers.

Ivanov's analysis reveals a hacking group dubbed FruityArmor was exploiting the vulnerability in chained attacks, using a TrueType font to trigger the bug.

[...] The attack saw browser sandboxes broken and higher privileges attained before a second payload executed with the newly-acquired higher access privileges.

Windows 10's efforts to push font processing into a special user mode that restricts privileges did not stop the exploit.


  • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @02:46AM

    by Anonymous Coward on Sunday October 23 2016, @02:46AM (#417716)

    SN has some pretty good editors, but also some lousy ones. Perhaps some new volunteers would do good.

    • (Score: 2) by Runaway1956 on Sunday October 23 2016, @03:07AM

      by Runaway1956 (2926) Subscriber Badge on Sunday October 23 2016, @03:07AM (#417720) Journal

      We need to open up staff positions to AC. Go ahead, PM the staff and tell them that you want in!

      • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @03:45AM

        by Anonymous Coward on Sunday October 23 2016, @03:45AM (#417736)

        Not a bad idea. Run a system like pipedot pipe voting to cull the crap.

    • (Score: 4, Insightful) by janrinok on Sunday October 23 2016, @12:38PM

      by janrinok (52) Subscriber Badge on Sunday October 23 2016, @12:38PM (#417821) Journal

      I can support your call for new editors - I've been doing this from the start and I am finding it very tiring at times. However, we can't have ACs as editors. We cannot give the necessary privs on the site to unnamed individuals, plus you have to be contactable on email and IRC.

      Run a system like pipedot pipe voting to cull the crap

      The problem with this suggestion is that it does not give everyone a chance to submit - trolls and group-think types can suppress stories that they do not want to see. That is why every story has to go through 2 editors (not 1) to make sure that no single individual can affect the output on the front page.

      Finally, you do realise that Arthur T Knackerbracket is only a bot? We have to use it when nobody can be bothered to make submissions. What you are expecting is that each editor is also responsible for making submissions and doing the editorial task. It might surprise you that we have lives and families and jobs, and that we do this job for pleasure. Nobody here gets paid a dime. If you don't like the quality of the stories the solution is in your hands. Likewise, if you don't like the quality of the editing, feel free to step up to the plate and let me have a break. I have posted 3000+ stories since I started as an editor, I will happily let someone else have a chance if they want it.

      • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @01:55PM

        by Anonymous Coward on Sunday October 23 2016, @01:55PM (#417838)

        Nope, AC editor is no good. Let's recruit more editors so editing can be more fun/interesting rather than being a chore.

        An idea, though. If you find nothing decent is in the queue, but feel some fresh meat is in need of posting, why not consider a personal write-up/editorial of editor's choice? Like "meta" posts about SN itself, but widen the scope to any subject an editor fancies and thinks it might be of interest to others. Such a post, marked as such ("op-ed", "a not so deep thought", whatever), if posted once in a while, may add an interesting color to this site. Besides, it seems a reasonable perk for editors.

        • (Score: 2) by janrinok on Sunday October 23 2016, @03:30PM

          by janrinok (52) Subscriber Badge on Sunday October 23 2016, @03:30PM (#417865) Journal

          The op-ed idea has merit but might not be the whole solution. This weekend at least 12 of the approx 32 stories we need to fill the pages are from Arthur. There is nothing the 3 available eds could do to fill those slots if we have to write complete articles from scratch. The output from Arthur is far from ideal, but at least it does identify stories that are roughly in line with our aims and interests. And those editors are only available for a limited time each day - they have their own lives to live too.

          Let's recruit more editors so editing can be more fun/interesting rather than being a chore.

          We will probably make another bid for editors in the next few weeks. However, they each need individual training by an existing editor. While the job is not difficult and is interesting, getting to grips with the process is time consuming. But we accept that as simply being a part of the job. Although we might train 4 new editors, experience suggests that the likelihood of them all remaining as eds for longer than a couple of months is remote. If we can keep 1 we would be happy, and 2 would make life so much more easy for us. There is an expectation that each would make a contribution on an almost daily basis; this is quite a commitment to give and is even harder to achieve over weekends when people want to do other things.

          There are only 4 regular active editors at present which isn't many for 24/7 operating. A few more help when they can depending on other commitments. Of course, you might think that the solution is to only fill part of the day but which part? I'm in Europe, and I'm not going to support a site that is targeted only at our US audience. The full SN team is spread worldwide, as is our community, and everyone wants the opportunity to take part in discussions 'live' rather than look at what was said by any one particular geographic region. With over 6000 members I would hope that a few will be up for the challenge.

  • (Score: 3, Insightful) by SomeGuy on Sunday October 23 2016, @03:56AM

    by SomeGuy (5632) on Sunday October 23 2016, @03:56AM (#417740)

    I've noticed the fad the last few years of web sites using automatically downloadable fonts for all kinds of crap. Especially for symbols and crap that should be images instead. Oh, sure don't worry about it, no possible security hazards here, just drop whatever you want into this internal Windows system that probably hasn't been cleaned up since Windows 2000. What could possibly go wrong?

    And very annoying visiting web sites on machines where that "feature" is sensibly not available.

    • (Score: 2, Informative) by Anonymous Coward on Sunday October 23 2016, @05:06AM

      by Anonymous Coward on Sunday October 23 2016, @05:06AM (#417759)

      What makes me laugh is that I've noticed on more than a few occasions that the icon font is larger than if they just included them as images. Which means that someone went through all the hard work of creating the custom font and getting all the frontend people to use it and they don't actually save any space or alleviate any design problems.

    • (Score: 3, Informative) by acharax on Sunday October 23 2016, @06:26AM

      by acharax (4264) on Sunday October 23 2016, @06:26AM (#417772)

      It all stems from the faulty presumption of many web 2.0 hacks ("designers") that webpages should appear 100% identical to every client, these are the same people that previously insisted on using PDFs for their overdesigned pages when they discovered that the junk they assembled in their warez copy of Dreamweaver didn't look exactly the same when they loaded it in Netscape and IE.

      ...and fonts, a lot of people assume they're just simple graphic files like old bitmap fonts were but they're actually a series of bytecode instructions fed to an interpreter to correctly render glyphs, yeah nothing at all can go wrong there if you allow bytecode from a remote location to execute unchecked in an interpreter in which many safeguards were sacrificed on the altar of performance back in decades past.
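The point made in the comment above, as an added example that is not part of the original thread: a Python sketch that reads a TrueType file's table directory and reports the tables carrying hinting bytecode (`fpgm`, `prep`), along with any table whose declared extent runs past the end of the file. The helper names and the sample font bytes are constructed for illustration.

```python
import struct

# Tables holding TrueType hinting bytecode (font program, control-value program).
# Per-glyph instructions inside 'glyf' are out of scope for this example.
BYTECODE_TABLES = {"fpgm", "prep"}

def build_sfnt(tables):
    """Build a minimal sfnt container from {tag: bytes} (constructed test input)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)  # search fields left 0
    offset = 12 + 16 * n
    records, body = b"", b""
    for tag in sorted(tables):
        data = tables[tag]
        records += struct.pack(">4sIII", tag.encode("ascii"), 0, offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + records + body

def audit_font(blob):
    """Return (bytecode_tables, problems) for the raw bytes of a TrueType file."""
    problems, bytecode = [], {}
    if len(blob) < 12:
        return bytecode, ["truncated header"]
    version, num_tables = struct.unpack(">IH", blob[:6])
    if version not in (0x00010000, 0x74727565):  # 1.0 or Apple 'true'
        problems.append("unexpected sfnt version 0x%08x" % version)
    if 12 + 16 * num_tables > len(blob):
        return bytecode, problems + ["table directory exceeds file size"]
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        name = tag.decode("latin-1")
        if off + length > len(blob):  # declared extent must fit inside the file
            problems.append("table %r runs past end of file" % name)
            continue
        if name in BYTECODE_TABLES and length:
            bytecode[name] = length
    return bytecode, problems

# Constructed sample: placeholder bytes, not a real hinting program.
SAMPLE = build_sfnt({"fpgm": b"\xb0\x00\x2c", "prep": b"\xb0\x01", "cmap": b"\0" * 8})
```

A font that reports no `fpgm` or `prep` table gives the hinting interpreter no font-wide program to run; a reported bounds problem is a reason to reject the file before any renderer sees it.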

      • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @06:31AM

        by Anonymous Coward on Sunday October 23 2016, @06:31AM (#417774)

        It is frustrating when managers etc. approve something, and then the client bungles it to hell. WYSIWYG is a good thing that has been ruined by the flow-tards at the "standards" committees. Screw them! WYSIWYG doesn't mutate into shit like the flow-tard's "standards".

        • (Score: 2) by acharax on Sunday October 23 2016, @07:10AM

          by acharax (4264) on Sunday October 23 2016, @07:10AM (#417780)

          WYSIWYG is a utopia, even formats like PDF that are heralded as such are not truly WYSIWYG when you come down to it, the same viewer software renders them ever so slightly different on Windows, OSX and Linux in reality.

          That being said, it is not as much evil as it is the proverbial road to hell paved with the best of intentions. The WYSIWYG HTML editors of yore were aggressively marketed in particular to an audience of non technically inclined designers for whom they offered a layer of abstraction to something they scarcely if at all understood. This opened the flood gates for what we get to experience on the glorious nu-internet each and every day anew.

        • (Score: 3, Insightful) by tibman on Sunday October 23 2016, @04:11PM

          by tibman (134) Subscriber Badge on Sunday October 23 2016, @04:11PM (#417875)

          WYSIWYG only works if everyone is using the exact same implementation of the standard. Because usually the standard will have holes in it where implementors have to improvise. In the case of html/css the implementors are often ahead of the standard too.

          Anyways, WYSIWYG is garbage for a lot of reasons. Screen size being one of the biggest reasons. It would be like a shoe designer building a size 10 shoe that everyone (no matter foot size) has to wear.

          --
          SN won't survive on lurkers alone. Write comments.
      • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @06:46PM

        by Anonymous Coward on Sunday October 23 2016, @06:46PM (#417920)

        to correctly render glyphs

        I must be going to very different sites.
        I block webfonts, yet the text in the pages I visit is completely readable.
        ...or you're talking about unnecessary chintz.

        yeah, nothing at all can go wrong there if you allow bytecode from a remote location to execute unchecked in an [interpreter]

        In my AdBlocker, I include the filters
        */font/
        */webfonts/
        fonts*js

        I also don't run Windoze--a product from a marketing company that dabbles in software.
        Being run by salesmen and marketing types, that operation thought it was a good idea to execute user-supplied data (like fonts) in Ring0. [googleusercontent.com] (orig) [wikipedia.org]
        It demonstrates just how out of their depth M$ management is.

        -- OriginalOwner_ [soylentnews.org]