
posted by cmn32480 on Saturday March 17 2018, @06:17PM   Printer-friendly
from the patch-these-75-holes dept.

El Reg reports

The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver.

Hopefully nobody was planning to use any of the 75 CVE-listed vulnerabilities Microsoft addressed today, including several for the Edge and Internet Explorer browsers that would allow remote code execution.

The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874[1]) would allow an infected webpage to run code with the logged-in user's clearance level.

The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839[1], that allows an attack page to view objects in memory.

Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed. They include an elevation of privilege bug in Exchange (CVE-2018-0940[1]) exploited via email. Dustin Childs of the Zero Day Initiative said that the bug is perfectly set up to facilitate a spear phishing attack.

[1] All content at portal.msrc.microsoft.com is behind scripts. Attempts to have archive.is run the scripts results in a EULA page.



Related Stories

Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023

Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023:

On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.

The first to fall was Adobe Reader in the enterprise applications category after Haboob SA's Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.

The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft's SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.

Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.

Oracle VirtualBox was hacked using an OOB Read and a stacked-based buffer overflow exploit chain (worth $40,000).

Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.

Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.

[...] After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro's Zero Day Initiative publicly discloses them.

During last year's Vancouver Pwn2Own contest, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.
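The "TOCTOU" entries above (Synacktiv's Tesla Gateway and macOS wins) refer to time-of-check to time-of-use races: a program checks a property of a named object, the attacker changes what the name refers to, and the program then uses the name as though the check still held. The following is an added example written for this page, not code from the article or from any Pwn2Own entry, and it is deliberately not a real exploit: the policy (only regular files, never symlinks, may be read) is an assumption, and the "attacker" is a function the program calls itself inside the race window so the outcome is deterministic instead of depending on winning a real race.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Added example for this page: a file-read TOCTOU race, simulated in one
 * thread. Assumed policy: the program may only read regular files handed to
 * it by name, never symlinks. attacker_swap() stands in for a concurrent
 * attacker process that would normally have to win the race window.
 */

/* Policy check applied to a stat result. */
static int policy_ok(const struct stat *st) {
    return S_ISREG(st->st_mode);
}

/* Simulated attacker: replace the checked path with a symlink to target. */
static void attacker_swap(const char *path, const char *target) {
    unlink(path);
    if (symlink(target, path) != 0) perror("symlink");
}

/* Read up to n-1 bytes from fd into buf, NUL-terminate, close fd. */
static ssize_t read_fd(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return got;
}

/* Vulnerable: checks the NAME with lstat(), then opens the NAME again.
 * Whatever happens to the name in between is never re-checked. */
ssize_t read_vulnerable(const char *path, const char *attacker_target,
                        char *buf, size_t n) {
    struct stat st;
    if (lstat(path, &st) != 0 || !policy_ok(&st)) return -1;  /* time of check */
    if (attacker_target) attacker_swap(path, attacker_target); /* race window */
    int fd = open(path, O_RDONLY);                             /* time of use */
    if (fd < 0) return -1;
    return read_fd(fd, buf, n);                                /* follows the symlink */
}

/* Hardened: open first, refusing to follow a symlink, then check the
 * descriptor that will actually be read. There is no name-based check to race. */
ssize_t read_hardened(const char *path, const char *attacker_target,
                      char *buf, size_t n) {
    if (attacker_target) attacker_swap(path, attacker_target); /* attacker's turn */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                                     /* ELOOP on a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !policy_ok(&st)) { close(fd); return -1; }
    return read_fd(fd, buf, n);
}

/* Constructed fixture: a fresh temp dir holding a "public" file the policy
 * allows and a "secret" file that must never come back through the public name. */
int make_fixture(char *pub, size_t pubn, char *sec, size_t secn) {
    char dir[] = "/tmp/toctou.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(pub, pubn, "%s/public.txt", dir);
    snprintf(sec, secn, "%s/secret.txt", dir);
    FILE *f = fopen(pub, "w"); if (!f) return -1; fputs("public", f); fclose(f);
    f = fopen(sec, "w");       if (!f) return -1; fputs("secret", f); fclose(f);
    return 0;
}

int main(void) {
    char pub[64], sec[64], buf[32];
    make_fixture(pub, sizeof pub, sec, sizeof sec);
    ssize_t r = read_vulnerable(pub, sec, buf, sizeof buf);
    printf("vulnerable: %s\n", r < 0 ? "refused" : buf);   /* prints "secret" */
    make_fixture(pub, sizeof pub, sec, sizeof sec);
    r = read_hardened(pub, sec, buf, sizeof buf);
    printf("hardened:   %s\n", r < 0 ? "refused" : buf);   /* prints "refused" */
    return 0;
}
```

The fix is structural, not a tighter check: the hardened version never makes a decision about a name, only about the descriptor it holds. O_NOFOLLOW only covers the last path component; if an attacker controls a directory earlier in the path, the same class of bug returns, and the usual answer is to open relative to a trusted directory descriptor with openat() or to keep the attacker out of the path entirely.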

Previous:
Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input
Work from Home Pwn2Own Hackers Make $130,000 in 48 Hours from Windows 10 Exploits
It's March 2018 and Your Windows PC Can Be Pwned By a Web Article



  • (Score: 5, Insightful) by c0lo on Saturday March 17 2018, @06:36PM (4 children)

    by c0lo (156) Subscriber Badge on Saturday March 17 2018, @06:36PM (#654170) Journal

    It will soon be April 2018 and your computer will still be pwnable by a simple Web page.

    It happened in 2017 [zerodayinitiative.com] too and even on Mac (3 different ways) [securityzap.com]

    and in 2012 [zdnet.com], for multiple browser/OSes [arstechnica.com]

    My points:
    - what's the point of highlighting Windows when all the other platforms are vulnerable too?
    - what's the point of mentioning "March 2018" when experience shows the same happened in the past and it is highly probable it will happen in the future?

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 5, Insightful) by Justin Case on Saturday March 17 2018, @06:45PM (3 children)

      by Justin Case (4239) on Saturday March 17 2018, @06:45PM (#654174) Journal

      It's any month and Your Windows PC Can Be Pwned By a Web Article

      Windows has always been as easy to penetrate as tissue paper, thanks to their obsession with integrating everything and letting all processes talk to each other. It was designed for Personal Computers with the ignorant idea that only one person would be using it, so why put any safeguards between processes or programs?

      Other OS are doing their best to keep up in the race to the bottom, so they can sometimes be exploited too... especially by executable code in a document formatting language which has always been and forevermore will be a stupid idea.

      • (Score: 4, Insightful) by shortscreen on Saturday March 17 2018, @10:33PM (2 children)

        by shortscreen (2252) on Saturday March 17 2018, @10:33PM (#654243) Journal

        Developers would have us believe that the web browser is the OS now. The concept of a personal computer with one user in control is gone. Instead it's a "device" controlled by remote entities: MS, Apple, Google, data miners, ad networks, whoever.

        • (Score: 0) by Anonymous Coward on Sunday March 18 2018, @02:27AM (1 child)

          by Anonymous Coward on Sunday March 18 2018, @02:27AM (#654322)

          Developers is a strange way to spell capitalists.

          • (Score: 1) by khallow on Sunday March 18 2018, @03:09PM

            by khallow (3766) Subscriber Badge on Sunday March 18 2018, @03:09PM (#654478) Journal

            Developers is a strange way to spell capitalists.

            Because that's not. For example, it's not a capitalist impulse to create encryption with backdoors or hoover metadata on html requests that can be exploited by governments. Yet both of those are ways to compromise web browsers.

  • (Score: 5, Insightful) by Azuma Hazuki on Saturday March 17 2018, @06:37PM (8 children)

    by Azuma Hazuki (5086) on Saturday March 17 2018, @06:37PM (#654171) Journal

    Oh, my Win7 VM? Whoop-de-stupid-doo, I'll just roll back to a nightly snapshot. Windows has long since proven that it's too insecure and fragile to be installed on the bare metal. If MS is smart, they'll make the user component of Windows 11 or whatever a virtual machine inside a very slim, stripped-down hypervisor and incorporate automatic snapshots into it.

    --
    I am "that girl" your mother warned you about...
    • (Score: 5, Insightful) by jmorris on Saturday March 17 2018, @07:11PM (5 children)

      by jmorris (4844) on Saturday March 17 2018, @07:11PM (#654185)

      And that solves what problem? If viewing a webpage allows access to all of the information stored on the machine, including any network shares, rolling back a snapshot accomplishes what?

      Windows and the entire computing philosophy it embodies, which now dominates the industry, must go. Must be declared unsafe at any patch level, with any possible sandboxing, VM or other band aids. Forbidden under pain of cruel and unusual punishment to be connected to any network where important information is dealt with. Not just classified or life critical computing, any information that the disclosure or modification would impact the economy or privacy. It has been decades now where not a day has passed where multiple zero day exploits haven't lurked for any actor with resources to exploit them. Enough. It isn't ever going to get fixed because it can't be fixed. And assuming some new breakthrough permitted fixing the current mess it is mutating at such a rate nobody can even keep up.

      We see the same defective design patterns up and down the stack, from CPUs designed to marketing specs and actual security is an afterthought, to chipset design where multiple microprocessors can be inserted with zero auditing and no way to fix the inevitable problems that WILL arise, defective firmware everywhere and no attempt for anyone anywhere to ever actually know enough about any of it to audit it or fix it if a defect is discovered. Then the operating systems are defective by design, all patterned on the defective DOS/Windows patterns, it is quickly infecting Linux too; systemd. It impacts the stack above too. "Office" type crap where pretty much every document hosts executable content. Who thought that was a good idea? And the top layer, the modern Internet, is a frigging nightmare of stupidity that space forbids the enumeration of even the most stupid ideas.

      • (Score: 2) by Azuma Hazuki on Saturday March 17 2018, @09:42PM (4 children)

        by Azuma Hazuki (5086) on Saturday March 17 2018, @09:42PM (#654229) Journal

        Eh, I only ever use the VM a couple hours a month to run my MIDI sequencer, so no big deal if it gets pwn3d, really. Still, less for security purposes than for purposes of "shit, dad downloaded something bad off that porn site again" I think we should have snapshots integrated right into the OS and the OS should be virtualized.

        --
        I am "that girl" your mother warned you about...
        • (Score: 0) by Anonymous Coward on Saturday March 17 2018, @10:23PM (3 children)

          by Anonymous Coward on Saturday March 17 2018, @10:23PM (#654238)

          i expected someone else to make your original comment. you are better than that sort of arrogance through ignorance! but i guess if you didn't know... well, ignorance is better than arrogance, because ignorance can be cured.

          • (Score: 2) by Azuma Hazuki on Sunday March 18 2018, @03:10AM (2 children)

            by Azuma Hazuki (5086) on Sunday March 18 2018, @03:10AM (#654331) Journal

            Look, I know virtualization isn't a panacea. You think I haven't been keeping track of all the hypervisor escapes and such for the last few years? But it's better than nothing, and I already had a policy in place of never letting that VM talk to any other node or have anything more important than, say, my arrangement of the Kirby's Dreamland 3 deep-water stages' BGM on it.

            It's like NAT. NAT is not a firewall. By itself, it doesn't add much security. But it *is* handy to have your devices not directly accessible from the WAN side, and that alone provides a passive layer of protection that's better than nothing. Same with virtualization for Windows OSes.

            --
            I am "that girl" your mother warned you about...
            • (Score: 3, Insightful) by HiThere on Sunday March 18 2018, @05:15PM (1 child)

              by HiThere (866) Subscriber Badge on Sunday March 18 2018, @05:15PM (#654539) Journal

              I think at least one of his points was that when they've copied your bank account access data, restoring from backup doesn't solve the problem.

              --
              Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
              • (Score: 2) by Azuma Hazuki on Sunday March 18 2018, @05:33PM

                by Azuma Hazuki (5086) on Sunday March 18 2018, @05:33PM (#654542) Journal

                Well, yes, which is why I don't do anything of any importance on the VM. It's just for making music.

                --
                I am "that girl" your mother warned you about...
    • (Score: 4, Informative) by RamiK on Saturday March 17 2018, @07:32PM (1 child)

      by RamiK (1813) on Saturday March 17 2018, @07:32PM (#654188)

      According to VMWare ( https://kb.vmware.com/s/article/52245 [vmware.com] ) you need guest, host and hw microcode patches to mitigate Meltdown/Spectre style speculative attacks. Or in other words, you still need to trust Microsoft and Intel to do their job and do it well. Which to me, defeats the purpose of running Windows in a VM in the first place compared to a separate, dedicated machine (or not at all).

      To spice it up:

      Virtualization seems to have a lot of security benefits.

      You've been smoking something really mind altering, and I think you should share it.

      x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

      You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

      You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.

      That's all x86 virtualization is.

      https://marc.info/?l=openbsd-misc&m=119318909016582 [marc.info]

      --
      compiling...
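The practical upshot of the VMware note above is that the guest only sees the mitigations its kernel, the hypervisor and the CPU microcode together provide, so the check has to be run inside the guest as well as on the host. Linux exposes the kernel's own verdict as one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and later additions), each beginning with "Not affected", "Vulnerable" or "Mitigation: ...". The following is an added example for this page, not code from VMware's KB article or from the kernel; the directory is a parameter so the same code can run against a constructed fixture, and the three status strings in the fixture are assumed sample values, not a reading from any real host.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example for this page: summarize the Linux kernel's view of
 * speculative-execution mitigations from the sysfs vulnerabilities directory.
 * The real directory is /sys/devices/system/cpu/vulnerabilities/; the fixture
 * below is a constructed stand-in so the code runs anywhere.
 */

enum verdict { NOT_AFFECTED, MITIGATED, VULNERABLE, UNKNOWN };

/* Classify one status line exactly as the kernel prints it. */
enum verdict classify(const char *status) {
    if (strncmp(status, "Not affected", 12) == 0) return NOT_AFFECTED;
    if (strncmp(status, "Mitigation:", 11) == 0) return MITIGATED;
    if (strncmp(status, "Vulnerable", 10) == 0) return VULNERABLE;
    return UNKNOWN;
}

/* Print one line per issue; return how many are still Vulnerable, -1 on error. */
int count_vulnerable(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int bad = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        char path[512], line[256] = "";
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        if (fgets(line, sizeof line, f)) line[strcspn(line, "\n")] = '\0';
        fclose(f);
        enum verdict v = classify(line);
        const char *tag = v == VULNERABLE ? "VULNERABLE" :
                          v == MITIGATED  ? "mitigated"  :
                          v == NOT_AFFECTED ? "not-affected" : "unknown";
        printf("%-12s %-20s %s\n", tag, e->d_name, line);
        if (v == VULNERABLE) bad++;
    }
    closedir(d);
    return bad;
}

/* Constructed fixture (assumed sample values, not a real host): three files
 * in a fresh temp dir, one of them still reporting Vulnerable. */
int make_fixture(char *dir, size_t n) {
    char tmpl[] = "/tmp/vulns.XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(dir, n, "%s", tmpl);
    const char *names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    const char *vals[]  = { "Mitigation: PTI",
                            "Mitigation: __user pointer sanitization",
                            "Vulnerable" };
    for (int i = 0; i < 3; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w");
        if (!f) return -1;
        fprintf(f, "%s\n", vals[i]);
        fclose(f);
    }
    return 0;
}

int main(void) {
    /* On a real guest call count_vulnerable("/sys/devices/system/cpu/vulnerabilities"). */
    char dir[64];
    if (make_fixture(dir, sizeof dir) == 0)
        printf("vulnerable entries in fixture: %d\n", count_vulnerable(dir));
    return 0;
}
```

A "Vulnerable" spectre_v2 line inside a fully patched guest is the symptom the VMware article is describing: the guest kernel can only use the IBRS/IBPB/STIBP features its hypervisor exposes, and those depend on host microcode and the hypervisor's own update, so the same file must be read on the host too. For a Windows guest, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports the equivalent per-mitigation status.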
      • (Score: 3, Interesting) by arslan on Sunday March 18 2018, @10:24PM

        by arslan (3462) on Sunday March 18 2018, @10:24PM (#654606)

        Great quote! Now if someone can write me something similar with regards to containers! I've been trying to warn folks that putting yet another layer of virtualization on top of your virtualization is rather stupid - especially so if the argument is to simplify the app by shrink-wrapping it in a container so the ugly innards are hidden.. I'd rather they just rewrite the app properly.

        Not that containers don't have their place, but it seems to have opened up this whole new world for lazy-ass engineers to impress their PHB.

  • (Score: 4, Informative) by c0lo on Saturday March 17 2018, @07:03PM

    by c0lo (156) Subscriber Badge on Saturday March 17 2018, @07:03PM (#654181) Journal

    Pwn2Own 2018:
    - day 1 [thezdi.com] - along with the bugs in other software, in the browser category: Safari on Mac, Edge on Windows and again Safari on Mac
    - day 2 [thezdi.com] - browsers: Firefox on Windows fell first, followed by Safari on Mac (on the 4th attempt, thus no prize) and again Safari on Mac (sandbox escape)

    Overview of the 2 days [thezdi.com]

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 0) by Anonymous Coward on Saturday March 17 2018, @07:53PM

    by Anonymous Coward on Saturday March 17 2018, @07:53PM (#654199)

    Mah nishtanah, ha-laylah ha-zeh, mi-kol ha-leylot?

    Just sayin'.

  • (Score: 0) by Anonymous Coward on Sunday March 18 2018, @03:12AM

    by Anonymous Coward on Sunday March 18 2018, @03:12AM (#654333)

    archive.is is clearly not up to date when it comes to app-webs or whatever this new web is called, in which to render a plain doc you need to run lots of crap (hint for webdevs: it normally also means slow & battery draining).

    Dunno, maybe they should run some kind of virtual desktop and real browser inside, to try to fake everything (mouse motion, etc) and get to something that can be captured (FF Ctrl+F2, then inject "screenshot --fullpage /path/file.png" as if really typed).

    Do you have any better idea about how to implement this? It seems scrapers are special tools, while what is needed is some kind of "all looks real", like a cousin of the Turing Test, where the server and the "app" can't tell whether they are being observed by a machine or by a real human.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday March 18 2018, @08:39AM

    by Anonymous Coward on Sunday March 18 2018, @08:39AM (#654392)

    Did a mini study on the subject and it looks like GNU/Linux was a target in 2008 and didn't fall, although one participant boasted that his method would have taken only hours to refine to successfully attack GNU/Linux. The stance since has been to not include GNU/Linux since all individual distros have such a small slice of the entire PC userbase. Featured again in 2017 and this time taken down. Since Micro$oft has been a sponsor since this year, I don't think we'll see GNU/Linux any time soon. However they did have the Apache and NGINX web servers as well as OpenSSL as targets, which is nice.
