Microsoft's Jet crash: Zero-day flaw drops after deadline passes:
The Zero Day Initiative has gone public with an unpatched remote-code execution bug in Microsoft's Jet database engine, after giving Redmond 120 days to fix it. The Windows giant did not address the security blunder in time, so now everyone knows about the flaw, and no official patch is available.
The bug, reported to Microsoft on May 8 with a 120-day deadline before full disclosure, was described on Thursday by ZDI, here. It was discovered by Lucas Leong of Trend Micro Security Research.
The bad news: it's a remote-code execution vulnerability, specifically, an out-of-bounds memory write. The good news is that an attacker can only trigger the bug by tricking the victim into opening a specially crafted Jet file, and any arbitrary malicious code smuggled in the document is executed only with the user's privileges (we've all made sure that users don't have admin privilege, right?) The booby-trapped Jet file can also be opened using JavaScript, so someone could be fooled into viewing a webpage that uses JS to open the file, causing the code to run if it's picked up by the database.
The other good news is that the Jet database engine is not terribly well deployed: it's mostly associated with Microsoft Access and Visual Basic. However, if you are using it, you probably will want to stop users from opening any maliciously rigged files.
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @02:11AM (18 children)
It's time corporate america swtich to linux/bsd. MS got nothing to offer them.
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @02:40AM (13 children)
Wake up sleepyhead. Corporate globalists are making bank on Linux. The entire Internet of Things is built around embedded Linux systems which you have no control over. Your corporate overlords deny you the freedom to modify Linux in devices you own. Worry not about how they paid exactly zero cents for the free Linux they use to spy on you. Do not concern yourself when corporate interests had Linus fired from Linux. Keep giving money to your corporate masters. Profits are sky high ever since Linux morons like you created free Linux and lowered software costs to zero for evil corporations. You have only yourself to blame.
(Score: 1) by khallow on Saturday September 22 2018, @02:48AM (7 children)
Funny how that was supposed to bother us. Guess another troll fail.
(Score: -1, Troll) by Anonymous Coward on Saturday September 22 2018, @02:58AM (6 children)
Corporate billionaires making billions by taking the hard work of volunteers who got paid nothing doesn't bother khallow. Khallow is the living embodiment of psychotic avarice. Another example of defective human garbage.
(Score: 2, Touché) by khallow on Saturday September 22 2018, @04:05AM (2 children)
Yep.
Nope.
(Score: -1, Troll) by Anonymous Coward on Saturday September 22 2018, @04:45PM (1 child)
Yep. Khallow is a selfish megalomaniac who likes seeing the downtrodden get trampled by the rich and the powerful. Khallow desperately wants billionaire status for himself and trampling everyone else is his way to get there. Khallow is sick. Khallow needs to be put down.
(Score: 1) by khallow on Sunday September 23 2018, @04:06AM
No downtrodden or trampling in the scenario given. We're supposed to care because something freely given gets freely used by billionaires?
That's why I post on SN. Lots of trampling opportunities here.
"We're sorry but your pet soylentil has contracted a terminal case of billionairitus. He'll keep biting ankles until someone gives him a billion dollars and that just isn't going to happen."
(Score: 5, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @09:16AM (2 children)
I get psychotic all the time.
The reason I'm a coder at all is that I can write good code even when I'm delusional.
I realized that was the case back in 1988, when I was all alone in my building when the NAZIs started having Panzer maneuvers in the parking lot.
Looked out the window... just an empty parking lot.
Looked back at my terminal, NAZIs were in the parking lot again.
But that night's code was damn good.
Yes I Have No Bananas. [gofundme.com]
(Score: -1, Troll) by Anonymous Coward on Saturday September 22 2018, @04:49PM (1 child)
Considering your preferred method of marketing your skills is waxing quixotic and sucking cock until you land the gig, I have to wonder, don't your prospective bosses worry about how you might go psychotic and bite their dicks off?
(Score: 3, Interesting) by MichaelDavidCrawford on Monday September 24 2018, @08:43AM
I don't tell my employers until I've actually worked for them long enough that I can accurately gauge how they'll react to my informing them of my mental illness.
My experience with doing so has been overwhelmingly positive. I don't tell everyone but I do tell most of them.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Insightful) by Anonymous Coward on Saturday September 22 2018, @02:58AM (4 children)
These concerns were actually expressed by Richard Stallman and were the subject of GPLv3. Stallman was worried about Tivo like devices (now smartphones), that take away users freedom by denying the user the ability to install their own operating system or have any control over the software the device runs. Torvalds was very resoundingly opposed to GPLv3 especially since Linux is funded by Google et al.
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @03:24AM (1 child)
Richard Stallman began the GNU Project with the explicitly stated goal of lowering programmer salaries to the level of sales clerks. He very nearly is succeeding. On average he has succeeded already when the vast numbers of unpaid free software programmers are counted. There are yet some few millennial hipster douchebags who earn pay in the six figure range and are deluded enough to believe they deserve to get paid for coding work. This state of affairs is not economically sustainable and professional coder pay will be corrected to zero by the invisible hand of capitalism. On the subject of Mr Torvalds all I can say is I hope he enjoys his new career of selling coffee.
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @06:09AM
Interesting. Can I subscribe to your newsletter?
Will he enjoy selling coffee? With $150m in the bank, he just may.
(Score: 2) by MichaelDavidCrawford on Saturday September 22 2018, @09:18AM (1 child)
-loaders.
Usually it's just a simple command in adb.
That's how one does Android Platform Development - you just unlock your phone, roll a firmware image then upload it to your phone.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @04:39PM
IoT is more than just smartphones. Go to the electronics section of any big box store, Walmart, Target, Best Buy, pick one, and almost every product for sale is running Linux. Launch the web browser on a TV and check the user agent string and you'll see Linux mentioned. Buy a Wi-Fi router and look in the packaging for a full printed copy of the GPL.
You don't have the freedoms granted to you by the GPL when you buy products containing Linux. Companies have the freedom to take Linux and sell it to you in a locked down black box which you are not allowed to modify.
The free software movement in theory gives you the freedom to modify your software. In practice the only thing free software accomplishes is enriching billionaires who made their billions by taking free software for free and denying you your freedoms.
By gifting labor to capitalists for free, free software is making the future much worse, not better.
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @06:12AM
Just in time when control of Linux is up for grabs.
(Score: 4, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @09:13AM (2 children)
"Nobody can figure out how to copy a file."
Not my words, but the founder and President of that vendor.
Linux might actually be ready for the Desktop, but you're going to have to overcome decades of sloth such as a certain release of Slackware whose gEdit lost all the text that was not displayed in the window.
That is, if you wrote a chapter of your Great American Novel then shrunk the window to just a few inches high, most of your chapter just vanished into the Ether.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by kazzie on Saturday September 22 2018, @01:12PM (1 child)
Whenabouts was that? I've been dabling with Slackware for well over a decade and can't recall hearing of this.
(Score: 2) by MichaelDavidCrawford on Saturday September 22 2018, @07:04PM
2002 or so
The befit bug wasn't Patrick's fault but he shouldn't have included Vedic in his release
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by Gaaark on Saturday September 22 2018, @03:27AM (3 children)
When will people stop being stupid?
What will it take? Seriously.....what will it REALLY take to get people to stop being stupid?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: -1, Troll) by Anonymous Coward on Saturday September 22 2018, @03:29AM
Unfortunately a bullet in the head is the only possible cure for khallow.
(Score: 2) by MostCynical on Saturday September 22 2018, @06:35AM
When not-stupid is easier than stupid.
Stupid is often lazy plus uninformed, but laziness feeds ignorant, so..
Won't even happen when stupid causes death (already happened)
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by Freeman on Monday September 24 2018, @04:44PM
I'm not stupid, or uniformed, I'm just stuck with an either / or situation and so far it's been me using Windows. They have definitely nearly pushed me out of the Microsoft camp entirely with the recent Win10 built-in spyware, though. All it would take is them announcing some subscription based model and I'm 100% out. The unfortunate part is that I hear VR on Linux isn't well supported. I don't have enough skin in the game to not dump it, if necessary though.
Most of the reason why I don't have Linux on my current box is, because of ease of use. It would take more effort to switch everything over to Linux than I want to spend, right now. I have limited free time and don't want to take the effort to switch to Linux. Assuming, I knew that I would have a seamless transition and the few games I am currently playing ran well. I would make the switch. There's no guarantee that I wouldn't be stuck distro hopping only to find out that something, something, have to build something, because something. Sure, I can figure it out and maybe it would just work. I don't have tons of free time anymore. I have a wife and kid and they both need and want my attention. So, at the end of the day, I just want to relax and that doesn't involve switching graphic drivers, because it doesn't work on this game.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Saturday September 22 2018, @07:02AM
says is all
(Score: 3, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @08:38AM (3 children)
If it's used by Microsoft Access, then it is _exceedingly_ well deployed.
This flaw could be quite a serious problem, potentially a national emergency.
I'd rather not point out where all those Access installs are, but I'm going to drop a dime to a software vendor that's been building their product on Access for decades.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Interesting) by MichaelDavidCrawford on Saturday September 22 2018, @09:10AM
Dime Dropped. The guy I emailed is generally good about his email.
The software in question is quite cool as well as quite popular, but yes I was appalled when they explained it was built on top of Access.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Interesting) by digitalaudiorock on Saturday September 22 2018, @01:45PM
As I recall, it was used in Diebold voting machines at least at one point.
(Score: 2, Informative) by Anonymous Coward on Saturday September 22 2018, @08:17PM
Every version of Windows in modern use has the Jet DB engine included. MSJET*.DLL etc. So "not terribly well deployed" is absolutely false since it's only a part of practically every single 32/64-bit Windows machine that exists. In fact, I just confirmed by fishing through the CAB files that Windows 95 OSR2 (aka Win95B) has MSJT3032.DLL which is Jet 2.0, so yeah, it's literally deployed even on ancient Win95 machines.