One moderate vulnerability that's already exploited impacts the Windows SmartScreen Security Feature:
Microsoft on Tuesday disclosed 56 vulnerabilities, including six critical ones and one moderate vulnerability that has been exploited.
The patches released address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework.
The one exploited CVE disclosed on Patch Tuesday impacts the Windows SmartScreen Security Feature. To exploit it, an attacker could craft a malicious file that would evade Mark of the Web (MOTW) defenses.
[...] The six critical CVEs disclosed on Tuesday were all Remote Code Execution (RCE) vulnerabilities. They impact: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises), Microsoft SharePoint Server, PowerShell, and Windows Secure Socket Tunneling Protocol (SSTP).
(Score: 3, Insightful) by driverless on Saturday December 17, @11:08AM (4 children)
In other words, to do the normal everyday things you do all the time on a computer. Can we just stop pretending this is a mitigating factor? I mean, it's not quite as bad as "this attack takes effect as soon as the victim takes their computer online", but it's a bare minimum step above it.
(Score: 2) by canopic jug on Saturday December 17, @11:54AM (2 children)
Yes, stop blaming the victim for using the software as advertised. Anyway, how was any of this news? M$ products are simply not fit for any regular usage, and maybe not even for a few fringe, air-gapped use cases. Remember prior to the arrival of M$ Outlook that it was basically impossible to spread malware via e-mail. Then MSIE, along with its metastasization throughout the OS, brought a new world of exploits. Before either of those, you have had M$ Word and M$ Excel macro-based malware spreading around sneakernet within and between work places. Then the core OS has endless remote exploits, some decades old. The answer is to remove the problem staff, and managers, which brought M$ products into the work place to begin with.
It's a bigger problem than just M$ alone nowadays because Bill in particular has made bad engineering acceptable. It is now to the point that non-M$ software is finding acceptance in bloat and poor quality, notably the two remaining web browsers Firefox and Chromium. Neither of the two is safe to use on the net, yet there they are. Or, to poke a nerve, look at systemd with its gratuitous bloat, complexity, and half-baked re-implementations of established technologies. Just complexity alone is incompatible with security (confidentiality, integrity, and availability).
Money is not free speech. Elections should not be auctions.
(Score: 2) by Gaaark on Saturday December 17, @02:57PM
Yup!
At best, Windows is a gaming platform.
At worst....... "Oh yeah "Ooh, aah", that's how it always starts. But then there's running and screaming."
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by turgid on Saturday December 17, @04:46PM
A few years back I switched to using palemoon for my browsing on my Slackware machines. I've noticed in the last year or so that a lot of web sites have stopped working with it. Menus and so on don't work. I can't view my repos on gitlab.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by ElizabethGreene on Saturday December 17, @05:18PM
I respectfully disagree.
"This vulnerability impacts machines just sitting there turned on." is significantly worse than "This vulnerability impacts machines where userX opens a [website|email] with content prepared by the attacker."
Would we still remember Nimda, Slammer, or Code Red if they required the user to do something instead of just having a PC connected to the internet?