SoylentNews is people

posted by LaminatorX on Thursday October 16 2014, @06:32PM
from the separation-of-concerns dept.

Shaun Nichols at El Reg notes the latest Patch Tuesday:

Microsoft has today patched two dozen CVE-classified security vulnerabilities in its software. People are urged to install them as soon as possible.

The US giant said the October edition of Patch Tuesday includes three critical fixes to address flaws in Internet Explorer, the .NET Framework and Windows kernel-mode driver.
[...]
MS14-061 - An 'important' rated vulnerability (CVE-2014-4117) in Office that allows an attacker to use malicious Word files to achieve remote code execution at the level of the logged-in user. The flaw can be mitigated by limiting the access rights of user accounts. The flaw is also present in Office for Mac. The discovery is credited to 35 Labs via the HP Zero Day Initiative.
[...]
And Adobe's software is still riddled with holes.

Adobe, meanwhile, has released its own monthly patch update. That patch will include a fix for three remote-code execution flaws in Flash Player for Windows, OS X, and Linux. Adobe is also patching a trio of flaws in ColdFusion allowing elevation of privilege and security control bypass.

[Update 1]: Corrected title as these vulnerabilities are not restricted to Windows.

[Update 2]: There are also reports of remote code execution and privilege elevation vulnerabilities across Solaris, Linux and Windows, via Java and Oracle: http://threatpost.com/java-reflection-api-woes-resurface-in-latest-oracle-patches/108847.

 
  • (Score: 0) by Anonymous Coward on Thursday October 16 2014, @07:08PM

    by Anonymous Coward on Thursday October 16 2014, @07:08PM (#106765)

    El Reg: "It's 2014 and you can still own a Windows box using a Word file or font"
    Soylent: "It's 2014 and You Can Still Pwn a Windoze Box Using a Word File or Font"

    Come on, Soylent...

  • (Score: 0) by Anonymous Coward on Thursday October 16 2014, @07:34PM

    by Anonymous Coward on Thursday October 16 2014, @07:34PM (#106775)

    It's a gewg submission. Did you honestly expect it to be free of childish stupidity or political bias?

    • (Score: 0) by Anonymous Coward on Thursday October 16 2014, @08:47PM

      by Anonymous Coward on Thursday October 16 2014, @08:47PM (#106794)

      Did you honestly expect

      Honestly? No. Not a chance.

      Let's see:
      A company that couldn't come up with a unique, non-generic name for its flagship product--at a time when Big Pharma had already demonstrated how to do that over and over again (Tylenol, Bufferin, Kaopectate).

      ...and that same company thinks it's perfectly normal to try to paste on security as an afterthought.

      ...then there's their corrupt business model, addressed by kaszz below.

      -- gewg_

  • (Score: 2) by martyb on Thursday October 16 2014, @07:38PM

    by martyb (76) on Thursday October 16 2014, @07:38PM (#106779) Journal

    Both mistakes were in the original submission and we failed to catch them. Title has been corrected.

    Thank you for bringing it to our attention!

    --
    Wit is intellect, dancing.
    • (Score: 1, Insightful) by Anonymous Coward on Thursday October 16 2014, @09:02PM

      by Anonymous Coward on Thursday October 16 2014, @09:02PM (#106796)

      Changing "Pwn" to "Own" changes the meaning entirely. When I read the headline "You can still own a box using a Word file, a TTF font, or Flash" my only thought was "Well duh. Microsoft dominates, so pretty much everybody owns a box (computer of some sort) and can use a Word file. TTF files are basically the standard, and you have almost no choice but to have Flash installed because so many stupid websites insist on using it to serve up content."

      Who doesn't own a box that meets some of those criteria?

    • (Score: 2) by _NSAKEY on Friday October 17 2014, @01:57AM

      by _NSAKEY (16) on Friday October 17 2014, @01:57AM (#106871)

      Isn't the point of having editors to catch things like this and fix them before they go live?

      On another note, why is the Twitter bot tweeting the story out every time the headline gets changed? (Links below)

      https://twitter.com/SoylentNews/status/522834690592358400 [twitter.com]

      https://twitter.com/SoylentNews/status/522849978197102593 [twitter.com]

      https://twitter.com/SoylentNews/status/522917752697536513 [twitter.com]

  • (Score: 2) by kaszz on Thursday October 16 2014, @07:43PM

    by kaszz (4211) on Thursday October 16 2014, @07:43PM (#106780) Journal

    One of the largest corporations in the world behaves like a royal asshole for more than two decades and expects to not have any negative feedback?

  • (Score: 2) by mcgrew on Friday October 17 2014, @03:59PM

    by mcgrew (701) <publish@mcgrewbooks.com> on Friday October 17 2014, @03:59PM (#107064) Homepage Journal

    It was a typo, they misspelled WindoZe. Windoze, because I can boot my ancient Linux tower in less time than it takes the much faster hardware on my much newer notebook running Windows 7 to come out of hibernation. It's Win Doze, as in almost asleep. It has to do with Windows' shocking lack of speed, not its insecurity.

    And someone mentioned "professional", I want to point out that the only one getting paid is S/N's web host.

    --
    Carbon, The only element in the known universe to ever gain sentience