back to article Microsoft releases temporary fix for critical Windows bug

Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems. In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Ha!

"Microsoft has issued a temporary fix for a critical Windows vulnerability"

Isn't that always the news from MS? The fix is temporary and someone else will find a way around it in a few nano-seconds...

What they need to do is think about security before they release the software in the first place!

4
7
Anonymous Coward

Err...

Just like Linux then... Release a fix in a few nano seconds, stick it in the nightly unstable releases, observe that it screws with loads of stuff, someone else writes another fixed fix, rinse and repeat and it ends up in the stables somewhere between a week and a month later.

Hopefully you don't get anything that breaks stuff into the stable releases, but as my Arduino IDE hasn't worked on my linux laptop for nearly a month now, due to a botched update to GCC, that's obviously not always the case.

1
1
Bronze badge

strange comparison

How much did you pay for Adruino, Linux and gcc? How much do your the Adruino's developers make? And btw, did you get any malware installed on your Linux laptop sue to that problem? The idea is that M$ guarantees everything, free software do not, or wait, it is the other way around.

I myself never had problem with gcc on emacs ...

2
2
Anonymous Coward

err...

You can't have it both ways, either Linux is great or you should put up with problems a d shut up. Which is it?

0
0
FAIL

What the hell?

The flaw was in the "Win32k TrueType font-parsing engine" and "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode".

Seriously? Why the hell is the font parsing engine running in kernel mode???

5
0
LDS
Silver badge

Because the bug is actually in a kernel driver

The vulnerability is actually in a kernel driver - and to access display devices some code has to run in the kernel, user code can't access hardware devices.

2
0
FAIL

Kernel driver should be only needed for hardware acceleration...

So, they used hardware acceleration for font rendering... Acceleration... Optimizations... Those usually mean "drop the unnecessary exception handling routines". Aha! security hole.

1
1
Bronze badge

Com'on, this is Microsoft. They are known to stick the file and web browser (explorer) deep into the kernel in the past. They are experts in that regard.

0
0

i agree

We should all go back to 40 column 25 line amber monitors that use 5x8 pixel fonts that sit in rom. Try and hack those ....

0
0
Unhappy

Well, this sucks: Exploitable as non-admin.

Pretty impressive. TrueType is actually program code so it's not subject to no-execute protection. Attack the kernel through a user-accessible DLL with access to the kernel.

Disabling embeddable TrueType fonts in documents, as the workaround does, closes that hole handily until it gets fixed. You can bet MS is hunting for similar vulnerabilities in other bits of user-to-kernel code as we comment about this.

0
0
Big Brother

Does this mean

The spooks have upgraded Stuxnet and no longer need this security hole, so now M$ is allowed to fix it?

0
0
This topic is closed for new posts.

Forums