Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems. In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected …
"Microsoft has issued a temporary fix for a critical Windows vulnerability"
Isn't that always the news from MS? The fix is temporary and someone else will find a way around it in a few nano-seconds...
What they need to do is think about security before they release the software in the first place!
Just like Linux then... Release a fix in a few nano seconds, stick it in the nightly unstable releases, observe that it screws with loads of stuff, someone else writes another fixed fix, rinse and repeat and it ends up in the stables somewhere between a week and a month later.
Hopefully you don't get anything that breaks stuff into the stable releases, but as my Arduino IDE hasn't worked on my Linux laptop for nearly a month now, due to a botched update to GCC, that's obviously not always the case.
How much did you pay for Arduino, Linux and gcc? How much do the Arduino's developers make? And btw, did you get any malware installed on your Linux laptop due to that problem? The idea is that M$ guarantees everything, free software does not, or wait, it is the other way around.
I myself never had a problem with gcc on emacs ...
You can't have it both ways: either Linux is great or you should put up with problems and shut up. Which is it?
What the hell?
The flaw was in the "Win32k TrueType font-parsing engine" and "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode".
Seriously? Why the hell is the font parsing engine running in kernel mode???
Because the bug is actually in a kernel driver
The vulnerability is actually in a kernel driver - and to access display devices some code has to run in the kernel, user code can't access hardware devices.
Kernel driver should be only needed for hardware acceleration...
So, they used hardware acceleration for font rendering... Acceleration... Optimizations... Those usually mean "drop the unnecessary exception handling routines". Aha! security hole.
Come on, this is Microsoft. They are known to stick the file and web browser (explorer) deep into the kernel in the past. They are experts in that regard.
We should all go back to 40 column 25 line amber monitors that use 5x8 pixel fonts that sit in ROM. Try and hack those ....
Well, this sucks: Exploitable as non-admin.
Pretty impressive. TrueType is actually program code so it's not subject to no-execute protection. Attack the kernel through a user-accessible DLL with access to the kernel.
Disabling embeddable TrueType fonts in documents, as the workaround does, closes that hole handily until it gets fixed. You can bet MS is hunting for similar vulnerabilities in other bits of user-to-kernel code as we comment about this.
Does this mean
The spooks have upgraded Stuxnet and no longer need this security hole, so now M$ is allowed to fix it?