Microsoft releases temporary fix for critical Windows bug

Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems. In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Ha!

    "Microsoft has issued a temporary fix for a critical Windows vulnerability"

    Isn't that always the news from MS? The fix is temporary and someone else will find a way around it in a few nanoseconds...

    What they need to do is think about security before they release the software in the first place!

    1. Anonymous Coward
      Anonymous Coward

      Err...

      Just like Linux then... Release a fix in a few nanoseconds, stick it in the nightly unstable releases, observe that it screws with loads of stuff, someone else writes another fixed fix, rinse and repeat and it ends up in the stables somewhere between a week and a month later.

      Hopefully you don't get anything that breaks stuff into the stable releases, but as my Arduino IDE hasn't worked on my Linux laptop for nearly a month now, due to a botched update to GCC, that's obviously not always the case.

      1. eulampios

        strange comparison

        How much did you pay for Arduino, Linux and gcc? How much do the Arduino's developers make? And btw, did you get any malware installed on your Linux laptop due to that problem? The idea is that M$ guarantees everything, free software does not, or wait, it is the other way around.

        I myself never had a problem with gcc on emacs ...

        1. Anonymous Coward
          Anonymous Coward

          err...

          You can't have it both ways: either Linux is great or you should put up with problems and shut up. Which is it?

  2. John Riddoch
    FAIL

    What the hell?

    The flaw was in the "Win32k TrueType font-parsing engine" and "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode".

    Seriously? Why the hell is the font parsing engine running in kernel mode???

    1. Anonymous Coward
      Anonymous Coward

      Because the bug is actually in a kernel driver

      The vulnerability is actually in a kernel driver - and to access display devices some code has to run in the kernel, user code can't access hardware devices.

      1. ~mico
        FAIL

        Kernel driver should be only needed for hardware acceleration...

        So, they used hardware acceleration for font rendering... Acceleration... Optimizations... Those usually mean "drop the unnecessary exception handling routines". Aha! security hole.

    2. eulampios

      Come on, this is Microsoft. They are known to have stuck the file and web browser (explorer) deep into the kernel in the past. They are experts in that regard.

    3. vincent himpe

      I agree

      We should all go back to 40 column 25 line amber monitors that use 5x8 pixel fonts that sit in ROM. Try and hack those ....

  3. Gordon Fecyk
    Unhappy

    Well, this sucks: Exploitable as non-admin.

    Pretty impressive. TrueType is actually program code so it's not subject to no-execute protection. Attack the kernel through a user-accessible DLL with access to the kernel.

    Disabling embeddable TrueType fonts in documents, as the workaround does, closes that hole handily until it gets fixed. You can bet MS is hunting for similar vulnerabilities in other bits of user-to-kernel code as we comment about this.

  4. Johan Bastiaansen
    Big Brother

    Does this mean

    The spooks have upgraded Stuxnet and no longer need this security hole, so now M$ is allowed to fix it?
