back to article Hyper-V guest escape, drive-by PDF pwnage, Office holes, SMB flaws – and more now patched

After taking a month off, Microsoft's Patch Tuesday is back – and it's a blockbuster edition. There are 18 bundles of patches covering 140 separate security vulnerabilities. These flaws range from a hypervisor escape in Hyper-V, remote-code execution via PDF and Office files and malicious SMB traffic, to the usual barrage of …

Silver badge

make sure you install them ASAP before miscreants start exploiting them in the wild:

Nope.. I'll wait a week in case there's any booby traps in that mess. Meantime, I'll just keep my eyes and ears open to what others find. Hopefully it all works and there's no surprises. Meantime, I'll use the Linux box....

12
4
Anonymous Coward

Microsoft's had an extra month to get things right

There is a lot riding on these patches, MS has had an extra month to get them right. If any of these cause issues it really doesn't bode much confidence in their new delta patch process.

3
0
Silver badge
Trollface

Godwin's law?

Perhaps we should have a new version of Godwin's law - the number of posts on a Microsoft news story before Linux is mentioned?

16
1
Anonymous Coward

Re: Godwin's law?

Given Windows 10 now includes Bash (Unix shell), with more and more Linux features / sub-sets of Linux distributions being attached to Windows sub systems, from likes of Ubuntu and Suse, not sure why you'd seem somewhat surprised that Linux gets mentioned on "Patch Tuesday'" postings.

Linux is today, a rock solid OS, and if you live in the browser like Firefox/Chrome, most people would be hard pressed to know/notice the underlying OS. I use multiple OSs, Windows 10, Windows 7, Linux Mint 18.1, and macOS Sierra/iOS and quite often of late, it's not until minimise the browser that I remember I started my work in Linux that morning.

The hardest thing is remembering where I saved a document, if I was in a rush, so you have to be fairly disciplined in that regard.

9
1
FAIL

Followed by Rollback Wednesday

Yep. Wait a while before installing them. Microsoft seems to be doing little QA or testing on their patches.

Most of the recent patch Tuesdays in our office have resulted in blue screens, broken stuff and rollbacks.

1
0

"and now Redmond has its official patch out, and so sysadmins can get their fix from the horse's mouth."

Ok, quick poll:

How many think of that end of the horse when Microsoft is mentioned? []

The other? []

18
2
FAIL

Hello new bot nets

Put in a turing complete rendering tool and it opens up remote exploits. The Uniscribe one could be live in all versions of windows back to Win 98. Combined with with older versions of the OS loading the font cache in Ring 0, and there will be compete and total p0wnage.

The scary thing is just how much new equipment still gets shipped with WinCE.

9
0
Silver badge

Pretty sad

That Internet Explorer is apparently Microsoft's most secure browser. I guess they must have thought "rewritten from scratch" means it will be more secure, when in fact you have to rewrite it from scratch with security in mind in everything you do. Apparently they missed that last part.

8
0
Silver badge
Coffee/keyboard

Re: Pretty sad

when in fact you have to rewrite it from scratch with security in mind in everything you do. Apparently they missed that last part.

In fact, they re-wrote Edge in partnership with Adobe, yes, seriously!

6
0
Anonymous Coward

Re: Pretty sad

Frankly, it didn't look that Windows 10 focus was protecting user data from exfiltration...

5
0
Anonymous Coward

Re: Pretty sad

Show me a mainstream browser that is secure.

More secure != Secure

0
3

Re: Pretty sad

Edge is not a rewrite and was not claimed to be. It's more like a re-mix. And a new UI, that's where Adobe was involved.

2
1
Silver badge
Windows

It is 2017 and a PDF or Link can 0wn your forest

cf title

6
2
Unhappy

Reboot, Reboot, Reboot

Well after installing that lot on my home machines last night, I can expect to spend today at work rebooting all those 3 times too.

5
2
Alert

Re: Reboot, Reboot, Reboot

WSUS doesn't work on Windows 10???

0
0

Re: Reboot, Reboot, Reboot

Who said anything about Windows 10? Windows 7 and 8.1 are reboot happy enough.

0
0
FAIL

'...Secure programming is hard, kids'

From reading the descriptions of most Windows related vulnerabilities, the developers would only have needed to type, size, bounds and sanity check inbound data. All incoming data, every time. This is hardly news, and is certainly less difficult than the time some suits at a former unnamed employer decided it would be a nifty idea to mix big and little endian app servers in a n-tier SAP environment. "Well, the marketing rep SAID it would work..."

0
0

Re: '...Secure programming is hard, kids'

s/Windows/software/

There isn't really any significant difference in the type of vulnerabilities that pop up in comparable (language, environment, etc) stuff written by the various major actors.

Though often they are not as easy to avoid or spot as you might think, even when the actual fixes are just an added check or two.

0
0

just assume its always vunerable

I use a setup where I have two machines - my main machine is Ubuntu and I remote desktop to my windows 7 machine for windows only stuff, so its semi-seamless between the two. I only use my browsers on the ubuntu side and try my best to not do any internet access from the windows side and avoid inserting strange USB sticks, etc, since my windows work involves a lot of USB debuggers and devices, so I can't just put glue in all the ports. Not that I assume Ubuntu is not vulnerable to anything but odds are much lower, if nothing else than from relative obscurity. I do periodic windows backups and git source control to a local linux server, to avoid ransomware.

0
0
FAIL

Still living in C++ Wonderland

Microsoft is still living in the C++ Wonderland, where the code is so hard to figure out that boss doesn't know what the programmers are doing. That's why programmers love C++. That's why remote execution bugs continue to abound. Simple, straight-forward, fully-tested, well-documented, and secure code? "Pah, that's for the ordinary folks, and we're far above the ordinary!" The old saying still holds, If houses were built like software is written, one woodpecker would destroy all civilization.

0
1

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018