Roses are red, Windows error screens are blue. It's 2018, and an email can still pwn you

Serious security flaws in Outlook and Edge are headlining a busy Microsoft Patch Tuesday. The Redmond giant has issued the February edition of its monthly security update, addressing a total of 50 CVE-listed vulnerabilities in its products. Adobe has also posted an update for flaws in Reader and Experience Manager. Microsoft, …

Silver badge
Pint

"...a total of 50 CVE-listed vulnerabilities..."

Under your chair you will find a pair of boots.

Outside, you walk past a giant haystack, miles high.

You examine it and can see 50 needles.

Estimate how many needles (in total) are in the haystack.

28
0
Silver badge

Re: "...a total of 50 CVE-listed vulnerabilities..."

How many? Why, all of them, of course!

12
0
Anonymous Coward

Re: "...a total of 50 CVE-listed vulnerabilities..."

I don't need to estimate for I bring my mighty magnet. All hail the power of magnetism,

8
0
Silver badge
Windows

Re: "...a total of 50 CVE-listed vulnerabilities..."

Mighty magnet? Many of the needles have been in the haystack for years and are still like new, so they are probably made from Austenitic steel (non magnetic).

8
0
Silver badge

Re: "...a total of 50 CVE-listed vulnerabilities..."

The mighty magnet is Windows in the middle of the haystack. That's why it's full of needles.

21
0

Re: "...a total of 50 CVE-listed vulnerabilities..."

And some of the needle people do not wish their needles to be found, so their needles are deliberately crafted from non-magnetic materials. Meanwhile, the needle-finding folk are finding oodles of needles with their magnets and sincerely believe they are making progress against the needle plague.

8
0
Bronze badge

Re: "...a total of 50 CVE-listed vulnerabilities..."

Sometimes the haystack just needs to be burnt to the ground and leave the needles in its ashes.

12
0
Silver badge
Devil

Re: "...a total of 50 CVE-listed vulnerabilities..."

"Many of the needles have been in the haystack for years and are still like new, so they are probably made from Austenitic steel (non magnetic)."

unless you're near the ocean... Austenitic stainless steel has a high susceptibility to certain kinds of chloride pitting corrosion...

But Outlook and Edge having vulnerabilities... (in the voice of Iago the parrot, as done by Gilbert Gottfried)

"THAT's a big SURPRIIIIIISE!!!"

4
1
Silver badge

Adobe didn't release any flash fixes?

Surely some kind of oversight, there's no chance a month could go by without another bucketful of flash flaws, right? Or did the last person using it finally give up?

14
0
Silver badge

Reading this forum brings flashbacks of old text based adventure games.

It only follows that my response be that security isn’t xyzzy.

Come on Microsoft, hire some decent developers and perhaps consider putting a QA / Test department into your company, then we won’t laugh at you as much.

5
0

Windows has a QA / Test department, they just outsourced most of the work to the users.

9
0
Anonymous Coward

You awake in a blue room, not just any room but a room with windows, it's broken.

18
0
Facepalm

Strike Bill

>You strike Bill!

>Bill's privately funded secret 'charity' Army, hunt you down.

>You are dead

>You have mastered 3% of this adventure

7
0
Silver badge
Windows

FOutlook is still a thing

What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution.

He must have been frightened for decades... Emails with embedded VBS, anyone? They fixed that over 15 years ago...

Outlook, are people still using it??!! :-O

5
4
Silver badge

Re: FOutlook is still a thing

Yes, the Preview Pane has always been a nasty attack vector. Issues with it were being raised back in 2000 on Vuln-Dev, so you're right about "over 15 years ago".

But many people are stuck with Outlook. It's the required MUA at many corporations that bought into Exchange and aren't inclined to move on.

1
0
Silver badge
Devil

Re: FOutlook is still a thing

"many people are stuck with Outlook. It's the required MUA at many corporations that bought into Exchange and aren't inclined to move on"

a good opportunity for a consulting gig: prove to them why it's costing MORE than hiring you to fix it.

I can think up a few things that might work, things that include Linux, T-bird e-mail clients, T-bird's calendar, and everything else done with an in-house web server using a simple interface. "Wow, you can share docs using links to files?" etc. (as in right-click the link to the file and get something you can paste into an e-mail)

3
1

I take it the Skype bug isn't a thing if you use the app rather than the desktop software?

0
1
Silver badge
Windows

Preview pane?

I suppose the average punter uses this without much thought, but why would you want to automatically open an email before checking it?

4
0
Silver badge
Terminator

Re: Preview pane?

I am lazy, anything obviously spam is deleted (StrongBadEmail style, except without the Lappie 486), anything with something work related look in the preview, hit the archive button to make it disappear into a random folder.

1
0
Silver badge
Devil

Re: Preview pane?

"why would you want to automatically open an email before checking it"

an intelligently designed mail reader will allow you to 'preview' a mail rather than open it, and you'll see all of the TEXT content without activating any HTML-related things, embedded content, external content, or any kind of SCRIPT.

An unintelligently designed (in need of some real world natural selection) mail reader will display (in the preview) all attached and "rich" content, via the program assigned to EDIT it if it's external to the mail program. You know, like Outlook. This would include things known to have had major problems and vulnerabilities in the past, like MS Office documents, PDF files, Flash, and even certain kinds of images and media (other than flash).

In Thunderbird, use 'View' 'Message body as' 'plain text' to BLOCK that crap. It's not the default setting. But it SHOULD be.

other mail readers, YMMV but preview as plain text ONLY to avoid problems. And no inline images in the preview. And no downloaded content in the preview.

/me points out that a faked-up URL in a phishing e-mail will show up as the ACTUAL link (not what they WANT you to think it is) in a plain-text e-mail. So instead of seeing "yourbank.com" and being fooled into clicking on it, it's "malware.phishing.site/alphabetsoup/whatever/clone-of-your-bank" and rather obviously malicious.

3
1
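The point above about plain-text rendering exposing the real link target can be automated on the receiving side. This added example (not code from the forum post or from any mail client it mentions) parses the HTML body of a message, collects each anchor's visible text and href, and flags links whose text names a host that the href does not actually point to. The sample message is constructed.

```python
"""Flag HTML-mail links whose visible text names one host while the
href points somewhere else, the mismatch a plain-text view makes obvious."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Loose match for something that looks like a hostname inside link text
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html):
    """Return (text, href) pairs where the text names a host that is
    neither the href's host nor a parent domain of it."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        target = (urlparse(href).hostname or "").lower()
        for shown in HOST_RE.findall(text):
            shown = shown.lower()
            if not (target == shown or target.endswith("." + shown)):
                flagged.append((text, href))
                break
    return flagged


# Constructed sample: one honest link, one whose text lies about its target
SAMPLE = ('<p>Log in at <a href="https://www.example-bank.com/login">'
          'www.example-bank.com</a> or via <a href="http://phish.example.net/x">'
          'https://example-bank.com/secure</a></p>')
```

Running `mismatched_links(SAMPLE)` returns only the second link; a plain-text renderer would show the same href to the reader directly.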
Bronze badge

These people are ridiculous. They need to stop trying to bring out new versions of Windows 10 every six months (and stop giving them all the same name - "Creators Update") and concentrate on making existing stuff work.

5
0

Eventually they'll update their creators enough, that the creators will come up with a new name.

3
0
Silver badge
Windows

Yep, evergreen here

Upgraded the servers and clients yesterday, no problems.

0
7
Anonymous Coward

How many errors are C++ related?

I would like to comment, I suspect that most of these errors are C++ related. Code should not be able to read "out of bounds" unless it's a really dodgy language... difficult to debug... and definitely used for job security.

(Posting anonymously because, really, the continuing waterfall of C++ and such like bugs gives meself job security.)

4
4
Silver badge
WTF?

Re: How many errors are C++ related?

"I suspect that most of these errors are C++ related"

What? The? FORNICATE???

(are you advocating C-POUND as a solution? I hope not!)

FYI - a properly written C++ program with well-designed objects will manage itself very well. If it was designed by an idiot [and I've been tasked to clean THAT kind of stuff up, before] then you might consider re-writing it. But NEVER with C-POUND. That would be WORSE...

I would re-phrase that as "lack of programmer discipline/competence". Bad code is bad code, in ANY coding lingo.

1
1
Anonymous Coward

Re: How many errors are C++ related?

What language is C-POUND? Do you mean C#, which is pronounced "C-sharp" and doesn't even have a pound symbol in it?

0
0
Silver badge

Re: How many errors are C++ related?

YHBT, HAND.

0
1
Silver badge
Gimp

More likely you're dying of dysentery

your mother is a robot.

0
0
Anonymous Coward

"Adobe Experience Manager"

Experience more security issues today! Also comes with a workflow designed for people who like to punish themselves.

3
0


Biting the hand that feeds IT © 1998–2018