They forked this one up: Microsoft modifies open-source code, blows hole in Windows Defender

A remote-code execution vulnerability in Windows Defender – a flaw that can be exploited by malicious .rar files to run malware on PCs – has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware …


  1. Teiwaz Silver badge

    So.... not changing the name to Windows smash-the-window-and-ransack-the-joint?

    Windows I-was-out-back-having-a-smoke-guv

    any other suggestions...

    1. TRT Silver badge

      Windows-execute-order-66?

    2. Mark 85 Silver badge

      Duck-taped-Windows.

  2. Anonymous Coward

    Microsoft -- the Monopoly and Marketing Giant...

    It's been obvious for at least thirty years - Microsoft is the Monopoly and Marketing Giant....

    ......but has NEVER been much good at software. Here we have (yet another) example of M$ taking a perfectly good piece of someone else's software and totally screwing it up. The other examples, I hear you ask? How long have you got? PowerPoint, Lattice C, Multiplan, Avalanche, Internet Explorer (purchased/licensed from NSCC), Visio........the list is endless.

    1. Credas Silver badge

      Re: Microsoft -- the Monopoly and Marketing Giant...

      Elsewhere we read that they're putting lots of their development effort into Fluent Design, which isn't going anywhere. Clearly shiny-shiny is more important than functionality.

      1. Dazed and Confused Silver badge

        Re: Microsoft -- the Monopoly and Marketing Giant...

        > Clearly shiny-shiny is more important than functionality.

        Shiny-Shiny is obviously more important than security. Security is really boring and doesn't look sexy in ads.

        1. Anonymous Coward

          Re: Microsoft -- the Monopoly and Marketing Giant...

          > Shiny-Shiny is obviously more important than security. Security is really boring and doesn't look sexy in ads.

          Yeah, that's probably true.

    2. phuzz Silver badge
      Gimp

      Re: Microsoft -- the Monopoly and Marketing Giant...

      "Microsoft is the Monopoly"

      Don't let the Linux fans hear you saying that, or you'll get to hear exactly how many web servers run Linux, and how 2018 is the year of Linux on the desktop etc.

    3. Anonymous Coward

      Re: Microsoft -- the Monopoly and Marketing Giant...

      Mentioning because I just read about it today, but Microsoft licensed Mosaic from Spyglass, who had previously licensed it from NCSA, but they wound up developing their own codebase under the name.

  3. cbars

    Three Stooges

    The error here wasn't destroying perfectly good open source code, the error is the defender program itself. Anti virus isn't the solution. We should go the Mr Burns route and infect our systems with ALL the malware, then none of it will be able to fit through the door!

    https://youtu.be/gmBj8r1-fDo

  4. Anonymous Coward

    That's the trouble with open source

    Any idiot can modify it and recompile.

    1. J. Cook Bronze badge
      Go

      Re: That's the trouble with open source

      Even the Swedish chef.

      bork bork bork.

      (for those that don't get it: https://en.wikipedia.org/wiki/Swedish_Chef)

      1. NickNick
        Joke

        Re: That's the trouble with open source

        Surely the Swedish chef uses open sauce?

        1. msknight Silver badge

          Re: That's the trouble with open source

          Apparently loganberry - on the side - https://www.youtube.com/watch?v=3KtIBPwaRkk

    2. Daggerchild Silver badge
      Mushroom

      Re: That's the trouble with open source

      RAR!! HULK SMASH PUNY STACK!!

      1. asdf Silver badge
        Coffee/keyboard

        Re: That's the trouble with open source

        >RAR!! HULK SMASH PUNY STACK!!

        See icon.

    3. bombastic bob Silver badge
      Facepalm

      Re: That's the trouble with open source

      *facepalm*

      1. TRT Silver badge
    4. 2cent

      Re: That's the trouble with open source

      Microsoft forgot the mantra. Update and patch often.

  5. Mephistro Silver badge
    Devil

    Microsoft is the Anti-Midas of IT

    Every product they touch they turn into shit!

    1. Anonymous Coward

      Re: Microsoft is the Anti-Midas of IT

      That's a little harsh...

      Maybe there's a little group? IBM (points at Notes - just in general not necessarily security. I mean it may have security bugs if anyone cared and were prepared to expose themselves to the horror), Apple with OSX "security patches", Microsoft, Adobe (for everything), Sun (Java), Oracle (unbreakable....).

      Maybe it would be easier to make a list of the Midas companies?

    2. Anonymous Coward

      Re: Microsoft is the Anti-Midas of IT

      That includes the stuff that it acquired along the way.

      Linkedin, Minecraft, Skype etc.

    3. Chris 244
      Holmes

      Re: Microsoft is the Anti-Midas of IT

      Nope, I think the original Midas (a cautionary tale about unbridled greed and unintended consequences) applies perfectly.

  6. FozzyBear Silver badge
    Coffee/keyboard

    Honestly the day Micro$hit makes a product that doesn't suck is the day they start making vacuum cleaners

    1. ST Silver badge
      Devil

      > [ ... ] the day they start making vacuum cleaners

      Microsoft's vacuum cleaner: they can call it Microsoft Enterprise PowerSuck 6000.

      Don't worry, they'll fuck this up too. It will unexpectedly switch from suck to blow with no warning.

      1. hplasm Silver badge
        Devil

        "It will unexpectedly switch from suck to blow with no warning."

        So - Win 10 as normal, then?

      2. FozzyBear Silver badge
        Happy

        Damn, thought you were talking about Exchange Server. My bad.

    2. Milton Silver badge

      Vacuum cleaners

      "... day Micro$hit makes a product that doesn't suck is the day it starts making vacuum cleaners ..."

      Eyewateringly overpriced, overmarketed, shiny, horrible looking, not very good vacuum cleaners?

      Too late, Dyson got that particular halfwitted market segment sewn up years ago.

    3. Captain Scarlet Silver badge

      Correct me if I am wrong, but didn't MS buy an AV company many, many years ago? To me it looks like too much copy and pasting going on.

      1. Anonymous Coward

        The company was literally built on copy and pasting.

      2. John 104

        Yes, it was GIANT AntiVirus. That turned into Defender. Their other security products are based on their own code, I think.

  7. Olivier2553

    To stay at the top

    You do not realize the amount of effort it takes to stay at the top and have a new article day after day.

    Bad news is still news.

  8. Anonymous Coward

    All code is written by offshore idiots to the lowest price

    This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes. It's present on every website you visit.

    Insecure by negligence and stupidity, it's everywhere in your life.

    But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1% so fuck you.

    1. handleoclast Silver badge
      Coat

      Re: All code is written by offshore idiots to the lowest price

      Steady on there.

      I'm an onshore idiot and I charge a fuck of a lot.

    2. Anonymous Coward

      Re: All code is written by offshore idiots to the lowest price

      Even Billy G and Ballmer had standards when it comes to patching software.

      SatNad, since becoming CEO, has lowered the bar to record new lows. He's outsourcing the software testing to the users, especially to those useful idiots called 'Insiders'. That's irresponsible and Microsoft should be sued.

    3. ChrisC
      FAIL

      Re: All code is written by offshore idiots to the lowest price

      "This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes."

      Cobblers. Embedded systems (i.e. pretty much everything you're talking about here) programming is a world apart from desktop/cloud programming - when you know you can't always push out bugfixes to all your existing customers simply by sticking a new binary onto an update server, you do tend to spend far more time making sure the code you do send out the door is as bug free as you can possibly make it.

      "But hey - psychopaths are running the companies that make this stuff"

      No, they really aren't. At least not on the planet the rest of us are living on. Maybe on your world (you know, the one where your post might actually make any sense) things are different...

      1. Anonymous Coward

        Re: All code is written by offshore idiots to the lowest price

        " Embedded systems (i.e. pretty much everything you're talking about here) programming is a world apart from desktop/cloud programming"

        Remind me how secure SCADA code is again. And how many cars have been hacked via on-board systems. And how many medical devices have been hacked.

        You are living in cloud cuckoo land mate. All the code written is shit, insecure and done to the lowest possible cost and quality.

        1. soulrideruk Bronze badge

          Re: All code is written by offshore idiots to the lowest price

          All code, or just the code you choose to hate?

          I'd agree with you if you said every piece of code ever written by anybody was a giant fuck-up and the internet needs deleting.

          Maybe you should be a leader and start by wiping your PC?

    4. wallaby

      Re: All code is written by offshore idiots to the lowest price

      talk about copy and paste

      pasted entire comment from another thread

      https://forums.theregister.co.uk/forum/1/2018/04/05/netus_eeg_vulnerabilities/

  9. Boris the Cockroach Silver badge
    Alert

    Gawd

    help us if m$ start making any changes to open sauce code and then distributing it........

  10. Anonymous Coward

    Always look for the positives...

    I'll get my coat.

  11. Anonymous Coward

    Another day, another Microsoft cockup

    Also, such a misnomer: 'Defender'. More like a 'Trojan Horse' or 'Vector for Attack'.

  12. mark l 2 Silver badge

    Just on a side note, why do people still use RAR archives? I saw a firmware update for download just today that was packaged as a RAR. The majority of OSes have some support for opening ZIP built in, so why use an archive format that requires your end user to download an extra piece of software to open it?

    RAR is a proprietary format as well, so you need to buy WinRAR to create a RAR archive, so surely even 7-Zip would be a better option as that is open-source.

    1. Tom 38 Silver badge

      Standard zip encryption sucks, standard rar encryption is hard to break. File splitting works better in rar than in zip.

      For those reasons, it's the method of choice for certain modes of distributing unlicensed media, meaning it's kind of important that your virus checker can check them.

      1. J27

        I hate to burst your bubble, but if you use GPU-accelerated cracking, then RAR passwords are worthless too. Although I will admit, not as worthless as ZIP passwords, which have been a trivial crack for years.

      2. mark l 2 Silver badge

        Perhaps in some special circumstances RAR might be a better choice, but I see unencrypted single-file RAR archives downloadable all the time when ZIP would work equally well.

    2. CrazyOldCatMan Silver badge

      > so you need to buy WinRAR to create a RAR archive

      Unless you use one of the many open-source (untouched by Microsoft) RAR tools..

      Some of them even work on Windows.

    3. Anonymous Coward

      RAR is ubiquitous, most file archivers open the format

      7z is still one of those 'exotic' archive file formats... it's similar to what Ogg or FLAC is for audio files.

      I still remember the ARJ and ACE file formats.

      You don't need WinRAR to open/decompress RAR files. If you want, you can always use the shareware WinRAR... or there are not-so-legal ways to overcome the restriction. ;)

      There is also no shame in paying Rarlabs for its excellent software.

      Proprietary isn't always necessarily bad... depends on the spirit of the person or company owning the software.

  13. J27

    Unsigned integer values? Even Microsoft's own development documentation recommends not using unsigned integers in Windows applications because of the unforeseen side-effects. It sounds like Microsoft isn't taking their own advice. And retrofitting existing code like that is just a bad idea.
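    A constructed illustration, added here and not code from this thread, the article, or the unrar/Defender sources, of the kind of retrofit J27 objects to: the same remaining-bytes check before and after its integers are made unsigned, plus the form that is actually safe with unsigned values. The function names and the header fields (total, pos, need) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example: three versions of one "is there room for this
 * entry?" check over a header that declares a total byte count, a read
 * position and a needed count. Nothing here is the real unrar or Defender
 * code; it only shows the shape of a signed-to-unsigned retrofit.
 * Each function returns 1 to accept the entry and 0 to reject it. */

/* Version 1: original signed arithmetic. A position past the end gives a
 * negative remainder, which the "< 0" test catches. */
int accept_signed(int total, int pos, int need)
{
    int remaining = total - pos;         /* may go negative */
    if (remaining < 0)                   /* live check */
        return 0;
    return remaining >= need;
}

/* Version 2: the same code with its integers retrofitted to unsigned. The
 * subtraction now wraps to a huge value instead of going negative, so the
 * "< 0" test is dead code (gcc -Wextra warns that it is always false) and
 * the remaining-bytes comparison accepts an out-of-range position. */
int accept_unsigned_naive(unsigned total, unsigned pos, unsigned need)
{
    unsigned remaining = total - pos;    /* wraps, never negative */
    if (remaining < 0)                   /* dead check after the retrofit */
        return 0;
    return remaining >= need;
}

/* Version 3: the check done correctly for unsigned values: compare before
 * subtracting, so the arithmetic can never wrap. */
int accept_unsigned_checked(unsigned total, unsigned pos, unsigned need)
{
    if (pos > total)                     /* replaces the "< 0" test */
        return 0;
    return total - pos >= need;          /* cannot wrap: pos <= total */
}
```

    Compiling version 2 with -Wextra is the cheapest detection: the "comparison is always false" warning marks exactly the check the retrofit silently disabled.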

    1. tekHedd

      "Even Microsoft's own development documentation recommends not using unsigned integers"

      I can't decide whether to upvote this as top-shelf satire, or downvote it as a huge WTF?

      I mean, yes, if your integers are unsigned, anyone can replace them with other integers and you won't be able to tell. On the other hand, integer signing has never been useful as a form of DRM, and can make it more difficult to update the integers if it turns out one requires patching.

      The problem, as ever, is backward compatibility.

      Computers were designed from the start to use integers without cryptographic signatures, so it is not possible for applications to detect whether an integer is signed or unsigned just by looking at it. A program must be compiled with foreknowledge about which integers to check for signing. Signing is a "cool hack" first used in the late 90s as an attempt to prevent piracy, pioneered first by Microsoft, quickly followed by most of the rest of the industry. Applications designed for unsigned integers will run fine on modern operating systems, but if signed integers are used by mistake, this can result in crashing, especially if the numbers involved are modern numbers that can be quite large. This is because cryptographic signing uses a "hack" that takes over the topmost bit, which may be flipped in some circumstances. This confuses older software.

      Microsoft's hacking of the modern RAR program to force the use of outdated "unsigned" integers is an example of how the company has failed to move with the times. This dinosaur's days are limited.
