Hyper-V guest escape, drive-by PDF pwnage, Office holes, SMB flaws – and more now patched

After taking a month off, Microsoft's Patch Tuesday is back – and it's a blockbuster edition. There are 18 bundles of patches covering 140 separate security vulnerabilities. These flaws range from a hypervisor escape in Hyper-V, remote-code execution via PDF and Office files and malicious SMB traffic, to the usual barrage of …

  1. Mark 85 Silver badge

    make sure you install them ASAP before miscreants start exploiting them in the wild:

    Nope.. I'll wait a week in case there's any booby traps in that mess. Meantime, I'll just keep my eyes and ears open to what others find. Hopefully it all works and there's no surprises. Meantime, I'll use the Linux box....

    1. Anonymous Coward

      Microsoft's had an extra month to get things right

      There is a lot riding on these patches, MS has had an extra month to get them right. If any of these cause issues it really doesn't bode much confidence in their new delta patch process.

      1. AMBxx Silver badge
        Trollface

        Godwin's law?

        Perhaps we should have a new version of Godwin's law - the number of posts on a Microsoft news story before Linux is mentioned?

        1. Anonymous Coward

          Re: Godwin's law?

          Given Windows 10 now includes Bash (Unix shell), with more and more Linux features / sub-sets of Linux distributions being attached to Windows sub systems, from the likes of Ubuntu and Suse, not sure why you'd seem somewhat surprised that Linux gets mentioned on "Patch Tuesday" postings.

          Linux is today, a rock solid OS, and if you live in the browser like Firefox/Chrome, most people would be hard pressed to know/notice the underlying OS. I use multiple OSs, Windows 10, Windows 7, Linux Mint 18.1, and macOS Sierra/iOS and quite often of late, it's not until I minimise the browser that I remember I started my work in Linux that morning.

          The hardest thing is remembering where I saved a document, if I was in a rush, so you have to be fairly disciplined in that regard.

    2. TReko
      FAIL

      Followed by Rollback Wednesday

      Yep. Wait a while before installing them. Microsoft seems to be doing little QA or testing on their patches.

      Most of the recent patch Tuesdays in our office have resulted in blue screens, broken stuff and rollbacks.

  2. Captain DaFt

    "and now Redmond has its official patch out, and so sysadmins can get their fix from the horse's mouth."

    Ok, quick poll:

    How many think of that end of the horse when Microsoft is mentioned? []

    The other? []

  3. -tim
    FAIL

    Hello new bot nets

    Put in a Turing-complete rendering tool and it opens up remote exploits. The Uniscribe one could be live in all versions of Windows back to Win 98. Combined with older versions of the OS loading the font cache in Ring 0, and there will be complete and total p0wnage.

    The scary thing is just how much new equipment still gets shipped with WinCE.

  4. DougS Silver badge

    Pretty sad

    That Internet Explorer is apparently Microsoft's most secure browser. I guess they must have thought "rewritten from scratch" means it will be more secure, when in fact you have to rewrite it from scratch with security in mind in everything you do. Apparently they missed that last part.

    1. Hans 1 Silver badge
      Coffee/keyboard

      Re: Pretty sad

      when in fact you have to rewrite it from scratch with security in mind in everything you do. Apparently they missed that last part.

      In fact, they re-wrote Edge in partnership with Adobe, yes, seriously!

      1. patrickstar

        Re: Pretty sad

        Edge is not a rewrite and was not claimed to be. It's more like a re-mix. And a new UI, that's where Adobe was involved.

    2. Anonymous Coward

      Re: Pretty sad

      Frankly, it didn't look like Windows 10's focus was protecting user data from exfiltration...

    3. Anonymous Coward

      Re: Pretty sad

      Show me a mainstream browser that is secure.

      More secure != Secure

  5. Hans 1 Silver badge
    Windows

    It is 2017 and a PDF or Link can 0wn your forest

    cf title

  6. druck Silver badge
    Unhappy

    Reboot, Reboot, Reboot

    Well after installing that lot on my home machines last night, I can expect to spend today at work rebooting all those 3 times too.

    1. JCitizen
      Alert

      Re: Reboot, Reboot, Reboot

      WSUS doesn't work on Windows 10???

      1. druck Silver badge

        Re: Reboot, Reboot, Reboot

        Who said anything about Windows 10? Windows 7 and 8.1 are reboot happy enough.

  7. Jim 68
    FAIL

    '...Secure programming is hard, kids'

    From reading the descriptions of most Windows related vulnerabilities, the developers would only have needed to type, size, bounds and sanity check inbound data. All incoming data, every time. This is hardly news, and is certainly less difficult than the time some suits at a former unnamed employer decided it would be a nifty idea to mix big and little endian app servers in an n-tier SAP environment. "Well, the marketing rep SAID it would work..."

    1. patrickstar

      Re: '...Secure programming is hard, kids'

      s/Windows/software/

      There isn't really any significant difference in the type of vulnerabilities that pop up in comparable (language, environment, etc) stuff written by the various major actors.

      Though often they are not as easy to avoid or spot as you might think, even when the actual fixes are just an added check or two.

  8. Mr.Bill

    just assume it's always vulnerable

    I use a setup where I have two machines - my main machine is Ubuntu and I remote desktop to my Windows 7 machine for Windows-only stuff, so it's semi-seamless between the two. I only use my browsers on the Ubuntu side and try my best to not do any internet access from the Windows side and avoid inserting strange USB sticks, etc, since my Windows work involves a lot of USB debuggers and devices, so I can't just put glue in all the ports. Not that I assume Ubuntu is not vulnerable to anything but odds are much lower, if nothing else than from relative obscurity. I do periodic Windows backups and git source control to a local Linux server, to avoid ransomware.

  9. Milo Tsukroff
    FAIL

    Still living in C++ Wonderland

    Microsoft is still living in the C++ Wonderland, where the code is so hard to figure out that the boss doesn't know what the programmers are doing. That's why programmers love C++. That's why remote execution bugs continue to abound. Simple, straight-forward, fully-tested, well-documented, and secure code? "Pah, that's for the ordinary folks, and we're far above the ordinary!" The old saying still holds: if houses were built like software is written, one woodpecker would destroy all civilization.
