Roses are red, Windows error screens are blue. It's 2018, and an email can still pwn you

Serious security flaws in Outlook and Edge are headlining a busy Microsoft Patch Tuesday. The Redmond giant has issued the February edition of its monthly security update, addressing a total of 50 CVE-listed vulnerabilities in its products. Adobe has also posted an update for flaws in Reader and Experience Manager. Microsoft, …

  1. JeffyPoooh Silver badge
    Pint

    "...a total of 50 CVE-listed vulnerabilities..."

    Under your chair you will find a pair of boots.

    Outside, you walk past a giant haystack, miles high.

    You examine it and can see 50 needles.

    Estimate how many needles (in total) are in the haystack.

    1. jake Silver badge

      Re: "...a total of 50 CVE-listed vulnerabilities..."

      How many? Why, all of them, of course!

    2. Anonymous Coward

      Re: "...a total of 50 CVE-listed vulnerabilities..."

      I don't need to estimate for I bring my mighty magnet. All hail the power of magnetism,

      1. Tim99 Silver badge
        Windows

        Re: "...a total of 50 CVE-listed vulnerabilities..."

        Mighty magnet? Many of the needles have been in the haystack for years and are still like new, so they are probably made from Austenitic steel (non magnetic).

        1. vtcodger Silver badge

          Re: "...a total of 50 CVE-listed vulnerabilities..."

          And some of the needle people do not wish their needles to be found, so their needles are deliberately crafted from non-magnetic materials. Meanwhile, the needle-finding folk are finding oodles of needles with their magnets and sincerely believe they are making progress against the needle plague.

        2. bombastic bob Silver badge
          Devil

          Re: "...a total of 50 CVE-listed vulnerabilities..."

          "Many of the needles have been in the haystack for years and are still like new, so they are probably made from Austenitic steel (non magnetic)."

          unless you're near the ocean... Austenitic stainless steel has a high susceptibility to certain kinds of chloride pitting corrosion...

          But Outlook and Edge having vulnerabilities... (in the voice of Iago the parrot, as done by Gilbert Gottfried)

          "THAT's a big SURPRIIIIIISE!!!"

      2. Dan 55 Silver badge

        Re: "...a total of 50 CVE-listed vulnerabilities..."

        The mighty magnet is Windows in the middle of the haystack. That's why it's full of needles.

      3. NonSSL-Login

        Re: "...a total of 50 CVE-listed vulnerabilities..."

        Sometimes the haystack just needs to be burnt to the ground and leave the needles in its ashes.

  2. DougS Silver badge

    Adobe didn't release any flash fixes?

    Surely some kind of oversight, there's no chance a month could go by without another bucketful of flash flaws, right? Or did the last person using it finally give up?

  3. Dwarf Silver badge

    Reading this forum brings flashbacks of old text based adventure games.

    It only follows that my response be that security isn’t xyzzy.

    Come on Microsoft, hire some decent developers and perhaps consider putting a QA / Test department into your company, then we won’t laugh at you as much.

    1. onefang Silver badge

      Windows has a QA / Test department, they just outsourced most of the work to the users.

    2. Anonymous Coward

      You awake in a blue room, not just any room but a room with windows; it's broken.

      1. DaveTheForensicAnalyst
        Facepalm

        Strike Bill

        >You strike Bill!

        >Bill's privately funded secret 'charity' Army, hunt you down.

        >You are dead

        >You have mastered 3% of this adventure

  4. Hans 1 Silver badge
    Windows

    FOutlook is still a thing

    What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution.

    He must have been frightened for decades ... Emails with embedded VBS, anyone ? They fixed that over 15 years ago ...

    Outlook, are people still using it??!! :-O

    1. Michael Wojcik Silver badge

      Re: FOutlook is still a thing

      Yes, the Preview Pane has always been a nasty attack vector. Issues with it were being raised back in 2000 on Vuln-Dev, so you're right about "over 15 years ago".

      But many people are stuck with Outlook. It's the required MUA at many corporations that bought into Exchange and aren't inclined to move on.

      1. bombastic bob Silver badge
        Devil

        Re: FOutlook is still a thing

        "many people are stuck with Outlook. It's the required MUA at many corporations that bought into Exchange and aren't inclined to move on"

        a good opportunity for a consulting gig: prove to them why it's costing MORE than hiring you to fix it.

        I can think up a few things that might work, things that include Linux, T-bird e-mail clients, T-bird's calendar, and everything else done with an in-house web server using a simple interface. "Wow, you can share docs using links to files?" etc. (as in right-click the link to the file and get something you can paste into an e-mail)

  5. Steve Jackson

    I take it the Skype bug isn't a thing if you use the app rather than the desktop software?

  6. David Roberts Silver badge
    Windows

    Preview pane?

    I suppose the average punter uses this without much thought, but why would you want to automatically open an email before checking it?

    1. Captain Scarlet Silver badge
      Terminator

      Re: Preview pane?

      I am lazy, anything obviously spam is deleted (StrongBadEmail style, except without the Lappie 486), anything with something work related look in the preview, hit the archive button to make it disappear into a random folder.

    2. bombastic bob Silver badge
      Devil

      Re: Preview pane?

      "why would you want to automatically open an email before checking it"

      an intelligently designed mail reader will allow you to 'preview' a mail rather than open it, and you'll see all of the TEXT content without activating any HTML-related things, embedded content, external content, nor any kind of SCRIPT.

      An unintelligently designed (in need of some real world natural selection) mail reader will display (in the preview) all attached and "rich" content, via the program assigned to EDIT it if it's external to the mail program. You know, like Outlook. This would include things known to have had major problems and vulnerabilities in the past, like MS Office documents, PDF files, Flash, and even certain kinds of images and media (other than flash).

      In Thunderbird, use 'View' 'Message body as' 'plain text' to BLOCK that crap. It's not the default setting. But it SHOULD be.

      other mail readers, YMMV but preview as plain text ONLY to avoid problems. And no inline images in the preview. And no downloaded content in the preview.

      /me points out that a faked-up URL in a phishing e-mail will show up as the ACTUAL link (not what they WANT you to think it is) in a plain-text e-mail. So instead of seeing "yourbank.com" and being fooled into clicking on it, it's "malware.phishing.site/alphabetsoup/whatever/clone-of-your-bank" and rather obviously malicious.
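The point in the last paragraph, that an HTML mail can show one address as link text while the href points somewhere else and that a plain-text view exposes the real target, can be checked mechanically. The following is an added example written for this page, not code from the commenter or from any mail client: it builds a constructed multipart/alternative message (the hostnames `example-bank.test` and `example-phish.test` are made-up placeholders), walks every `<a>` in the HTML part, and flags anchors whose visible text looks like a URL on a different host than the href, alongside the plain-text part where the real URL is written out.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


def build_sample_message() -> EmailMessage:
    """Constructed sample: HTML link text claims to be the bank, the href does not.
    Hostnames are placeholders, not real sites."""
    msg = EmailMessage()
    msg["From"] = "alerts@example-bank.test"
    msg["To"] = "someone@example.test"
    msg["Subject"] = "Verify your account"
    # Plain-text alternative: the actual target URL is visible as written.
    msg.set_content(
        "Please verify at https://login.example-phish.test/verify/clone-of-your-bank\n"
    )
    # HTML alternative: the anchor text shows the bank, the href goes elsewhere.
    msg.add_alternative(
        '<html><body><p>Please verify at '
        '<a href="https://login.example-phish.test/verify/clone-of-your-bank">'
        'https://www.example-bank.test/verify</a></p></body></html>',
        subtype="html",
    )
    return msg


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str):
    """Hostname of a URL; bare hostnames in link text get a scheme so urlparse sees a netloc."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname


def find_deceptive_links(raw_message: bytes) -> list:
    """Return (href, text) pairs where the link text looks like a URL or hostname
    whose host differs from the host the href actually points at."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    parser = AnchorCollector()
    parser.feed(html_part.get_content())
    deceptive = []
    for href, text in parser.anchors:
        text_host = _host(text) if text else None
        # Only treat text as a claimed destination if it contains a dotted host.
        if text_host and "." in text_host and text_host != _host(href):
            deceptive.append((href, text))
    return deceptive


def plain_text_view(raw_message: bytes) -> str:
    """What a 'message body as plain text' setting would render: the text/plain part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


if __name__ == "__main__":
    raw = build_sample_message().as_bytes()
    for href, text in find_deceptive_links(raw):
        print(f"link text {text!r} but href -> {href}")
    print("plain-text view:\n" + plain_text_view(raw))
```

The check deliberately ignores anchors whose text is not URL-like ("click here"), since those carry no claimed destination to compare against; the plain-text part, by contrast, needs no parsing at all, which is the commenter's point.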

  7. anthonyhegedus Silver badge

    These people are ridiculous. They need to stop trying to bring out new versions of Windows 10 every six months (and stop giving them all the same name - "Creators Update") and concentrate on making existing stuff work.

    1. onefang Silver badge

      Eventually they'll update their creators enough, that the creators will come up with a new name.

  8. J J Carter Silver badge
    Windows

    Yep, evergreen here

    Upgraded the servers and clients yesterday, no problems.

  9. Anonymous Coward

    How many errors are C++ related?

    I would like to comment, I suspect that most of these errors are C++ related. Code should not be able to read "out of bounds" unless it's a really dodgy language ... difficult to debug ... and definitely used for job security.

    (Posting anonymously because, really, the continuing waterfall of C++ and such like bugs gives meself job security.)

    1. bombastic bob Silver badge
      WTF?

      Re: How many errors are C++ related?

      "I suspect that most of these error are C++ related"

      What? The? FORNICATE???

      (are you advocating C-POUND as a solution? I hope not!)

      FYI - a properly written C++ program with well-designed objects will manage itself very well. If it was designed by an idiot [and I've been tasked to clean THAT kind of stuff up, before] then you might consider re-writing it. But NEVER with C-POUND. That would be WORSE...

      I would re-phrase that as "lack of programmer discipline/competence". Bad code is bad code, in ANY coding lingo.

      1. Anonymous Coward

        Re: How many errors are C++ related?

        What language is C-POUND? Do you mean C#, which is pronounced "C-sharp" and doesn't even have a pound symbol in it?

        1. jake Silver badge

          Re: How many errors are C++ related?

          YHBT, HAND.

  10. earl grey Silver badge
    Gimp

    More likely you're dying of dysentery

    your mother is a robot.

  11. Anonymous Coward

    "Adobe Experience Manager"

    Experience more security issues today! Also comes with a workflow designed for people who like to punish themselves.

Biting the hand that feeds IT © 1998–2019