If at first you, er, make things worse, you're probably Microsoft: Bug patch needed patching

A remote code execution vulnerability in the Windows VBScript engine was left open for exploitation for two months after it was supposedly patched. In fact, the fix made things even worse by introducing another remotely exploitable bug in VBScript. This is all according to researchers at Qihoo 360, who today claimed a …

  1. Waseem Alkurdi Silver badge
    WTF?

    VBScript itself is a problem

    The language is at least 22 years old! It first appeared with Windows NT, and it's still used today, and only God knows what horrible stuff is beneath the surface …

    Time for us to make for only one (JavaScript/ECMAScript) instead of two broken scripting languages?

    1. MJB7 Bronze badge

      Re: VBScript itself is a problem

      Err, 'C' is about twice that (started in 1972, K&R published in 1978), and it's *everywhere*. Fortran is just less than three times as old - first published in 1957 (although less popular than it once was).

      Age is not a good reason to get rid of a language, in fact it's a reason to keep it - we've probably got rid of most of the nasties from the compiler/interpreter, and we know where the dragons live when writing it.

      1. Stevie Silver badge

        Re: Err, 'C' is about twice

        Well Cobol is over 50 and still ticking.

        Works well too, unless you insist on running it on a toy computer, where it invariably is converted into horrible security-bug riddled 'C'* before being compiled.

        This safety is conferred partly because mainframes don't look like Unix usually (which confuses the Young and Hacky) but also because no-one paid attention in the one semester they took of Cobol 101 and so remain terrified of the language - which has NO semi-colons or double equal sign nonsense.

        And if one eschews the hideously dangerous Dynamic Linking philosophy, one is gold.

        Write all important stuff in statically-linked Cobol and only run it on an airgapped mainframe. You know it makes sense.

        * - reportedly.

    2. Anonymous Coward

      Re: VBScript itself is a problem

      > Time for us to make for only one (JavaScript/ECMAScript) instead of two broken scripting languages?

      https://xkcd.com/927/

      You knew that was coming, right?

  2. Coen Dijkgraaf

    Another of their July patches broke a few things

    See Advisory on July 2018 .NET Framework Updates

    It broke things in SharePoint, BizTalk Server Administration Console, IIS with Classic ASP, .NET applications using COM and impersonation.

  3. Anonymous Coward

    Qihoo 360 is Malware, so I guess they'd know all about it...

  4. Avatar of They
    Coffee/keyboard

    Title

    Best Headline pun ever. Love it.

  5. Version 1.0 Silver badge

    VBScript is Virtual Bug Script?

    Yawn ... we've been moving the bugs around for years, they are like Knot-weed, deep roots and they pop up again somewhere else every time you pull off the head. It's not (sic) possible to guarantee that there are no exploits so maybe it's time to revisit the concept of allowing external apps/users/bots to interface in this way with our enterprises.

  6. joecro

    why the hell is that thing still in windows?

  7. Claptrap314 Bronze badge

    Fundamental design

    It is technically correct that "math is hard". That does not mean that you just ignore it. You have to design your systems _from the start_ with security as a primary concern, or you will never get it right. (Flash, you know I'm talking about you. Also, zero-terminated strings...)

    Securing a complex system after the fact is not hard, it is a fool's errand. We dump on M$ with respect to security because they insist on being that fool.

  8. Stevie Silver badge

    Bah!

    Great scansion in the headline. Well done that El Reg Hack.

Biting the hand that feeds IT © 1998–2019