It's September 2018, and Windows VMs can pwn their host servers by launching an evil app

Admins will again be working overtime as Microsoft and Adobe have posted their monthly scheduled security updates for September. This month's Patch Tuesday bundle includes critical fixes for Windows, SQL Server, and Hyper-V, as well as Flash and ColdFusion. Rude guests and ugly images menace Microsoft In total, Microsoft …

  1. elDog Silver badge

    I'm safe since I still use IE3.0. No one targets me anymore.

    Besides, that makes me a honking old man with no assets. Sort of like Linux in the old days - not enough return on investment.

    1. Jack of Shadows Silver badge

      Re: I'm safe since I still use IE3.0. No one targets me anymore.

      Ditto. I pity the poor id10t that ever thinks that I'm a useful target financially.

  2. bombastic bob Silver badge
    Meh

    round up the usual suspects

    they've all got major vulnerabilities. again. patch patch patch! [and hope Micro-shaft doesn't cram some UI update at you that erases your preferences and/or jams some new UI 'feature' or spyware at you]

    1. TReko
      Happy

      Re: round up the usual suspects

      or a new version of Candy Crush included in the update.

      It is always a gamble for us if the update fixes more than it breaks.

  3. Rob D.
    Thumb Down

    Just downplay it

    CVE-2018-8475 description from Microsoft, "To exploit the vulnerability, an attacker would have to convince a user to download an image file."

    I assume (the vulnerability description doesn't say other than "when Windows does not properly handle specially crafted image files") that simply downloading the file to the file system is not sufficient to cause a problem either. The phrase, "convince the user to view a web page containing a specially crafted image", carries more threat.

    1. DropBear Silver badge

      Re: Just downplay it

      Not necessarily, assuming Windows does its usual thing and happily "views" the image internally as soon as downloaded, for thumbnail and metadata / indexing purposes...

  4. bombastic bob Silver badge
    Unhappy

    CVE-2018-8475

    seems that the details for this are being hidden or something...

    best I can figure, it's a problem in the kernel.

    Ok, Microsoft, *WHY* are image files loaded up (and apparently parsed) within the kernel again?

    I was hoping it was an IE/Edge-only flaw so I could snark all over it.

    1. Anonymous Coward
      Anonymous Coward

      Re: CVE-2018-8475

      There are a lot of 'bang your head against a brick wall' moments when dealing with Microsoft and how they made their Operating Systems work.

      Over the years, they cut corner after corner, applied bodge after bodge etc just to get a small performance improvement and now a lot of those decisions are going to come back and bite them, hard.

      Sadly a lot of the people who made those decisions are still in place inside MS.

      The world moves on but apparently MS does not or in the case of Windows 10, IMHO, goes backwards a long, long way.

      {shrugs shoulders}

      No sense in complaining too loudly about it though, as dealing with their 'stuff' is keeping me in work until the time comes to retire in 2020.

      Posting AC as my PHB reads this site and has no idea that I'm out the door in 15 months time.

    2. Anonymous Coward
      Terminator

      Re: CVE-2018-8475

      > *WHY* are image files loaded up (and apparently parsed) within the kernel again?

      To speed up rendering else there's too much of a performance hit switching from kernel mode to user mode, hence any defect in the code can crash the entire system or lead to a security violation

      1. Archtech Silver badge

        Re: CVE-2018-8475

        True as far as it goes. The more important aspect is that security should NEVER be sacrificed to performance - especially performance on relatively trivial tasks such as displaying images.

        Unless, of course, the buyer specifically asks for a "fast insecure system".

  5. Anonymous Coward
    Anonymous Coward

    Security feature bypass in Device Guard ..

    KB4093111: Windows 10 April 2018 Security Update

    I count thirteen memory violation errors, that's where the majority of security violations reside, in the Memory Management Unit?

    1. Adrian 4 Silver badge

      Re: Security feature bypass in Device Guard ..

      Kind of puts the exploitation of Spectre etc. in proportion, doesn't it ?

  6. Richard 12 Silver badge

    So adblockers are now strictly necessary

    If you run Windows.

    No ifs, buts or maybes. If you are running Windows, you must block all adverts.

    Time to get your domain policies pushing out the adblockers.

    1. Ben Tasker Silver badge

      Re: So adblockers are now strictly necessary

      >you must block all adverts.

      And images. The site you're on might be malicious, and one image is all it takes.

      In fact, to play it safe, find a Windows build of Lynx and be done with it.

      1. Richard 12 Silver badge

        Re: So adblockers are now strictly necessary

        For the most part you can trust that the site itself didn't get hacked, because that gets noticed very quickly.

        Pretty much all of the drive-by attacks come from adverts, because most workplaces already block "dodgy" sites based on a blacklist provided "by others".

        Presumably it wouldn't be too difficult to add all the adslingers to said blacklist.

        Skype was serving up dodgy adverts for a while just last week.

  7. N2 Silver badge
    Trollface

    Microsoft & Adobe

    No surprise there, lather, rinse, repeat ad infinitum

    1. GnuTzu Bronze badge
      Trollface

      Re: Microsoft & Adobe -- Imagine

      Imagine if those two would ever merge. Would the resulting singularity swallow the World?

  8. regadpellagru

    '"Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario," explains Dustin Childs of Trend Micro's Zero Day initiative.'

    Why ? Why is opening an image ever triggering an execution of downloaded code ??

    WHY ? It's bloody insane !

    1. Michael H.F. Wilkinson Silver badge
      Facepalm

      My thoughts exactly. A bitmap image should just be data, and not contain anything executable. Real facepalm moment when I read that.

      1. DropBear Silver badge

        "A bitmap image should just be data, and not contain anything executable."

        That's not how the real world works though. You may well not be supposed to have anything executable inside of a pure data file, but it's not like you can _prevent_ malicious actors from putting some in there; and the thing is, any piece of data needs to be processed by executable code in order to make use of it - and if that code contains just the right kind of bugs, a properly crafted bit of data it was only supposed to process as data can trip it into glitching execution over to that malicious piece of "data". Should we be past this sort of thing in 2018? Definitely. Is it still a thing nonetheless? Hell yes, unfortunately...
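
DropBear's point above, as an added example that is not part of the thread or any commenter's code: a defensive size check on a bitmap header, written in C. It assumes the standard 54-byte BMP header layout and an arbitrary BMP_MAX_DIM dimension limit; naive_pixel_bytes shows the wrapping arithmetic a careless parser might use, and bmp_validate the 64-bit, bounds-checked version that rejects a crafted header before any pixel data is touched.

```c
/* Added example (not from the article or any commenter). Field offsets
 * follow the standard BMP file and info headers; BMP_MAX_DIM is an assumed
 * policy limit chosen for this example. */
#include <stdint.h>
#include <stddef.h>

#define BMP_MAX_DIM 32768u

/* Arithmetic of the kind a buggy parser might use: the 32-bit product
 * wraps, so a crafted header can yield a tiny buffer for a huge image. */
uint32_t naive_pixel_bytes(uint32_t w, uint32_t h, uint32_t bpp) {
    return w * h * (bpp / 8);
}

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* 0 if the pixel data the header describes fits inside the len bytes
 * actually received; any other value names the check that failed. */
int bmp_validate(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 1;
    uint32_t pixel_offset = le32(buf + 10);
    int32_t width = (int32_t)le32(buf + 18);
    int32_t height = (int32_t)le32(buf + 22);   /* negative means top-down */
    uint16_t bpp = (uint16_t)(buf[28] | buf[29] << 8);
    if (width <= 0 || (uint32_t)width > BMP_MAX_DIM) return 2;
    if (height == 0 || height == INT32_MIN) return 2;
    uint64_t rows = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    if (rows > BMP_MAX_DIM) return 2;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 3;
    /* Rows pad to 4 bytes; 64-bit math so the size cannot wrap. */
    uint64_t total = (((uint64_t)width * bpp + 31) / 32) * 4 * rows;
    if (pixel_offset < 54 || pixel_offset > len) return 4;
    if (total > len - pixel_offset) return 5;   /* header promises more than we have */
    return 0;
}

/* Build a constructed 54-byte header from the given fields and validate it
 * as if `received` bytes had arrived; only the header bytes are ever read. */
int bmp_check(uint32_t width, int32_t height, uint16_t bpp,
              uint32_t pixel_offset, size_t received) {
    uint8_t hdr[54] = { 'B', 'M' };           /* remaining bytes zero-filled */
    put32(hdr + 2, (uint32_t)received);
    put32(hdr + 10, pixel_offset);
    put32(hdr + 18, width);
    put32(hdr + 22, (uint32_t)height);
    hdr[28] = (uint8_t)bpp; hdr[29] = (uint8_t)(bpp >> 8);
    return bmp_validate(hdr, received);
}
```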

  9. mark l 2 Silver badge

    "Open the wrong image – even through a web browser – and code executes, making this a browse-and-own scenario,

    Can't seem to find much info on this. I am assuming that this is only going to be a problem if your web browser is IE or Edge, which use Windows' internal image handling, rather than a third party browser that handles image rendering internally? As I would assume that Outlook and the Windows Mail client would use the internal Windows image handling as well, which means you could get owned from an email with an attached image?

    Still this flaw is present in all Windows versions from 7 upwards, probably in XP and Vista too but since those are out of support they won't release details for those versions anyway.

  10. bombastic bob Silver badge
    Alert

    "see i told you so"

    with respect to 'safe surfing' practices, how many times have _I_ been DOWN voted for saying things like this?

    With respect to CVE-2018-8475 at least:

    a) do NOT surf the web logged in with admin or root credentials

    b) do NOT use a Micro-shaft browser

    c) if possible, do NOT surf the web with a MICROSOFT OS

    d) do NOT view mail "as HTML", and especially do NOT preview images 'inline'.

    (see? see? see????)

    e) run 'noscript' or other script blocker BY DEFAULT

    f) never "just open" the attachment to an e-mail [even if you know the sender]

    and so on.

    I ALSO expect that ad servers, image-related blog sites, spam mail with images embedded in them, and even web pages on places like 'deviantart' and 'imgur' and so forth can become VECTORS for the exploit.

    And it's very difficult to get *DETAILS* on this one, meaning it's probably VERY bad, enough that search engines are maybe DELIBERATELY keeping us from [easily] finding those places where it's properly explained... [my 'google fu' is usually pretty good, but not with THIS, not THIS time]

    yeah a little paranoia, and a *BIG* *FAT* "see I told you so" on the SAFE SURFING!!! because, even if they SAY it is patched, what OTHER similar vulnerabilities are STILL THERE waiting to be found???

    [sloppy coding is as sloppy coding does]

    1. tiggity Silver badge

      Re: "see i told you so"

      @bombastic bob

      You neglected to mention routinely web browsing with images turned off (handy for performance as well as security, also v. good to use at work in case a web page pushes an image that could be in violation of work policies on what constitutes an offensive image (plenty of sites scrape legit innocuous content and game search engines to be in the top few results - a click on what seems legit content for a work related query could expose you to adult or other content that could be a workplace disciplinary issue)).

      Only enable images on web sites where you really, really need to see images.

      1. Loyal Commenter Silver badge

        Re: "see i told you so"

        Only enable images on web sites where you really, really need to see images.

        If you really don't want to see any images, just use lynx.

      2. NellyD
        Coat

        Re: "see i told you so"

        > Only enable images on web sites where you really, really need to see images.

        B..b...b...but those types of site are the ones most likely to try and, if you'll pardon the pun, rear end my browser.

      3. Anonymous Coward
        Anonymous Coward

        Re: "see i told you so"

        "Only enable images on web sites where you really, really need to see images."

        Yeah, and only enable fonts when you really need them !

  11. Hans 1 Silver badge
    Windows

    Not again!

    One of the more noteworthy of those bugs is CVE-2018-8475, a remote code flaw that can be triggered simply by viewing an image file in Windows.

    FFS, it is 2018 and windows can be owned by viewing an image file ....

    As Krebs warns:

    According to security firm Ivanti, prior to today bad guys got advance notice about three vulnerabilities in Windows targeted by these patches. (emphasis mine)

    And guess what ? This CVE-2018-8475 beauty is one of them ....
