Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about

Microsoft has emitted more than 100 fixes in its March batch of security updates. The Patch Tuesday release includes 115-CVE listed flaws, including 26 classified as critical security risks. None of the flaws have previously been disclosed or exploited in the wild. One particularly nasty remote-code execution hole revealed …

  1. Phil Kingston

    >offerings from the multimedia giant are all free of major security flaws this month

    Some way to go yet

    1. simonlb Silver badge

      Or they've already been hacked and someone has stolen them!

    2. RM Myers

      Flash Has An Update Now

      Obviously, Adobe was just late getting the update out. No one seriously thought they could go a month without at least one Flash security flaw. Did you? Did you? Shame! Shame!

  2. kmedcalf

    God damnit!

    Who released the exploit for the SMBv3 vulnerability that Microsoft wrote into Windows at the behest of the Three Letter Agencies when they had to close the last vulnerability that they wrote into Windows (the SMBv1 remote execution vulnerabilities).

    When they fix this one, what is the next one that they will add?

    Seems that the window between "TLA Sponsored Vulnerability Insertion" and detection and closure is getting shorter though, and that is a good thing!

    1. Anonymous Coward

      Re: God damnit!

      You seriously think the "fix" actually eliminates the hole? If I was writing these security fixes for the agencies then I'd use the fix to move the hole somewhere else each time it's discovered. How long has Microsoft been fixing these holes now? When will the next one be revealed? And the next?

  3. Bronek Kozicki Silver badge

    It seems Flash, Reader, Acrobat, Creative Cloud, and the other offerings ...

    ... are still investigated for bugs, and a very large and/or important set of patches is expected later this month.

    FTFY

    1. DailyLlama

      Re: It seems Flash, Reader, Acrobat, Creative Cloud, and the other offerings ...

      Adobe Flash update 32.0.0.344 released last night...

  4. Terry 6 Silver badge

    Imagine a user...

    Not a programmer. Designing software for a home or business PC.

    There would be an operating system, which tells the computer what to do.

    There would be programmes, which the OS runs to let the users do stuff to data.

    And there would be data, which the user creates or views.

    And all three would be separate. And there would be strict rules about what could be passed down from the data (call that the outer ring) to the programmes and then to the centre (call that the kernel).

    Data would only be allowed to change or address superficial components of the programmes; what to display, what to operate on etc. Stuff that used the programmes' features and nothing else.

    Likewise the programmes would tell the core where to store data files, which (permitted) operations to perform with it and nothing else.

    And the OS would perform the operations that it is permitted to, with the programmes. And nothing else.

    That's how users imagine these things work.

    Then programmers come along and spoil it.

    1. David Nash

      Re: Imagine a user...

      Users are not normally aware of the OS as a separate thing.

      It's just "the computer", "my stuff", and "the internet". And the second two are overlapping.

      1. Anonymous Coward

        Re: Imagine a user...

        It's not "the computer". To some users it's "the hard disk".

        1. Terry 6 Silver badge

          Re: Imagine a user...

          To some. And yes, we've all met them. But remember, if you are doing support, formally or just because you're the person who "knows computers" (or probably both) you only meet the users who are having a problem. The ones you never hear from mostly know this stuff.

    2. J.G.Harston Silver badge

      Re: Imagine a user...

      You've got that upside-down. Data doesn't change programs, programs change data.

      1. phuzz Silver badge

        Re: Imagine a user...

        Programs are data.

        1. thondwe

          Re: Imagine a user...

          OS is a program, OS is data, it's all very fractal

          1. Terry 6 Silver badge

            Re: Imagine a user...

            To a user data is the stuff they read and write. Programmes are the things that make, show and change the data, then save it and bring it back.

            Users make and use data.

            Programmers make... programmes, that do things to the data.

            Microsoft and Apple make Windows/macOS that they need to start the computer and make the programmes work.

            And that's how it should be.

            And the point is that from the users' viewpoint the control should run OS to programmes to data. But never the other way round. Access to programmes and OS to make changes/updates should go through a very narrow route and not some random code inserted in a web page.

            It may not be how it is in real life. But it's how the users have every right to expect it to be.

      2. Terry 6 Silver badge

        Re: Imagine a user...

        But it appears that a crafted email (data) can run as a programme and change the way the computer works.

        1. Michael Wojcik Silver badge

          Re: Imagine a user...

          Everyone in IT who didn't already know this should have learned it in the first week of November 1988.

      3. Terry 6 Silver badge

        Re: Imagine a user...

        *1 That's how users imagine these things work.

        *2 And they do know they're using Word and that's in Windows, which is the thing that starts the computer - even if they have no idea what exactly it does. And they know that Windows 10 replaced 7/8. And ditto with what their Macs use.

        They even know what version of Android/iOS they have on their phones, for the most part.

    3. Alan Bourke

      Re: Imagine a user...

      Users have absolutely no idea whatsoever how any of it works.

      1. sw guy

        Re: Imagine a user...

        You are lucky if your users have no idea.

        From what I saw, there are indeed such users. But among others, one can find:

        - Those who assume it is magic ("Oh, you need time to think before acting?")

        - Those who believe they know. <= ALERT Call for trouble

        Note this is not specific to computer science, BTW

    4. 2+2=5 Silver badge

      Re: Imagine a user...

      @Terry6

      Several of the vulnerabilities reported in this article result in "ability to run arbitrary code with the privilege of the user".

      Your system as described wouldn't prevent this.

    5. Brewster's Angle Grinder Silver badge

      Re: Imagine a user...

      It's not deliberate, though. Programmers, being humans, make mistakes and these mistakes are exploited by other, malicious human beings. And most users would agree that "preview" is a useful, time saving feature.

    6. a_yank_lurker Silver badge

      Re: Imagine a user...

      If you are complaining about Bloat's design it has roots in the CP/M/DOS days when there were no hard drives or networks. PCs were completely standalone devices that had exactly 1 user and only 1 user with input either from a keyboard or a file on a floppy. Output was often printed. There were many design decisions that made sense in the old days but have consequences when computers are networked together and it is possible for code from different 'users' to be running simultaneously on the box.

      The saving grace of Linux and BSD is they are Unix derived/based. Since Unix was designed for a multiuser environment there were design decisions made that make it more secure.

      Back to the bugs at hand, it is unclear which ones are due to ancient design decisions (probably none) and which ones are due to bad code (probably all). Buffer overruns are a programming problem.

  5. J. Cook Silver badge

    At least M$ decided to not change the settings for LDAP Channel binding and LDAP signing, which would have definitely been a 'hair on fire' emergency on the scale (or worse) of the infamous CredSSP Encryption oracle fix.

    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

    Apparently, enough large companies complained loudly enough to their TAMs and other high-ups within Microsoft, so while it's still good security practice, they decided to not break stuff with this patch update. Either that, or someone in the update chain is learning that Breaking Stuff In the Name of Security is not necessarily a good thing.
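An added example (not from the article or any commenter) of the check an admin would run before the ADV190023 change is ever enforced: it reads the two registry values the advisory describes on a domain controller and lists the Directory Service events that report clients still binding without signing. It assumes an elevated PowerShell session on the DC; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example: audit a DC's LDAP signing / channel binding posture (ADV190023)
# and surface the clients that would break if enforcement were switched on.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# LDAPServerIntegrity:       1 = None, 2 = Require signing (absent value = not required).
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
$integrity = (Get-ItemProperty -Path $params -Name LDAPServerIntegrity `
              -ErrorAction SilentlyContinue).LDAPServerIntegrity
$binding   = (Get-ItemProperty -Path $params -Name LdapEnforceChannelBinding `
              -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

[pscustomobject]@{
    LDAPServerIntegrity       = if ($null -eq $integrity) { 'not set (signing not required)' } else { $integrity }
    LdapEnforceChannelBinding = if ($null -eq $binding)   { 'not set (OS default)' }           else { $binding }
} | Format-List

# Event 2887 is the 24-hourly count of unsigned/simple binds; event 2889 names each
# client, but is only written when the NTDS diagnostics value
# '16 LDAP Interface Events' is set to 2. Without 2889 entries you only know
# *that* clients are exposed, not *which* ones, so check both.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            # Keep the leading lines of the message, which carry the count (2887)
            # or the client address and identity (2889).
            Detail  = (($_.Message -split "`r?`n") | Select-Object -First 4) -join ' | '
        }
    } | Format-Table -AutoSize -Wrap
```

If the second query returns nothing, confirm the diagnostics level before concluding that no client is affected; an empty result with logging off proves nothing.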


Biting the hand that feeds IT © 1998–2020