It's April 2018 – and Patch Tuesday shows Windows security is still foiled by fiendish fonts

Microsoft has released the April edition of its monthly security update, this time addressing a total of 63 CVE-listed vulnerabilities. This month's update includes critical fixes for the usual suspects: Windows, Edge, Internet Explorer, and Office, as well as one flaw Redmond previously fixed with an unscheduled update. You …

  1. Just A Quick Comment

    Time to really say goodbye to flash?

    If you haven't surely it's time to remove Flash from your system, if you can. OK so some old programs may still use it, but it's just a security liability these days, and these programs should be retired as well, or at least updated/re-written not to include Flash.

    ...and as for Microsoft saying Edge is secure - well, patch after patch after patch suggests otherwise...

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to really say goodbye to flash? Too right!

      Tell that to BTGroup - BTWholesale. The BTWholesale Speedchecker lives on the shitfest Adobe Flash to report diagnostic data from 10 million customers. Weasels Ofcom just accept it.

      1. My-Handle

        Re: Time to really say goodbye to flash? Too right!

        I actually went over this during my dealings with BT a year or so ago. Phoned up to complain about the erratic connection and the shite speed (0.5mbps) and they directed me to their flash-based speed checker. Wouldn't accept any other result to start with, until I said that Google and Mozilla had removed flash from their respective browsers and their speed checker would no longer work on any modern machine. Technically bollocks, as you can get flash to work if you really want, but it was enough to make the support droid cave.

    2. IceC0ld

      Re: Time to really say goodbye to flash?

      ...and as for Microsoft saying Edge is secure - well, patch after patch after patch suggests otherwise...

      =====

      March - NOW it's secure .................. oops

      April - NOW it's secure .................... oops

      May - NOW it's secure ...........................

    3. Anonymous Coward
      Anonymous Coward

      Re: Time to really say goodbye to flash?

      I can tell you why I'm forced to install Flash:

      * VMWare 6 vSphere

      * Company mandatory training material

      I'm afraid I could find a solution for the first issue, but not the second...

      1. I am the liquor

        Re: * Company mandatory training material

        I bet that includes the mandatory IT security training, that tells you to be careful when browsing the web, doesn't it.

        1. Anonymous Coward
          Devil

          Re: * Company mandatory training material

          I would like to be able to answer you, if I could remember mandatory training stuff beyond five minutes after having taken the final test.

          Jokes aside, most of them are designed in ways that exercise just your short-term memory, and put more emphasis on useless details than on real, useful information - often by design, I'm afraid.

          And yes, there was IT security training as well, and what is worse, that requires Flash to be installed company wide, even by users who don't know how to enable/disable it as needed.

          I never understood why the consultants who create that stuff love stupid animations and other effects that just get in the way. The worst offender was one that displayed text line by line in a slow teletype way.

          1. Mark 85

            Re: * Company mandatory training material

            I never understood why the consultants who create that stuff love stupid animations and other effects that just get in the way.

            They know, or think they know, their audience. For run of the pack corporate groups, they're probably on target. For tech types, nope... nowhere close, and those who prepare the training materials aren't techs either but are pulled from the first group. And then there's the "latest in training tech" marketing to be considered.

            The worst offender was one that displayed text line by line in a slow teletype way.

            They expect that's the way most people read... see above about who produces the crap.

    4. Anonymous Coward
      Anonymous Coward

      Re: Time to really say goodbye to flash?

      "and as for Microsoft saying Edge is secure - well, patch after patch after patch suggests otherwise..."

      It's had a significantly lower vulnerability count over time than, say, Chrome or IE.

      1. Anonymous Coward
        Anonymous Coward

        Re: Time to really say goodbye to flash?

        "It's had a significantly lower vulnerability count over time than, say, Chrome..."

        Wrong - Chrome has had slightly fewer vulns on average per year since release than Edge. They have also had a lower average severity.

        "... or IE."

        Using IE as a comparison point doesn't really say much.

    5. arctic_haze

      Re: Time to really say goodbye to flash?

      The time was something like two years ago. And I'm quite serious.

      If you really need Flash for some applications, enable it only for the right domains.

  2. JeffyPoooh
    Pint

    "addressing 63 vulnerabilities"

    You walk past an enormous haystack. You look at it briefly and can see 25 needles. Can you estimate the total number of needles in the enormous haystack?

    A month later, you walk past the very same enormous haystack. You look at it briefly and this time you can see 63 needles. Is it reasonable to conclude that the gorfdamn needles are reproducing in the enormous haystack?

    1. Chronos
      Coat

      Re: "addressing 63 vulnerabilities"

      A month later, you walk past the very same enormous haystack. You look at it briefly and this time you can see 63 needles. Is it reasonable to conclude that the gorfdamn needles are reproducing in the enormous haystack?

      No, but I think this particular haystack could do with a bit of counselling. I think it has a drug problem.

  3. david 12 Silver badge

    VBscript is part of office? Was it traced back to Open Source?

    Apparently, VBscript is part of Office. Presumably, that would be the Internet Information Server part of MS Office. Perhaps the part that is open source? Like the "remote code flaw in Windows Defender that was traced back to an open-source archiving tool"?

    Or perhaps VBscript is part of Windows, and the remote code flaw in Windows Defender was traced back to a MS fork of an archiving tool.

    1. Anonymous Coward
      Anonymous Coward

      Re: VBscript is part of office? Was it traced back to Open Source?

      "Apparently, VBscript is part of Office"

      No

      " that would be the Internet Information Server part of MS Office"

      No, that's not part of Office either.

      "Or perhaps VBscript is part of Windows"

      Yes.

  4. Anonymous Coward
    Anonymous Coward

    Bug bountiful

    Has anyone checked whether Flash developers are introducing new bugs as old ones are discovered and closed? It just seems very unlikely that such a small piece of software can have been originally built with quite so many flaws.

    1. Richard 12 Silver badge

      Re: Bug bountiful

      Large parts of Flash were insecure by design. It was a happier time, when everything and everyone on the Internet was sunshine and flowers*.

      Then they started trying to bolt on protection so a malicious Flash file couldn't steal your data and set fire to your living room.

      Unsurprisingly, trying to cage a wild beast is difficult, and it can still escape to eat your homework.

      * hahahahahhaaa

  5. steviebuk Silver badge

    Still impresses me...

    ...that someone can hack a machine using just a font.

    1. Anonymous Coward
      Anonymous Coward

      Re: Still impresses me...

      I was looking just yesterday how much an OpenType font can accomplish for complex scripts (i.e. medieval ones) enabling automatic glyph substitution, for example, for ligatures and other specific needs. They are really not a simple table of glyphs anymore.

      So, I'm not surprised nor impressed, they are actually a kind of small application which implements specific glyph selection and rendering, which unluckily, runs in privileged levels.

    2. GIRZiM

      Re: Still impresses me...

      And this is why I have blocked all fonts for the last fifteen years.

      I'm a bit concerned by the words " in some cases by simply putting the font on a web page viewed by the target" though. That has shades of 'Conficker', whereby disabling Autoplay didn't help because the mere fact of a call to Autoplay having been made by the insertion of a CD/DVD/USB was enough to compromise the system.

      1. Anonymous Coward
        Anonymous Coward

        "And this is why I have blocked all fonts for the last fifteen years."

        This is something that should be available directly into browsers, because it's a clear attack vector.

        Only approved sites should be able to use custom fonts - untrusted ones should have any custom font replaced with the standard serif/sans serif/monospace one.

        Then there's the issue of documents with embedded fonts. Again, these should be flagged, and there should be an option to open them with the font(s) replaced.

        1. Bill2357

          Re: "This is something that should be available directly into browsers..."

          Often it is, but not obvious.

          Example: FF, try these...

          Tools, Options, General, Font & Colors, Advanced and uncheck "Allow pages to choose their own fonts."

          Or

          Open about:config then set "gfx.downloadable_fonts.enabled" to false.

          Others have that buried somewhere too. Just web search "disable fonts <browser name>".

          1. Anonymous Coward
            Anonymous Coward

            "Tools, Options, General, Font & Colors, Advanced and Uncheck "

            But that's a global setting - I'm OK if a trusted site is displayed with a better, well designed typographical layout - it can improve readability.

            NoScript can block fonts, and let you allow them on trusted sites - I'd like something alike.

    3. phuzz Silver badge
      Trollface

      Re: Still impresses me...

      We should get rid of all fonts in Windows and render everything as Comic Sans.

      1. Mark 85

        Re: Still impresses me...

        Comic Sans? I think Sanskrit would be a good choice also.

  6. peterm3
    Windows

    here until the bitter end

    I can see Flash being used up until the bitter end, and beyond. Perhaps when we refresh to Windows 10 once Windows 7 is out of support, Flash will then be history.

    Perhaps make it easier to lock down Flash to only work on an intranet site - I think Chrome can do this.

  7. DJV Silver badge
    Thumb Down

    KB2952664

    Uh oh. They are also offering the above crock of shite yet again. Previously, this has been part of GWX (though they've been stating for a while now that there's no GWX functionality in it any more). However, that patch has been proven to bork computers in the past, see:

    https://borncity.com/win/2018/02/09/windows-7-8-1-updates-kb2952664-kb2976978-02-08-2018/

    YMMV

    1. paulf
      Big Brother

      Re: KB2952664

      I'm glad someone else spotted this. I did and GWX in the description rang alarm bells so I blocked it. I then found I had to install Feb+March patches manually as WU had stopped picking up auto updates - whether it's related to this update (and me blocking it) or not is another matter but I was able to install the Feb+March roll ups (plus associated out of band patches) without issue and Win 7 (x64) has now got the April roll up patch.

      1. paulf
        Mushroom

        Re: KB2952664

        PS - I've just checked and note that KB2952664 has oddly re-enabled itself despite me blocking it two weeks ago. If this has got nothing to do with GWX it's acting damned suspiciously like GWX did so nuke it from orbit - it's the only option.

        1. Updraft102

          Re: KB2952664

          When you hide or uncheck (deselect) any given update, you're only hiding that specific version of that update. If MS releases a new version of any given update, it is treated as a new update that you've never seen before, so even if the previous version was deselected and hidden, the new one is shown and selected (if that is the default option for the update in question) once again. This is not unique to KB2952664, but it's probably one of the few that gets rejected often enough to catch people's attention.
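The behaviour described in the comment above can be seen directly through the Windows Update Agent COM API, which exposes both the stable UpdateID and the RevisionNumber that changes when Microsoft re-releases an update. The script below is an added example, not code from the commenter or from Microsoft: it finds every offered revision of a KB, prints those identity fields, and hides any revision not already hidden. It assumes an elevated PowerShell prompt on a Windows 7/8.1 client with the standard Windows Update Agent; the KB number is the one discussed in this thread.

```powershell
# Added example: hide every currently offered revision of a given KB via the
# Windows Update Agent COM API and show why a hidden update can come back.
# Run elevated. The default KB number is the one discussed in the thread.
param(
    [string]$KbNumber = "2952664"
)

$session  = New-Object -ComObject "Microsoft.Update.Session"
$searcher = $session.CreateUpdateSearcher()

# Everything offered and not yet installed, whether hidden or not.
$result = $searcher.Search("IsInstalled=0")

$found = @()
foreach ($update in $result.Updates) {
    # KBArticleIDs is a string collection; an update can carry several KB ids.
    $kbs = @($update.KBArticleIDs)
    if ($kbs -contains $KbNumber) {
        $found += $update
    }
}

if ($found.Count -eq 0) {
    Write-Output "KB$KbNumber is not currently offered to this machine."
    return
}

foreach ($update in $found) {
    # UpdateID stays constant across re-releases; RevisionNumber does not.
    # Hiding applies to one (UpdateID, RevisionNumber) pair, which is why a
    # re-released revision shows up again as if it had never been hidden.
    Write-Output ("{0}`n  UpdateID: {1}  Revision: {2}  Hidden: {3}" -f `
        $update.Title, $update.Identity.UpdateID,
        $update.Identity.RevisionNumber, $update.IsHidden)

    if (-not $update.IsHidden) {
        $update.IsHidden = $true
        Write-Output "  -> hidden"
    }
}
```

Re-running the script after the next Patch Tuesday is the practical check: if the same UpdateID appears with a higher RevisionNumber and Hidden set to False, the update was re-released rather than "un-hiding itself", and it needs hiding again.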

          1. DJV Silver badge

            @Updraft102

            Yeah, the Silverlight "updates" are notorious for that. They seem to come along like buses - 3 or 4 at a time, each of which needs hiding/clobbering before the nag goes away.

        2. DJV Silver badge

          @paulf

          "KB2952664 has oddly re-enabled itself"

          Ah, so MS have now upgraded it from a "plain patch" to "undead zombie patch" that, no doubt, staggers around groaning, "telemetreez, telemetreez!"

    2. Mark 85

      Re: KB2952664

      I too noted this but didn't really think about it until I saw your post. So now the paranoid in me is wondering if MS is starting to set up for Win7 EOL and an auto switch over to Win10? From one time payment (Win 7) to a lifetime of payments (Win10)?

      Apologies if I'm over thinking this but they've BS'd us before repeatedly.

  8. Terry 6 Silver badge

    I don't want to be in the Microsoft Haters group but...

    It seems that month by month there is nothing that Microsoft does that doesn't make me even more fed up by their failures. In all the various versions of Windows they haven't found a way to keep resources ( fonts, images etc) separated from and behaving in ways that can interfere with functional components.

    1. phuzz Silver badge

      Re: I don't want to be in the Microsoft Haters group but...

      Show me an OS that doesn't have regular security updates and I'll show you a really insecure OS.

      (Apple patched a character rendering bug in iOS and OSX last month as well)

  9. Anonymous Coward
    Anonymous Coward

    I've got to say I really like Flash...

    It's the only technology that gives you a consistent UI experience across all devices, big or small, except iPhones and who uses them anyway?

    Adobe should be congratulated on making the web more open and accessible to all, except iPhones, and who uses them anyway? Apart from FTP, I can't think of a single other open and audited protocol that works well in every browser, on every computer, across all social classes. I'd be willing to hear your suggestions, but I think you'll be hard pressed to refute my argument.

    Flash is diversity at its best. We should salute it. I've actually installed it twice on my iMac, once for each screen and a spare, to signal that I am a Flash champion.

  10. vtcodger Silver badge

    I'm getting stupider as I age. And maybe I didn't start off from all that much intellectual altitude. But can someone 'splain to me why a video player HAS to be a bundle of security bugs? Is it possible to write a player that can play most or all non-malicious Flash material and is relatively safe to use? They could call it FAIL or FLUNK.

    1. ThomH

      By being a scriptable interactive vector animation package that stumbles unwittingly into being the de facto video player, then gets sucked into Adobe's orbit and is dragged kicking and screaming into being a full application platform.

      So, a bluffer's guide to being Flash: get famous for some late tacked-on feature you didn't think was all that major, then try to distort yourself into something else again.

  11. IsJustabloke
    Facepalm

    FFS...

    "Those of us who lived through Duqu always shudder a bit when we see font-related bugs, and these have me downright shivering,"

    Yeah man... I lost 7 good friends, 2 of them sacrificed themselves for the rest of them. I still have nightmares man!

    What a knob jockey.

  12. Danny 2

    Dead Songwriters Fonts

    Someone's just released fonts based on the handwriting of dead songwriters: https://www.songwritersfonts.com/

    So now you can choose how you want your device to die:

    Heart attack - Serge Gainsbourg;

    Assassin - John Lennon;

    Suicide - Kurt Cobain;

    Cancer - David Bowie.

    I chose Leonard Cohen because I want it dying of old age but still working happily if slowly to the end.

  13. Anonymous Coward
    Anonymous Coward

    Flash!

    Crash!

    A-aaaaaaah!

    Saviour of the universe!

    Dispatch war rocket Ajax to render its body!

  14. Bill2357
    Meh

    Many governments still use Flash

    And won't update the sites because no budget to do so.

    One example is https://radar.weather.gov/ Go to any radar and click any "loop."

    Note that FF allows Flash to Always Ask before Running. It's under Tools/Add-ons/Plugins. I've been doing this for many years.

  15. Anonymous Coward
    Anonymous Coward

    If you're using 2008 R2 your NICs may disappear AGAIN

    Unless you manually apply KB4099950, as at least as of earlier it wasn't getting applied before the borked March 2018 roll-up that it is supposed to fix.

    So instead of unpublishing the bad roll-up and issuing one that works, they pushed a hack that fails to install on either WSUS or WU on the bugged machines. Two months in a row.

    Clearly dissolving the Trustworthy Computing Team is still working out beautifully. And now I have to explain to my boss, and his boss, that we flunked a PCI compliance scan because we had to do our own regression testing before deploying the updates to our live environment.
