News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
  • Microsoft Security Response Center: The biggest malware threat comes from zero-days; delayed patches, not so much

    Posted on February 8th, 2019 at 10:04 woody Comment on the AskWoody Lounge

    Of course your greatest security threat lies between the ears and in the twitching clicking fingers of people at the console. That hasn’t changed, and likely never will.

    What’s startling to me, though, is that numbers from Microsoft now confirm that waiting 30 days to install those monthly patches realistically doesn’t put you at greater risk for getting clobbered by a cretin.

    Computerworld Woody on Windows.

    Thx, Susan!

  • Exchange Server elevation of privilege bug acknowledged

    Posted on February 6th, 2019 at 12:04 woody Comment on the AskWoody Lounge

    Remember the 0day exploit in Microsoft Exchange that we talked about two weeks ago?

    As I suspected, your Exchange Server is only vulnerable to a man-in-the-middle attack. It isn’t an all-purpose attack: The miscreant has to be able to sit in the middle of an interaction with the Server.

    Microsoft finally has an explanation in ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability.

    A planned update is in development. If you determine that your system is at high risk, then you should evaluate the proposed workaround.

    The workaround is a one-line PowerShell script that @b talked about last week.
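    For those who want to see what that workaround actually does, here is the ADV190007 mitigation as I recall it, run from the Exchange Management Shell, plus a verification step that is my own addition and not part of Microsoft's advisory or the original post. The attack path goes through an EWS push subscription that makes Exchange connect out to a host of the attacker's choosing, so the mitigation simply stops anyone from creating EWS subscriptions. The policy name is arbitrary; NoEWSSubscription is the one I believe the advisory uses.

```powershell
# Added example, not the post's own script. Run in the Exchange Management
# Shell on the Exchange server, as an Exchange organization administrator.

# 1. Create an organization-wide throttling policy that allows zero EWS
#    subscriptions. With no subscriptions permitted, the push-subscription
#    request PrivExchange relies on cannot be created.
New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

# 2. Recycle the EWS application pool so the new limit takes effect.
Import-Module WebAdministration
Restart-WebAppPool -Name MSExchangeServicesAppPool

# 3. Verify (my addition): the policy should show scope Organization and
#    EwsMaxSubscriptions 0.
Get-ThrottlingPolicy -Identity NoEWSSubscription |
    Format-List Name, ThrottlingPolicyScope, EwsMaxSubscriptions
```

    The caveat a practitioner wants: this is a blunt instrument. Anything in your shop that legitimately relies on EWS push or pull subscriptions stops receiving them until you remove the policy (Remove-ThrottlingPolicy -Identity NoEWSSubscription) after the real fix is installed.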

  • February missing security patch toll: Two zero-days and counting

    Posted on February 28th, 2017 at 11:28 woody Comment on the AskWoody Lounge

    Good report from Dan Goodin at Ars Technica.

    Google’s Project Zero sticks to its 90-day notification policy, and a second 0day has been revealed, this time apparently involving CSS tokens.

    The details are important. For example, there’s no exploit code available for this second 0day. But the first 0day, involving a gdi32.dll heap boundary, is still at large.

    So is the SMBv3 bug that causes crashes, and may lead to deeper exploits.

    Security patches are scheduled to resume on March 14.

  • Another Windows 0day appears – gdi32.dll heap boundary error

    Posted on February 17th, 2017 at 11:13 woody Comment on the AskWoody Lounge

    As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern.

    Mateusz Jurczyk at Google Project Zero discovered a memory disclosure vulnerability and notified Microsoft on Nov. 17. Project Zero enforces a 90-day disclosure deadline: if the vendor (in this case Microsoft) hasn't fixed the hole by then, the details are published automatically.

    Sure enough, 90 days passed and, on Feb. 14, the timer rang and the full disclosure popped out, including exploit code.

    This isn’t a huge bug. The bad guy has to get access to your computer before it can be exploited. Once logged on to your machine, the interloper can open a bad EMF file and use it to sneak a peek at system memory that isn’t theirs.

    It seems that security bulletin MS16-074 didn’t fix the problem entirely.

    Yuhong Bao (whom I’ve mentioned before, many times) sent a provocative message to the Project Zero folks. He said:

    I wonder if this was supposed to be part of the cancelled February Patch Tuesday.

    Something to ponder over the upcoming three-day US holiday.

  • Update on the ZDI – Internet Explorer 0day post

    Posted on July 24th, 2015 at 11:54 woody Comment on the AskWoody Lounge

    I had a chance to talk with someone who’s close to the effort, and can confirm that my original post — while technically correct, and conforming to HP ZDI’s post — didn’t mention that the existing exploits only involved the mobile version of IE.

    Since I figure about two of you probably use the mobile version of IE, that rates an “Ooops. Nevermind.” kinda-sorta retraction.

    Which you can see now on InfoWorld Tech Watch.

  • Microsoft’s latest Word security hole, KB 2953095, is part of an on-going embarrassment

    Posted on March 25th, 2014 at 21:46 woody Comment on the AskWoody Lounge

    Has everybody forgotten that RTF – the sticking point in the latest zero-day, and dozens of zero-days before it – was invented and controlled by Microsoft?

    InfoWorld Tech Watch.

  • In minimizing zero-days, Microsoft misses the point

    Posted on October 13th, 2011 at 06:32 woody Comment on the AskWoody Lounge

    They may not be numerous, but they’re dangerous.

    InfoWorld Tech Watch.

  • And now for a different kind of 0day

    Posted on January 25th, 2011 at 07:31 woody Comment on the AskWoody Lounge

    Any list of the ten smartest people in the computer biz today would have to include Mark Russinovich.

    With technical street cred stretching from building Windows uber-utility Sysinternals, to discovery of the Sony Rootkit, to defining the Microsoft Technical Fellow position by example, Mark knows tech like you know your coffee cup.

    Add one more achievement to the list. He’s a hell of a good novelist. At least, I couldn’t stop myself scrolling through the posted excerpt from his first novel, Zero Day. (Warning: it reads like an explicit action-adventure novel.)

    Mark says he started working on the novel eight years ago, and it’s taken this long to get through the book-writing maze.

    From the cover:

    An airliner’s controls abruptly fail mid-flight over the Atlantic. An oil tanker runs aground in Japan when its navigational system suddenly stops dead. Hospitals everywhere have to abandon their computer databases when patients die after being administered incorrect dosages of their medicine. In the Midwest, a nuclear power plant nearly becomes the next Chernobyl when its cooling systems malfunction.

    At first, these random computer failures seem like unrelated events. But Jeff Aiken, a former government analyst who quit in disgust after witnessing the gross errors that led up to 9/11, thinks otherwise. Jeff fears a more serious attack targeting the United States computer infrastructure is already under way. And as other menacing computer malfunctions pop up around the world, some with deadly results, he realizes that there isn’t much time if he hopes to prevent an international catastrophe.

    Arabs in league with Al-Qaeda play the villains. They want to “wreak havoc” on the West “in a very cost-efficient way that’s low risk.” Cyber terrorism fits the description, eh?

    Okay, so it’s long on cliches and penny-pinching Al-Qaedites, but the excerpt moves right along. The lead blurb comes from a certain Mr. Gates. You may have heard of him, too.

    Look for Zero Day on store shelves in March. Or you can pre-order a copy through Amazon, Barnes & Noble, or a handful of other bookstores.

    A quick check on the Amazon ordering page reveals that customers who bought Zero Day also bought a copy of the Windows 7 Professional Upgrade. Simple coincidence? I think not.