Security warfare is fascinating to watch from the mud huts.
Acknowledgements: Clément Lecigne of Google’s Threat Analysis Group
–CVE-2021-31955, an information disclosure bug in the Windows Kernel
Acknowledgements: Boris Larin (oct0xor) of Kaspersky Lab
–CVE-2021-31956, an elevation of privilege flaw in Windows NTFS
–CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager
Acknowledgements: Jinquan(@jq0904) with DBAPPSecurity Lieying Lab
Yes. The NSA has disclosed hoarded zero-days to Microsoft when they have fallen into the hands of people they did not like. See the Shadow Brokers incident:
> the critical vulnerabilities for four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks
Obviously, the problem with this is that the NSA were unaware their zero-days had fallen into enemy hands until the Shadow Brokers very publicly advertised the fact that they had them.
"The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017, after delaying its regular release of security patches in February 2017. On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time
Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself"
The only one that stands out as being a real concern, but who's willing to bet it requires JS to exploit (or even if not, the attackers prefer to obfuscate it using JS)? Turning off JS by default in IE is probably the single most effective way of preventing these attacks. Even if you don't use IE, it'll greatly reduce the attack surface. I've browsed the shadier parts of the Internet for literally decades this way.
This is one of the notable features missing from Edge.
Modern browsers are not well fit for security and anonymity. Torbrowser is the only one that actually removes tracking data and the wider attack surfaces of modern browser features like webgl. However it's still not 'secure'. You still have plenty of features that come from complex codebases, such as media decoders.
Anecdotally code execution exploits in pure HTML (that don't require JS) are exceedingly rare, so it is unlikely it doesn't use JS.
Turning off the internet. Or your PC entirely is.
Just not visiting most of the Internet is a solid move too, JS or not.
seems pretty bad...
Is there a third party program that finds/installs the Windows 7 updates?
Source code here: https://gitlab.com/wsusoffline/wsusoffline
You are correct, this one wasn't caught organically through Windows Update. I had to install the KB4555449 Servicing Stack update first (https://www.catalog.update.microsoft.com/Search.aspx?q=KB455...), after which I was able to install the patch you linked. Did it on two machines (one freshly formatted, one old) and it took several minutes on each to install (longer than a typical update), and required a reboot after.
To add insult to injury, Microsoft's server refuses to honour the Accept-Encoding header, e.g., setting the value to "identity" has no effect. It returns compressed content no matter what, even when the content size is very small.
sed '/^e/!s/^/url=/'<<eof|curl -K-|gzip -dc|sed 's/",/\"<br>/g;s/\\n//g' > 1.htm
tnftp instead of curl
ftp -4o'|zcat' $(printf "%s\40" $(cat<<eof
))|sed 's/",/\"<br>/g;s/\\n//g' > 1.htm;
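The pipeline above runs gzip -dc unconditionally, which breaks on the day the server does honour Accept-Encoding: identity. An added example (not the commenter's script) that sniffs the gzip magic bytes and only inflates when needed; it assumes POSIX sh with od, gzip, mktemp and curl, and the list-file name is hypothetical:

```shell
#!/bin/sh
# Added example. Decompress the body only when it really is gzip
# (magic bytes 1f 8b); otherwise pass it through unchanged.
inflate_if_gzip() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    # Read the first two bytes as hex, e.g. "1f8b" for gzip.
    magic=$(od -An -tx1 -N2 "$tmp" | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        gzip -dc "$tmp"
    else
        cat "$tmp"
    fi
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Feed a file of plain URLs (one per line, hypothetical name) to curl in
# -K config mode, asking for identity encoding, then normalise whatever
# the server actually sent. Mirrors the commenter's sed|curl|gzip chain.
fetch_normalised() {
    sed 's/^/url=/' "$1" \
        | curl -sS -K - -H 'Accept-Encoding: identity' \
        | inflate_if_gzip
}
```

Usage: fetch_normalised urls.txt > 1.htm, where urls.txt holds one catalog download URL per line.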
There was the bluetooth thing but patches for that were available instantly.
People have different preferences for what they like to work on, but you seem to be implying the weather app engineers are incapable of doing that work. Like they're some kind of lower caste that must be kept away from working on security mitigations for filesystem drivers.
I don't believe there's some category of human that's capable of shipping Windows 10 feature apps, and only that. People can move internally! People can leave and other people can be hired. It's all priorities and task allocation.
The impression I get (and please correct me) is not really that there's an oversupply of news feed app builders on the market, but that the Windows team at Microsoft has been shifting to more user-facing features rather than internal deep kernel work.
I'm pretty sure that a developer that wants to switch can and not many kernel developers would be impacted in total.
Besides, paint and notepad getting a make-over doesn't make a dent of difference for a company at this size.
Also, that weather-widget engineer could do some basic tasks, offloading a more experienced engineer, who would offload an even more experienced engineer, until that chain of offloading makes enough time for the NTFS ninja to hunt down and fix that bug or write a fuzzer that finds new zero-days.
If you use MS, then it's Microsoft's fault; you won't be blamed, because almost everyone was exposed to it and you got hit.
These companies also have an older workforce who are used to Windows, and the switch would be difficult. Yes, I know some older users would be fine, but that is not the majority.
It's similar to the "no one got fired for buying Oracle" situation.
Being Linux-based does not preclude support.
I don’t think it’d be possible to train the React dev in kernel programming unless they had a serious interest in low level stuff to start with.
To quote a comment I read on HN once, "Krebs is a security entertainer, not a security researcher."
There are some technical details that may be abstracted or analogized in less-than-accurate fashion, but I don't recall reading an article or post and thinking "gosh, that's just _wrong_".
Note: This looks like the same issue as above, but it is separate; https://itwire.com/security/krebs-accused-of-doxxing-man-bas...
To his credit, he never claims to be a hands-on researcher who disassembles and analyzes malware himself. I guess that's why I scratch my head when people point to his work as substantial. He has no skin in the game, no hands on technical experience, and just reblogs more technical articles from actual experts. His only real experience is getting personally hacked and hijacked.
Also, to clarify I never questioned his journalistic integrity. I just think he's a mediocre writer. It's his style that I, personally, don't like. One thing he does that I can't wrap my head around is writing about himself in the third person. He uses phrases like "...this author..." in reference to himself. Most authors would not be injecting themselves into a journalistic piece in the first place, but to do it with such bravado is awkward for the reader. Am I supposed to be impressed that you operate a WordPress blog?
Any of it, really.