When is a fix not a fix? Google’s James Forshaw says MS’s CVE-2018-0826 fix is only half the story
Let the mud slinging continue!
This month’s patches for Windows 10 include a fix for the bug described as CVE-2018-0826. Microsoft claims that it plugged the security hole. Google Project Zero engineer James Forshaw claims that MS only got half of the problem. Forshaw should know — he’s the one who originally reported the vulnerability.
Microsoft was notified but didn’t pick up the other half of the bug. In Project Zero’s typically terse chronological outline:
> 2018-02-13 – MSRC [which is to say, Microsoft] issues public fix.
> 2018-02-18 – Analysis of patch indicates 1427 [the first vulnerability] is fixed but 1428 [the second] is not. MSRC sent an email indicating that the issue will become public on Feb 20th at 10am PST.
> 2018-02-20 – Issue 1428 opened in issue tracker.

The security holes give rise to a “privilege escalation” attack, which means the bad guys have to be running a program on your PC already, before the security holes can be exploited.
Catalin Cimpanu at BleepingComputer has the details.
Looks like Win7 and 8.1 are OK, but all Win10 machines will need yet another patch. No idea when it’ll appear.
Keepin’ you safe, one half-patch at a time.