Google discloses actively exploited Win vulnerability

    #24335

    Many of you have asked for my opinion about the “Google endangers us all as an act of hubris” articles making their way around the web. Emil Protalins
    [See the full post at: Google discloses actively exploited Win vulnerability]

    • #24336

      Another way Windows 10 is more secure than Windows 7?

    • #24337

      Not clear, at least to me. Looks like the problem is with win32k.sys – and only Edge somehow avoids it.

    • #24338

      I had a flash update this morning in Win8.1 WU

    • #24339

      If you’re using Windows 10 Anniversary Update and the Edge browser, then according to MS you’re “safe”.

      Let’s do some quick ballpark estimates of the “safe universe” … they’re ballpark because my memory on where to find these references is fuzzy but I believe the numbers are close to reality:

      – Recent reports put Windows 10 users at approximately 23% of the Windows universe

      – Another recent report said AU installs are now at about 66% of all Windows 10 installs following a dramatic increase in the update roll-out

      – Less than 25% of Windows 10 users currently use Edge as their primary browser

      So combining these figures, less than 4% of all current windows users (.23 x .66 x .25 = 0.3795) are actually considered “safe” from this exploit.

      If anyone has more accurate, up-to-date figures for this analysis, please correct my math.

      Regardless, this is one security hole that needs to be patched and quickly, whether or not you care for how the parties involved handled the situation.

    • #24340

      Correct on all counts.

    • #24341

      Am I right when I say that Windows 7 with no Flash Player on system = safe?

    • #24342

      Whether or not 10 is more secure than 7 I feel is currently irrelevant. As long as 7 is still being patched it doesn’t matter who is more secure. Once support ends then 10 in my eyes will be more secure.

    • #24343

      Funny. I didn’t get any flash update myself except the one released last Thursday. But I did see a telemetry patch. It’s KB2976978.
      No 7 counterpart as far as I can see.

    • #24344

      Except that Chrome on 1607 is also safe (as Woody noted in post 1) which jumps it from about 4% to about 12%.

      But for the current exploit, anyone who has updated Flash in the last week is also safe.

    • #24345

      Just noticed a typo… The last number in my equation should be .03795 which is less than 4%… Sorry about that!

    • #24346

      Unless I misunderstood the wording in the article that’s posted below… if FLASH gets updated users are not at risk for this particular vulnerability. Is this correct?

      “A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.”

    • #24347

      Great question – short answer, I don’t know.

      There are other articles that hint the problem is a parallel problem – it exists in both Flash and in Windows.

    • #24348

      That’s an interesting statement – are you sure that anyone who’s updated Flash is safe?

      I couldn’t find any details about it.

    • #24349

      I believe that’s the case – but, as noted in other comments, I’m not 100% sure.

    • #24350

      It appears this is an M$ notice that “No more out-of-band 0-day fixes” will be released, and we’ll have to wait for the “2nd Tuesday of the month”… or am I reading that wrong?

      //

    • #24351

      Woodie-
      From the “synopsis” link in your post:

      “Also on October 21, Google shared a Flash vulnerability (CVE-2016-7855) with Adobe, which that company patched on October 26. That means users can simply update to the latest version of Flash.”

      “A source close to the company [i.e., Microsoft] also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated.”

    • #24352

      GACK! You’re right.

      If you update Flash, you’re clear.

      Thanks, Not b!

    • #24353

      I’m sure there will be exceptions but, yes, Microsoft’s behavior in recent months points to a push to have all security patches on Patch Tuesday.

      But also note last month’s patches that weren’t released on Patch Tuesday – or documented in the main list of Win10 updates.

      http://www.infoworld.com/article/3136336/microsoft-windows/woodys-win10tip-how-to-figure-out-your-windows-10-version.html

    • #24354

      Microsoft was quoted as saying, “To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.”

      I suspect that at least part of the reason for all of the snooping going on by Microsoft is so that they can make Windows 10 more secure against this sort of attack. Likewise, that’s probably one of the reasons they are forcing all of the patches on just about everybody.

      Just an observation; I’m neither agreeing nor disagreeing with what MS is doing.

    • #24355

      Yeah, but I’m skeptical.

      https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-advanced-threat-protection

      As I understand it, Enterprises aren’t deploying it in droves because it requires the company to grant Microsoft access to users’ searches. And it only works on machines with Win10 1607 – the Anniversary Update.

      There are deployment problems, as you would expect with any new security product.

      I’d be very interested in any info Microsoft is willing to share about the ways Win10 snooping enhance ATP! That’d be a very good use for the information collected.

    • #24356

      So those of us not using Windows 10 anniversary update, edge or chrome are screwed? I’m not convinced this is solely related to flash either, the wording seems to suggest both flash and a separate vulnerability. What’s the solution from both Google and Microsoft? Just use our browser for the former and make sure you upgrade to the latest OS for the latter, how convenient. I think they have a vested interest to get you using both those products. Say Microsoft patches this in next week’s updates, it’s gonna be lumped in with all the others, isn’t it? Either we install them immediately and hope nothing gets broken, otherwise the whole lot has to come out leaving you vulnerable yet again, or we wait for a few weeks as usual and remain vulnerable in the meantime. Thanks, Microsoft!

    • #24357

      It would appear – judging by published reports, repeated earlier in this thread – that updating to the latest version of Flash eliminates the problem.

      I won’t swear to it, personally, but that’s the gist of one paragraph in one announcement.

      Solution? Use Chrome. Google fixed it right away.

    • #24358

      Yeah, maybe. I don’t use flash anyway, I managed to wean myself off that devil’s teat a while back. An abstinence based flash policy is the best policy. Using chrome is no solution for me though, I don’t even use google search and I block all their scripts (seriously, those scripts are EVERYWHERE). It terrifies me how much data they are hoovering up and it makes Microsoft look like amateurs.

    • #24359

      Why don’t you use Flash Block (a Firefox add-in)? All Flash videos are blocked, unless you specifically allow them. For me, this is the best of both worlds.

    • #24360

      Woody, this is interesting.

      As an Enterprise, the Defense Department has bought into that Windows 10 is more secure and has directed the entire department to be on Windows 10 by Jan 2017 (in a letter dated the end of 2015).

      I know that for the most part the Air Force hasn’t even started. They have just announced that they will finish transitioning to W10 by Jan 31st, 2018 (which the DoD states in their letter that you can have an automatic 12 month waiver)

      Interesting that the Air Force is waiting until the last possible minute.

      I wonder if they will have some sort of deal with Microsoft about the snooping… with all the PII (Personal Identifying Information) and Privacy Act of 1974 stuff that will be on those systems in the NIPR Net.

      Since the SIPR Net (Secure) won’t be connected to the regular internet, I wonder how the updating will go for that.

      http://news.softpedia.com/news/us-air-force-to-upgrade-all-its-systems-to-windows-10-by-2018-508043.shtml

      http://www.af.mil/News/ArticleDisplay/tabid/223/Article/921260/windows-10-to-deploy-across-af.aspx

      I guess the DoD will trust Microsoft with everything that is on their systems. Sounds like it’s more of a ploy to reduce the number of Computer guys in the military based on what I read in those articles.

    • #24361

      DoD’s promise to transition to Win10 quickly certainly has a good ring to it – and, yes, the security improvements are a very big deal.

      But the actual implementation… I mean, we’re talking DoD here…

    • #24362

      I used to use that but I’ve removed flash entirely now so no need and I hardly miss it at all. I used to need it for BBC catchup services but they’ve transitioned to HTML5. Occasionally you come across a site that uses it but nothing essential for me.

    • #24363

      Funny thing… Windows 10 has all the latest security updates… but requires you to give up all of your information freely in order to use it… Hmmm…

    • #24364

      HA! “Flash isn’t Safe. You’re just not aware of it yet…

    • #24365

      Lately I’ve been under the impression this was turning into a Fanboi forum… Finally! Someone who knows what they’re talking about… I’m with ya T…

    • #24366

      Safer perhaps… Any security guy worth their salt will never tell you, you’re safe. Only we’ve done what we can given our current knowledge and budget and what we’ve done today is subject to change tomorrow. One thing is sure, Microsoft may be plugging security holes in the house but with their telemetry you have given them permission to keep the front door wide open. Now you have to ask yourself if you trust Microsoft, I don’t, but even if they have the utmost integrity, they will eventually get hacked, they all do sooner or later, and they won’t mean to lose your data, but they will. On the other hand if they don’t have my data I won’t have to worry about it. Sticking with 7 until I can find a suitable replacement.

    • #24367

      Flash Block? Why not just not install Flash?

      Learn here ->->-> https://panopticlick.eff.org/about#methodology

      Specifically scroll down to the bottom and look under the heading “Try to use a “non-rare” browser” to explain why using Flash Block is another plugin that will rarefy your browser and then test your browser here..

      https://panopticlick.eff.org/

      I bet you’ll find out your browser’s “Fingerprint” is unique compared to Billions of other browsers.

    • #24368

      Firefox updated the new Flash (23.0.0.205) on October 26, 2016.

      FF always keeps it updated, however this add-on should always be checked often to ensure that it IS updated. Mine is also set to “Ask to Activate”.

      I’ve always relied upon it to provide the latest update, and ensure that it is “enabled in protected mode”.

    • #24369

      Fanboi….. Nosotros ????? Think perhaps you need to view ALL the comments on AskWoody to realise that the opinions are varied and sometimes include a certain ‘confrontation’ amongst the commentators here in their discussions…….. so that viewers/readers have a true input of things.

      Regarding the subject of Flash, Woody is on record as saying that it’s not something you should have….. and there are many that still use it……. so the opinion is divided.

      That’s not a v. nice remark and it is perhaps no wonder that you go by the name of Anonymous. LT

    • #24370

      Will this be disclosed in a future episode and is it related to “Flash Point”? 🙂 🙂

    • #24371

      Not too many fanbois around these parts….

    • #24372

      +1 …..LT

    • #24373

      Does anyone really believe that DoD will get a version of Win10 that snoops? Does anyone really believe that DoD versions of Win10 will have advertising?

      I’ve got a dollar in my pocket that says that DoD doesn’t get the intrusive version that has been foisted upon the public.

    • #24374

      Win10 Enterprise, properly configured, isn’t intrusive and all of the snooping it does gets sent back to the people paying the bill.

      Advertising can also be turned off in the Enterprise (and Education) edition.

      It’s us poor schnooks who can’t buy five copies at a time (and can’t afford to hire a full-time admin) who get privacy mugged.

    • #24375

      As expected, looks like I get to keep my dollar!

    • #24376

      🙂

    • #24377

      Well now, that is a little bit unfair. I find this site to have no real fanboyism compared to many places on the net. It feels very inclusive for the most part as long as you don’t act like a d**k, whereas sevenforums can be very very sniffy to outsiders as woody will attest to. This is a nice place to be with very helpful contributors.

    • #24378

      “They will eventually get hacked.”

      +1.

    • #24379

      D**k? Hehe… I see what you did there. Sometimes there needs to be a malcolm tucker bit of swearing but it is your site so fair enough, my mistake. 🙂

    • #24380

      Lizzytish, I was supporting T’s comment about the way Google hoovers up data, makes Microsoft look like amateurs and how he avoids them at all costs.

      Regarding Adobe Flash, those in Comsec and hackers know how insecure it is… Fanbois talk about how installing the latest update “Will make you safe”. It’s dead and has been dead for a long time. It’s only still used to push obnoxious and virus ridden banner ads by website owners with financial incentive and by companies that offer services in exchange for tracking you. HTML5 has replaced it, is far more secure and is ubiquitous.

      I post anonymously because I understand what you do not…

      Respectfully,

    • #24381

      Don’t know about LT, but I am always thankful for those who understand what I do not.

    • #24382

      I Bowdlerize with glee.

    • #24383

      @anonymous ..Well I am too always thankful for those who understand more than I do…… but I fail to see your point of view of categorically saying you understand what I do not. How do you know that……. you have no idea of what I know and don’t know. I didn’t even comment about Flash.

      What one is objecting to is the word FANBOI.. it’s uncalled for. Simple as that.

      Most viewers who come here come from many different scenarios and those that comment offer their thoughts and ideas. Woody allows this diversity and it is because of this that AskWoody is a place for EVERYONE regardless of what protocols they practice.

      If you feel in tune with certain ideas……… that’s great but don’t denigrate the rest of us… that’s all! LT

      “Let us not look back in anger, nor forward in fear, but around in awareness.” – James Thurber

    • #24384

      And I’ll let that be the last word.

    • #24385

      As Flash is on its way out to pasture to be replaced by HTML5, I say good riddance! It can’t happen soon enough!

      The best way I have found to avoid Flash exploits is this:

      Run Firefox as your main browser, but remove the Flash plugin from Firefox, and let sites like YouTube that can default to HTML5 do so.

      Launch any pages or links that require Flash in Chrome. I let Chrome auto-update, so it always has the latest Flash plugin installed.

      There is a convenient Firefox add-on that places a right-click context menu to open links in Chrome. It has a toolbar icon as well. https://addons.mozilla.org/en-US/firefox/addon/open-in-chrome/

    • #24386

      Looks like the patch is out: https://www.catalog.update.microsoft.com/Search.aspx?q=KB3197868 – but which one should be used?

      Thanks!

    • #24387

      Wait, wait, wait!

      Still much, much too early.

    • #24388

      Thanks Woody! Just wanted to check and be sure!
