• Krebs: This month’s code signing zeroday, CVE-2020-1464, has been around for two years

    #2289163

    This month we had two zero-days fixed in the Patch Tuesday crop. Several folks in the press screamed that the sky is falling and you have to get patch
    [See the full post at: Krebs: This month’s code signing zeroday, CVE-2020-1464, has been around for two years]

    5 users thanked author for this post.
    Viewing 4 reply threads
    • #2289313

      I still would prefer Microsoft fix old code bugs and security holes, and stop adding unrequested features, like changing icons and tiles from square to round. The fluff is annoying, while the bugs and holes are dangerous, to some extent.

      GreatAndPowerfulTech

      2 users thanked author for this post.
    • #2289584

      So the patching advice remains the same, despite the 2 zero-day bugs: hold off applying this month’s v1909 patches until Woody says “go”?

      • #2289592

        That’s correct – for any version of Windows.

        1 user thanked author for this post.
      • #2289593

        The chances of either zero-day affecting normal Windows users is zero. At least in the short term.

    • #2289614

      Read, re-read, comprehend, repeat:

      “Moral of the story: It’s very, very rare that you need to patch immediately. Wait and see what problems crop up before you install the latest fare from Microsoft.”

      Consequences of Failure to Obey AskWoody:

      Sky-Falling

      3 users thanked author for this post.
    • #2289669

      Meanwhile, all this agile cloudy world is not helping most organizations get better at patching. This is ridiculous if IT professionals don’t even keep up:

      https://threatpost.com/large-orgs-plagued-bugs-patch-backlogs/158433/

      I think there is a need for a simpler OS that runs Office for a significant portion of consumers / SMBs.

      Take Windows core, keep things simple, LTS, offer containerization and better app controls/insulation a bit like iOS was before it got a bit more chaotic, easy native virtualization for casual browsing, less coupling between the frivolous and the base, offer security-only updates for 5 years. Let people choose what version of Windows they want to run. I don’t see any reason a dentist/lawyer/other conservative small business professional should run a version of Windows that gets feature updates they don’t care for, especially when security feature updates aren’t even accessible to their versions, or when they are too complex to use by non-techies, not really announced or documented to users. Those users install, or have installed, their specialized software and Office, then they run the machine until it dies.

      I think Microsoft might be trying to do that with Windows X, transitioning with a win32 compatibility layer. When you stop using old software, you only keep the new more insulated one. Really, I never understood why Word and Excel weren’t a simple folder/.exe you drop and run except to prevent copying back in the very early days of Windows. And now Office still doesn’t run on Wine properly. On a technical level only, that’s crazy. Marketing wise, it’s another story. Complexity brings security issues and although some people might need all the interactions Office has with Windows and the Internets, I would think a significant portion of people don’t.

      The phone world showed us that modern OSes can be more secure by design. And apps are one-click wonders, auto-updated; in theory they could have no permissions outside their scope unless granted, etc. The limitations of iOS aren’t that much tied to this for most people. Having multiple windows managed well, proper mouse support and a GUI for desktop use aren’t dependent on having a more tightened OS. File management is one thing, but there could be ways to implement that better too.

      In the meantime, though, a zero-day that requires you to use IE, or to call something that uses IE by clicking on something you shouldn’t in an email, is not going to make me lose sleep.

    • #2289674

      Another day of ad space in the computer mags sold, I suppose. Everything in Gizmodo and TechCrunch is the end-all zero-day; they have kind of cried wolf too many times to be believed. (tech journalism)
