ANOTHER 0-DAY??? MICROSOFT IS FINISHED!!!

SATYA NADELLA ON SUICIDE WATCH!

>According to the ZDI researchers, the vulnerability exists in all supported Windows versions, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016.
thehackernews.com/2018/09/windows-zero-day-vulnerability.html

JAVASCRIPT EXPLOIT: github.com/thezdi/PoC/tree/master/ZDI-18-1075

HOW CAN MICROSOFT EVER RECOVER?

First for Hackers The Movie

>At first I was like
This nigga really releasing 0 days in 2018 when msft has a bug bounty
>Took them over 120-days to patch
Yup it's msft alright lul

How do I make a backup of the current java version? I'm afraid that if I update, my rss reader will stop working again

>Crafted data in a database file can trigger a write past the end of an allocated buffer.
Der ewige C strikes again!

HACK THE GIBSON

>An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.
I'm not worried.

THE GIBSON. IT MUST BE HACKED!!!

See github.com/thezdi/PoC/tree/master/ZDI-18-1075

It's Microsoft in the end

>Microsoft Jet Database Engine
>must have specific configuration (non-default) for it to work
do you guys even read the article before sperging? sure, it's bad that they didn't patch it in 120 days but it's not like it's a bug in MS Word, it's something most users don't have installed anyway.

the only thing stopping people from switching to ubuntu or some shit is gaymes. Come on steam fucking move it already.

Would embedding the file inside a jpeg work still?

>activexobject
So just don't use IE or Edge.

Trannies on the left, jokers to the right, stuck in the middle with you

The only person who could patch it was kicked off the team because he said a mean thing which violated the CoC.

behind every buffer overflow there's a pajeet.

This. LINUX IS DEAD

It's bundled with the OS, you arseweed!

Trannies to the left of me
Apples to the right
Here I am
Stuck on Day Zero with you

What the fuck are you doing, user?
I'm pretty sure that web browsers aren't allowed to open ODBC connections anyway if that's what you're insinuating. I think you'd have to run it with cscript or wscript.
Based

Gentoo doesn't have this issue

No wonder this shit wasn't patched
>all versions of Windows!
Why sensationalize it like this when it only applies to a specific subset of people using a specific subset of outdated technologies.
This doesn't apply to anyone and they should deprecate it instead of fix it.

explain
is muh windows 10 lgbt affect

Do you use IE, have activex enabled, and manually approve connections to databases that you're unfamiliar with?

yes yes no

>HOW CAN MICROSOFT EVER RECOVER?
Same way as always. Windows users are basically Masochists so MS ignores the exploit for a few years until the users accept that's the way Windows is.
Then, in a series of intrusive and overly long and complicated "fixes", it is "addressed", breaking several other functions in the process.
Final "fix" is to upgrade to the latest release, which has its own problems.
Naturally, the new release will be called the Most Secure Windows Ever. Whatever that means.

Looks like you goys on windows 7 will have to pay the subscription to get security patches now.

> Warning: This object is a Microsoft extension and is supported in Internet Explorer only,

Finally, finally, yes, finally this will force all the dipshits that still use IE to either ditch it or get annihilated.

Microsoft, do not fix this vuln. It's the only way to finally kill IE FOREVER. Do not fix it, let the IE dipshits get destroyed.

In fact, I hope somebody did this to save web devs from supporting that ancient piece of shit.

>"remotely exploitable"
I mean, I'm not defending Microsoft or saying this bug is noncritical or anything, but to call JS phishing "remotely exploitable" is pretty bad headline journalism.

Gentoo will soon not have a kernel though.

>I think you'd have to run it with cscript or wscript.
In that case there wouldn't be any point in using a Jet database to do the exploit though, would there? If you're running in cscript/wscript, you already have full privileges. I'm assuming that ActiveX object is allowed in IE since Jet is deemed "safe" by MS.

>In fact, I hope somebody did this to save web devs from supporting that ancient piece of shit.
Correct me if I'm wrong, but recent versions of IE don't really do anything particularly evil to web devs, do they? No one's actually using IE6 anymore.

If anything, since the utter and total demise of both Firefox and Chrome, I don't really see why using IE would even be worse than anything else.

IE 10 and 11 have much better support for web standards compared to previous versions. However, that doesn't make them viable choices for browsers, since they do not support or implement many modern web APIs (Web Audio API), modern JavaScript features (ES6+) and modern CSS (grid), and there will not be any new version of IE.

>mission critical hardware will die because of some transvestite faggot's feefees

gentoo is not tied to linux kernel and can use bsd kernels as well

20+ years ago, "remotely exploitable" meant a daemon vulnerability, a Web app vulnerability, and whatnot. It then started becoming more of a FUD/marketing term applied to everything from browser vulnerabilities (which I suppose is fair) to malicious-file vulnerabilities requiring someone to download a file and open it.

Edge doesn't have ActiveX

Is that what this is?

>affecting all version of windows
>all
So they tested it all the way back to 3.1? Much hespect

>Need to have visual basic or Access™ to work.
>The victim needs to open a specially crafted db file
Wow! That's fucking nothing!

>it's a wangtard subhuman thinks he belongs on Jow Forums episode
cringe

>bug bounty
Why not intentionally leave in subtle bugs and then cash in on the bug bounty?

i only browse Jow Forums and youtube so i should be safe

Haha, very cool

Has it been patched? I know I'm not affected by this but still I'm wondering.

>to call JS phishing "remotely exploitable" is pretty bad headline journalism
It's not that misleading. Keep in mind that a LOT of big newspapers and web services and advertisement networks have been spreading malware time and time again. You write your little exploit and you take out an advertisement which is allowed to use JavaScript (previously Flash was the bigger problem) for some reason (why do they allow random companies to run JS?) and now you get to infect all those who are dumb enough to read the Washington Post's propaganda.

I know, it's not like you can nc some port and you're in - which is what used to be "remotely exploitable". But some aunt checking her Facebook & getting 0wned via an advertisement isn't all that far from it.

Regardless of how you look at it: This is pretty bad on Microsoft's part. 120 days - four months - is a very long time for something like this.

What if I'm running Win XP, does this affect me?

what is proton?

I doubt it
They could make an OS that carries out surveillance for the state and people would still use Windows.
Oh wait.

Oh yes. I do hope the day comes when I can switch to linux fulltime and enjoy all the half-assed ripoffs made by people who don't know good design even if their lives depended on it and constantly being told I use it wrong no matter what.

inb4 patch only available on Windows 10
inb4 used by Microsoft to push people out of the better versions

>ActiveXObject
>2018

the absolute state of winpoo

That's just asking for a lawsuit

Everyone at my work place used IE. Always complained about viruses, but refused to use another browser because it wasn't "approved by Microsoft". One afternoon, I install Firefox with HTTPS everywhere and UO, on all the computers. I then use Resource hacker to switch out the Firefox icon with the IE icon.
>Hey, my internet is different!
>Different how? Can I take a look?
>Look! It's different!
>Ah! They must have pushed out the update finally! They've been talking about a redesign for months!
It turns out that my boss was the only one with a computer at home, and he knows what I did, and he approves.
mfw this ruse worked.

except whole windows gui is based on ie engine. taskbar, explorer, literally everything

you just perfectly described windows 10

It's a sad world

>publicly releasing this
>not selling it on the black market
>not abusing it yourself to install millions of crypto miners

Retards.

> 0day
More like alldayerrday.

Then linux is dead. Windows no longer secure. MacOS? lol

> LGBT/Lanux
ha ha ha, no

>browser vulnerabilities (which I suppose is fair)
I think it is not. "Remotely exploitable" means that the attacker can exploit his target with an unsolicited connection of his own to the target system, not that the target has to be phished into connecting to the attacker.

>HTTPS everywhere
HTTPS doesn't deserve to be used until root CAs are abolished. Don't encourage it. Don't use it unless absolutely necessary.

So, I don't have to panic, and it's required
> is a database engine integrated within several Microsoft products, including Microsoft Access

since I don't install this part of the main software.

When Office updated, I saw a couple of updates related to Access and a couple of other things that I don't even install, then I ignored them.

works on my machine
try updating it once in a while?

can't run on my system. what's wrong?

>No one's actually using IE6 anymore.
Oh if only this were true. We have to support it with our web platform because a small percentage of UK healthcare professionals do still use IE6.

HACK THE PLANET

You need to update your system to get the new amazing vulnerability!

THEY'RE TRASHING!!!

>suicide watch

>needs activex to work

yeah i can see how patching obsolete OS will make microsoft being finished

Isn't the Windows kernel written in sepples? Windows doesn't even officially support C11.

>JAVASCRIPT EXPLOIT
Javascript was a mistake.

>party van

While I don't disagree that JavaShit was a mistake, this particular exploit is actually caused by Microsoft allowing access to ActiveX in unauthenticated JS, which is truly something that only Microsoft would do.

I feel for you user.
