Netflix Users In Danger of Unknowingly Picking Up Malware

An anonymous reader writes "Users of Silverlight, Microsoft's answer to Adobe Flash, are in danger of having malware installed on their computers and being none the wiser, as an exploit for a critical vulnerability (CVE-2013-0634) in the app framework has been added to the Angler exploit kit. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements." You'd think something like Silverlight would automatically upgrade itself.

Automatic upgrade

[Mr_Silver]

You'd think something like Silverlight would automatically upgrade itself.

It will, assuming that it's given a critical priority within Windows Update and the user has their machine set up to automatically download and install updates.

Come on, this is basic Windows stuff. Can we get someone on the Slashdot staff that has actually some experience of the operating system in use by 96% of the population please?

Re:Automatic upgrade

[DaHat]

If one looks at the link to CVE-2013-0634, there is a link to a MS Security Bulletin first posted in March 2013 & last updated in April... even saying:

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

Way to go editors... this bug was reported & fixed 7 months ago and only now are we to get paranoid over what it could do if Windows Update isn't enabled? sheesh

Re:Automatic upgrade

But the headline, it's so scary. Netflix users BEWARE! There be DRAGONS ahead. Boo!

Re:Automatic upgrade

You'd think something like Silverlight would automatically upgrade itself.

It will, assuming that it's given a critical priority within Windows Update and the user has their machine set up to automatically download and install updates.

Come on, this is basic Windows stuff. Can we get someone on the Slashdot staff that has actually some experience of the operating system in use by 96% of the population please?

I believe he was referring to Adobes rather (non-unique and very common) ability to upgrade itself, without the constraints or reliance upon yet another updater, even if we're talking about THE updater for Windows. Seems thousands of other programs stand on their own.

Come on, this is basic computer stuff. Can we get someone at Redmond to understand that obviously Windows Update is not the end-all-be-all to security in the operating system in use by 96% of the population please?

Re:Automatic upgrade

Way to go editors... this bug was reported & fixed 7 months ago and only now are we to get paranoid over what it could do if Windows Update isn't enabled? sheesh

Well, i had my automatic updates disabled because security and privacy issues, they where a way of infection with NSAs mallware unsolicited code... and a way to constanly monitor my position in the network (Joke) ;-P

Re:Automatic upgrade

[hairyfeet]

What do you expect, most of the MSFT bashing here is based on shit that ended with XP. As someone who works on Windows systems 6 days a week i can say that a modern Windows system (Vista on up) with automatic updates and a browser that recognizes low rights mode (IE or any Chromium based) is one tough nut to crack, in fact the only infections I see with any regularity are ones where the writer used social engineering to get the user to bypass the OS security. Sadly no matter how well MSFT hardens the OS you can't fix PEBKAC as those million infected Android devices can attest to.

As for TFA no matter what the security risk I'd GLADLY take SL and Flash over the fucking trainwreck that is HTML V5! Sure having a plug in may not be the most "elegant" way to do things but ya know what? At least it doesn't gobble down RAM and CPU like a fat guy at an all you can eat buffet! While I'd be the first to admit that we could and should be able to do better than Flash and SL I'm sorry but HTML V5 isn't the way, measure it any way you like and you'll find it scores WORSE than Flash and SL by a long shot, RAM, CPU, hell if the mobile device doesn't have hardware acceleration for H.264 all you are gonna get is a slideshow.

Re:Automatic upgrade

Yea, they push Bing toolbar and Bing desktop and even make IE a priority update but cannot update Silverlight? Luckily many sites that use Silverlight do prompt you if your running a older version. I know my Silverlight has a automatic update enabled. So maybe it updates in the background? I know I never get any prompts to install them.

Re:Automatic upgrade

Yea, let's make everyone paranoid over this. If I was Netflix I would be upset about they way this is worded. Its not like Netflix has any malware associated with it.
Just because they use Silverlight they are the problem? Microsoft and plenty other sites used Silverlight too? Why mention only Netflix?

Re:Automatic upgrade

[TWiTfan]

I hear you can get pregnant just by watching Netflix on an unpatched computer!

Re:Automatic upgrade

I have Windows Update active, just last week I received several updates.

Yet, when I check Firefox plugins, I find Silverlight there (though I never installed it in Firefox, what kind of malware is this?), and it is listed as vulnerable.

Re:Automatic upgrade

[g0bshiTe]

I'm too lazy to RTFA, where exactly did Netflix come into play? Is my Roku running silverlight? As far as I know I don't have silverlight running on any of my devices.

Re:Automatic upgrade

[g0bshiTe]

Switch to *nix, instead of fixing them 6 days a week they work.

Kidding, kidding before you decry me as a *nix zealot though I do use it regularly, I find that neither OS is 1 size fits all. There are things I love in nix and things I love in Windows barring Windows 8 of course. I never let it update without looking over what it wants to push.

And you are right since MS isolated Session0 it has been much tougher for me to find a compromised system on my network as long as users don't run with elevated privies. If an infection does get it, blow out the user account recreate and a reboot and it's clean.

Re:Automatic upgrade

[The+Grim+Reefer]

I hear you can get pregnant just by watching Netflix on an unpatched computer!

I don't know about that. But I did notice that ever since Silverlight got into my house the glue has disappeared from the bindings in all of my books. I thought it was a coincidence. But upon further consideration, I seem to be watching more movies from Netflix since the pages of my books keep falling out faster than I can read them.

Re:Automatic upgrade

[SQLGuru]

Just more FUD. Netflix is just one of the biggest reasons that people have Silverlight installed. Therefore, Netflix is the reason that you are vulnerable.

Re:Automatic upgrade

[Barlo_Mung_42]

And it only effects the web player version of Netflix. Those watching via the Windows Store app are fine.

Re:Automatic upgrade

It's not netflix related at all, the OP is a douchebag sensationlist. This is known and patched Silverlight bug.

Re:Automatic upgrade

[jedidiah]

> It's not netflix related at all, the OP is a douchebag sensationlist. This is known and patched Silverlight bug.

Netflix is probably the ONLY example of a Silverlight dependent website that any of us can think of.

If not for Netflix, this bug would be totally irrelevant to most people.

Re:Automatic upgrade

[phorm]

Not only that, but every now and then when I access Netflix with an older Silverlight version, it *does* prompt me to upgrade. This includes on Mac and older WinXP systems.

Re:Automatic upgrade

[gl4ss]

not just biggest reason - the only reason.

Re:Automatic upgrade

[ktappe]

• Can we get someone on the Slashdot staff that has actually some experience of the operating system in use by 96% of the population please?

It's not even correct for the other 4%. On Mac OS X, Silverlight absolutely alerts the user that their version is out of date and a single "OK" click will download the new version for them.

Re:Automatic upgrade

• Can we get someone on the Slashdot staff that has actually some experience of the operating system in use by 96% of the population please?

It's not even correct for the other 4%. On Mac OS X, Silverlight absolutely alerts the user that their version is out of date and a single "OK" click will download the new version for them.

Well, given the fact that Android is Linux, and your TV is linux, and Playstations are Linux, and even MacOSX is Unix, and probably your Car runs on linux, I guess unix is "the" operating system in use by 96% of the population, Sir. Actually most of computers are smartphones & tablets, and there are not many of those running windows.... And most of the time, when we use an operating system we are not actually using a Desktop Computer.....

Re:Automatic upgrade

[lgw]

Woah. I also use Silverlight and I just started reading my old, old copy of Ender's Game, and sure enough the pages are loose in the bindings! It's real, man!

Re:Automatic upgrade

[Darinbob]

I often think that automatic upgrades are a security disaster waiting to happen myself. I far prefer to be notified that updates are available.

Re:Automatic upgrade

I am having trouble figuring out how to enable Windows Update on my Macs with Silverlight installed.

Can you share directions?

After all, the MS Security Bulletin you link to says that it affects Macs with older Silverlight versions as well.

Re:Automatic upgrade

[The+Grim+Reefer]

I heard cedar chips keep silverfish, er, Silverlight out of your books.

Re:Automatic upgrade

[cbhacking]

The chain of trust for Windows updates is among the strongest protections the OS has. Certificate pinning for the update servers (can't spoof them even with a compromised CA signing your SSL cert), signed update packages (again, must be signed by Microsoft rather than some third-party trust authority), and signed binaries. In order to compromise the update installer, you would need to have already compromised the OS so thoroughly that there's no point pushing a malicious update. The odds of an actual security exploit using the update system are miniscule.

Now, with that said, it's a good idea to review the updates manually for other reasons. Some of those other reasons are even security-related, albeit indirectly (updating clients or servers or infrastructure that is important for security could have a detrimental impact on system security if, for example, you've heavily modified the default security configuration). If you don't trust the updates themselves (for example, because they might push DRM) then that's another reason to check them manually. Worrying about the update process, though... well, that's not likely a worthwhile concern. If it gets compromised, there are already other, bigger problems.

Re:Automatic upgrade

[lgw]

Dangit, I've been using pyramid power all this time. Cedar chips, eh?

Re:Automatic upgrade

[Darinbob]

You get a window that says "do you want to update this?" But you have no possible way of knowing if that is official or is part of malware. What about third party applications doing the same thing, as in Adobe Reader or Firefox asking over and over for your permission to update, I'm pretty sure they're not linked into Microsoft's cert chains.

Re:Automatic upgrade

[hairyfeet]

Look up "The Hairyfeet Challenge" to see why *nix don't cut it my friend. You are obviously a system admin and thus its trivial for you to admin your own systems, I on the other hand work primarily with home users, SOHOs, and SMBs and with them it better "just work" and any fuck up, like say Ubuntu shitting on the wireless or Mint doing a dump on the video? Then its ME that is gonna get a hit to my rep.

What the FOSS zealots here refuse to accept that you have seen with your own eyes is that from Vista on up? Once you set Windows up right, with the default user not running as admin, a low rights browser like Dragon or Chrome, and a decent AV like Comodo IS or Avast then that's it. That system can easily run for the life of the system with ZERO maintenance and with ALL the patches installed automatically. as long as Torvalds is in the big chair Linux will have "update foo broke my drivers" because he cares about "GPL purity" than he does a functioning system, sorry but he cares more about the politics than the OS.

So while I'm glad you have found something that works for you, in the markets I make my bread and butter in? Linux isn't even up to XP yet it terms of stability and functionality, MAYBE Win2K RTM levels but folks want a heck of a lot more now like functioning wireless and updates that don't crap on the system and in that regard Linux has a ways to go.

Re:Automatic upgrade

[chuckw]

That would be a reasonable thing to say if the world all ran Windows. This is in fact very much not the case. Apple users are forced to use Silverlight if they wish to use Netflix, and there is no auto-update feature. You have to download the latest DMG to your desktop, shut down your browser, and install it. Very 1995...

Silverlight *does* patch automatically ...

[cdrnet]

From the related MS13-022 security bulletin: "Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. "

Unless you're one of those "smart" people that use windows but disable windows update ...

Re:Silverlight *does* patch automatically ...

Unless you're one of those "smart" people that use windows

I usually take the stairs or the elevator, but I guess if you're in a hurry....

Re:Silverlight *does* patch automatically ...

Or one of those corporate people with a managed desktop where you can't install your own patches and don't get anything that your IT department don't deem "ultra-critical" because they'd rather avoid any testing or issues with updating a browser plugin that's not relevant to your job. The last place I worked was usually about a month behind on patches while we deployed them to testing groups, and some of the "peripheral" stuff like patches for Silverlight, driver updates, etc would just be ignored altogether. And because we were using SCCM for patch management, the actual Windows Update services were forced off.

Re:Silverlight *does* patch automatically ...

I'd be surprised they had Silverlight at all. It isn't installed by default, nor needed normally.

Re:Silverlight *does* patch automatically ...

We did, although I never looked into how it got there. Given that we deployed desktops via SCCM task sequences, it's definitely possible that it was put in by a step in the TS rather than as a core part of Windows.

Re: Silverlight *does* patch automatically ...

A month behind? My PC still has IE9 because our IT department are still trying to make the intranet site work with IE7 and are panicking about employees PCs getting too far ahead of them.

Re:Silverlight *does* patch automatically ...

Unless you're one of those "smart" people that use windows

I usually take the stairs or the elevator, but I guess if you're in a hurry....

Smart people go to boot camp, because then you go through the window, but only when using OS X... because we all know that cats always land on their feet.

Re:Silverlight *does* patch automatically ...

Mostly, I disable WU's ability to reboot my machine out from under me. This comes from a heavy-handed settings panel that gives you an all-or-nothing choice. And one slightly more than nothing choice... which is the right one.

Option 1: Let Windows Update do whatever it wants, whenever it wants, whether you're using the machine or not. Reboots will universally occur at times that interrupt things you feel are important. (It's like reverse clippy. "It looks like you're working on a document! Let me reboot your machine and lose all of your work for you!")
Option 2: Windows Update can download ONLY the really critical updates in the background, and nag you to install them, and even set them up to install on reboot, but never interrupt your usage. (This is the right choice, given these limited options.)
Option 3: Windows Update can go clean its butt with a rusty grill brush. (Bad idea. It will need tetanus shots along with malware scans.)

This completely ignores the well-designed configuration paradigm used by the power management system, where there are several independent options, but you choose a "profile". WU should allow you to choose WHICH levels of things to automatically download in the background. It should allow you to choose WHEN OR IF to automatically install them. And those options should be independent, and save as a "profile". Then there should be a set of conditions for when each profile becomes active, based on network connection, power supply, and system activity, as well as scheduling.

This is separate from the defaults for the "hurr durr" crowd. Defaults are fine for "those people", and should stay as they are now (reverse-clippy mode).

Re:Silverlight *does* patch automatically ...

I don't have it disabled, but I won't let it update audomatically -- not since an XP update replaced a perfectly good network driver with one that was completely nonfunctional. Right now it wants to "update" my browser to IE 10, I use FireFox and never use IE.

Re:Silverlight *does* patch automatically ...

[colesw]

My corporate PC is on XP SP2 :(

Come on...

I know there's been alot of bad movies lately... But malware? Really? That's harsh.

Misleading title?

Isn't this title just totally misleading? Although Silverlight never enjoyed the popularity of Flash, it's not like Netflix is the exclusive user of Silverlight...

Re: Misleading title?

[jrumney]

Yes, don't forget all the people checking the Beijing Olympics website daily for the latest updates. They have Silverlight installed too.

The Critic malware

[Gravis+Zero]

good news! all users that dont use Netflix will be unaffected. I can only surmise that this malware replaces all movie descriptions with "It stinks." and a rating of one star.

Re:The Critic malware

[ApplePy]

good news! all users that dont use Netflix will be unaffected.

Good thinking! My Linux box is so secure it won't even run Netflix!

Re:The Critic malware

[jedidiah]

> Good thinking! My Linux box is so secure it won't even run Netflix!

Although it handles Hulu and Amazon Prime just tine.

Unknowingly?

[pablo_max]

Tell me, when is the last time you knowingly were infected with malware?

Re:Unknowingly?

Each time you install something from Adobe, ask.com, or silverlight?

Re:Unknowingly?

[osu-neko]

Tell me, when is the last time you knowingly were infected with malware?

A few years ago. Rebooting into Windows and deliberately plugging into a client's network was (for various reasons) the quickest/easiest way to determine what exactly was infecting their computers and if it was really spreading across the LAN rather than being transmitted by some emailed word document or promiscuous USB-stick user. It was.

I've actually never been unknowingly infected with malware. It's always been deliberate, although I didn't always know exactly what sample I'd be collecting...

Re:Unknowingly?

Tell me, when is the last time you knowingly were infected with malware?

Since Snowden we know (knowingly) that we are runnin on a continious mallware infection, everytime we use something that is not open source and has been produced by an american big corporation....

Newsflash!

Active content executes code in the user's computer!

C'mon, folks...

to post about already patched vulnerabities

[Celexi]

Really? Why is this on front page of Slashdot? A vulnerability that was patched months ago via windows updates is now an issue?

Re:to post about already patched vulnerabities

[penix1]

To me the real story isn't the attempt to sensationalize on a vulnerability or to single out one user of the technology but that an exploit for that vulnerability has been added to an exploit kit. That means that you probably will see it exploited widely simply because of people turning off windows update for various reasons.

The best solution is to lock down Silverlight

[Ruedii]

For plugins like silverlight that run code rather poorly sandboxed, you should lock them to a whitelist, so that only web sites you have preapproved can use them.

Additionally, you should only run them on an unpriviledged user. (Something many Windows users don't do with anything as a regular practice.)

These two measures won't eliminate your risk, but they will dramatically reduce it.

Re:The best solution is to lock down Silverlight

[bazorg]

Hi,

When you say that it is not properly sandboxed and using admin user permissions, does that apply to people using IE11 (Windows 8)? I thought the defaults on Windows 8 were not as careless as back in the day of XP pre-SP.

Re:The best solution is to lock down Silverlight

[zippthorne]

How do you lock silverlight to a whitelist?

Re:The best solution is to lock down Silverlight

Silverlight is a plugin, and in Chrome you can block all plugins and then add sites to a plugin whitelist. I assume something similar is available in other browsers.

There are similar whitelists for Javascript and cookies. I whitelist all three. Managing the lists can be annoying, but I prefer to have a bit of control over what web sites do on my computer.

Re:The best solution is to lock down Silverlight

[jader3rd]

How do you lock silverlight to a whitelist?

In Internet Explorer, just like any other ActiveX control. In the Manage Add-Ons Windows select the Add-On you want whitelisted and press "More information". In the information dialog press "Remove All Websites". Then when you are viewing a website that wants to run that add-on and small bar will appear at the bottom of the windows asking for permissions to run.
I do this with Flash. It means I have a small bar at the bottom of every website I visit, and I think my whitelist for it at the moment is thedailyshow.com.

Re:The best solution is to lock down Silverlight

The best solution is just not to use Silverlight.

AI

[Ukab+the+Great]

Perhaps Silverlight has become self-aware and assumes that any upgrade would involve Microsoft trying to kill it off.

Netflix?

And this is specific to Netflix users?
I don't get it.

Re:Netflix?

[behrooz0az]

It's always their fault.
Don't you get it? It doesn't run on Linux.

Re:Netflix?

[CastrTroy]

Well, to be fair, it's probably the only reason most people have Silverlight installed. The only other thing I can think of that used Silverlight was when NBC required Silverlight for watching the Olympics, but I think that was back in 2010. I don't know why Netflix doesn't just required some kind of App to be installed. They have one for Windows 8. Sure the browser feature would be nice as a fallback options, but for actually watching shows it would be much better accomplished outside the browser.

Re:Netflix?

[Java+Pimp]

It has nothing to do with Netflix specifically. The article is sensationalist FUD. It's like saying Slashdot users are in danger of unknowingly picking up malware because someone found a javascript exploit.

Re:Netflix?

[jedidiah]

The headline is a function of the fact that Silverlight is pretty much irrelevant except for Netflix. Micrsosoft thought they were going to displace Adobe but it didn't quite work out that way.

Without the Netflix connection, the common man's reaction to this story would be: "Silverlight? What's that? Why should I care?"

Re:Netflix?

Because OMG, it's Netflix! Quick, let's move to a really secure platform, like one of those Adobe products.

Re:Netflix?

[Lumpy]

But it does. All BluRay players run linux, and the ones that have netflix.... That's Netflix on Linux. so they are lying bastards when they say they cant do it.

Silverlight? No Thanks

[Scarletdown]

Back when I used to be able to stream Netflix (I since changed my account to the 3 DVDs at a time plan instead), I gave Silverlight a try. After Silverlight was installed, my video capture device with WinDVR suddenly stopped working. Suspecting Silverlight was the culprit, I set up the video capture device on a test box, and verified that it worked. Then I installed Silverlight there, and sure enough, no more video capture capability. Removed Silverlight and eradicated all traces of it from the system, and my hardware was once again working properly.

That was when I invoked the hardware owner's right. The ability for any publisher's software to run on hardware that I own is a privilege, not a right. If your product interferes with the rightful and proper operation of my property, then its privilege to exist on my system is revoked permanently.

Do not fuck with my hardware or any other software that I have installed, or you will not be permitted to run on any systems under my control, and word of your dipshittery will be passed on to others, so that they can be made aware that your software is malware.

Netflix users?

[BringsApples]

Shouldn't this be Microsoft Windows users? My PS3 isn't going to get malware.

Re:Netflix users?

Not even that, since neither Win RT, Windows Phone, or Xbox users are affected either.

Re:Netflix users?

Not even that, since neither Win RT, Windows Phone, or Xbox users are affected either.

Neither are any Windows users with Windows Update on. This was auto-patched months ago. The summary blurb about upgrades is just ignorant.

Re:Netflix users?

Shouldn't this be Microsoft Windows users? My PS3 isn't going to get malware.

Ah.

We stand corrected, and you are right.

Your PS3 isn't going to get malware. They prevented that sort of thing right at the factory by pre-installing the malware for you.

Re:Netflix users?

> PS3 isn't going to get malware.

You are correct sir - Sony has give you a head start by preinstalling it for you.

Hey come on, gotta hate on MS!

[Sycraft-fu]

I mean if some random shit "security blog" posts a trumped up story to try and get traffic, it is Slashdot's DUTY to repeat it here, with no checking or verification! After all, better everyone is scared of their own shadow than informed about security.

Seriously this is just pathetic. As I said: This is some random ass site that is trying to get people to come and read, and it worked. By making a scare story about how Netlfix users on Windows are vulnerable they managed to get some Linux fanboy to submit the story to Slashdot. The editors then did what they do, which is to say NOT EDIT and just posted it. Great success for shit site, they now got a bunch of undeserved traffic.

What is sadder is how uninformed this makes all involved look. the statement of "You'd think something like Silverlight would automatically upgrade itself." Yes, it DOES you fucking moron. One thing you have to give MS is that Windows update will patch all their stuff for you. Let it do its thing and you get security updates, as they are released. You don't need to pay attention or anything, it'll just happen. This includes things not installed by default like Silverlight, or older versions of the .NET runtimes.

This is just a massive pile of fail. It is not news, not even really old news. There was a bug, they patched it. This would be "how shit works", or at least how it should.

Re:Hey come on, gotta hate on MS!

[ApplePy]

That's ridiculous. How would it automatically update itself? Windows doesn't even have the basic tools for it, like apt and cron!

Re:Hey come on, gotta hate on MS!

[camperdave]

Windows can do some scary stuff. My laptop BIOS does not have the ability to set a time to wake the machine. Yet for weeks I would find the laptop had gone from a completely powered off state to a completely drained battery overnight while sitting in my backpack. When I turned off the automatic update feature of Windows, the mysterious behaviour stopped. Somehow, Windows would power up the laptop in the middle of the night, and it would sit at a GRUB prompt until the batteries were drained.

Re: Hey come on, gotta hate on MS!

[jrumney]

I remember when Intel added power on timers to the BIOS specification and released some software for configuring it. I think I was using a 386DX40 desktop at the time I tested it out. Your BIOS has the feature even if it doesn't expose it in the BIOS setup UI. Its the kind of feature that doesn't make sense as a standalone feature so its provided more for the OS to use.

Re:Hey come on, gotta hate on MS!

[riis138]

Totally agree, this is Fox News style "journalism" at its finest.

Re:Hey come on, gotta hate on MS!

[Deathlizard]

This is nothing compared to the .Net Firefox plugin

If Slashdot put as much effort in denouncing that plugin into Actual malicious plugins like Conduit, Dealio and the like, the world would be a better place.

Re:Hey come on, gotta hate on MS!

[g0bshiTe]

Any administrator worth their weight doesn't let MS be rogue and update itself. You never know when KB-OMGWTFISTHIS will be incompatible with Driver_l()()t_d()()d.

Re:Hey come on, gotta hate on MS!

[LordLimecat]

Windows cant power the laptop up. Something else is at work-- probably a BIOS setting to power your laptop on when power is restored (power outage / power comes back, computer will boot up).

Stop and consider basic Operating Systems 101: The OS cannot run unless it is loaded into memory, and the CPU is active. If it isnt loaded into memory and the CPU isnt active, "windows" cant do anything.

Re:Hey come on, gotta hate on MS!

[LordLimecat]

Epic troll fail. Anyone whose done any sort of systems admin knows that Windows update is probably the LEAST likely of system updaters to cause problems.

Re:Hey come on, gotta hate on MS!

[ColdWetDog]

That's from the trolls. They hide underneath the BIOS and wake everybody up at 3:00 AM (because they're trolls).

It's what you get for hanging around here.....

Re:Hey come on, gotta hate on MS!

I turned that off when the a patch destroyed my wireless drivers.

Re: Hey come on, gotta hate on MS!

[ncc74656]

I remember when Intel added power on timers to the BIOS specification and released some software for configuring it. I think I was using a 386DX40 desktop at the time I tested it out.

That capability would've required ATX with its standby power capability, which didn't come along until well into the Pentium era. There's no way your 386 would've had wake-on-timer, wake-on-LAN, or wake-on-anything. The only thing that might've worked would have been to plug it into a timer (like you'd do with your Christmas lights).

Re: Hey come on, gotta hate on MS!

No, power on timers in the BIOS are actually useful. If you work in an AD environment where it takes 5 minutes just to get to the login screen if there are no updates pushed out, you can set it up to power on before you get in the office. Something is almost always being removed/updated/added to systems around the campus. Patch Tuesday = Watch Wednesday for people that don't have their power on timer set to a good 15 minutes before they're in the office.

Re:Hey come on, gotta hate on MS!

[freeze128]

That's what you get for not having a default selection in Grub. Add one, even if it's a HALT.

Re:Hey come on, gotta hate on MS!

[mmontour]

Windows cant power the laptop up.

Technically, no. But Windows (or Linux) can program a wake-up alarm into the RTC chip. See for example http://www.mythtv.org/wiki/ACPI_Wakeup .

Re:Hey come on, gotta hate on MS!

[camperdave]

I tried adding a poweroff default to GRUB, but it didn't work for some reason or another. I wound up simply disabling the automatic updates within Windows.

Re:Hey come on, gotta hate on MS!

[Darinbob]

Windows 8 will leave things running even after the computer appears to be off superficially. Part of it's goal to make bootup and shutdown look fast. Ie, screen goes blank but if you're on a desktop you see the hard drive light still active for five to ten seconds as well as the light on the tower's power switch. It's kind of worrying because someone not paying attention may just kill the power prematurely. For a laptop you never see the hard drive light and so think that its off when it isn't.

A couple weeks ago I used "power off" on the computer then went away to get ready for bed. Walking back to the office a few minutes later I could see that the hard drive was still active. I waited awhile and it still hadn't completely shut off. So I forced the power off rather than wait. Next day it took longer to boot up as it was checking the file system, and then it said it was configuring updates. Ie, the night before it had actually been downloading updates and probably installing them, all while the screen was blank. That's not normally how it does it though so it may have just been an anomaly.

Anyway, laptop users should be a bit suspicious here and make sure things are well and truly powered down.

Re: Hey come on, gotta hate on MS!

[noh8rz10]

The only thing that might've worked would have been to plug it into a timer (like you'd do with your Christmas lights).

I leave my xmas lights on 24/7, you insensitive clod! Also, 365 days a year.

Re:Hey come on, gotta hate on MS!

[noh8rz10]

A couple weeks ago I used "power off" on the computer then went away to get ready for bed. Walking back to the office a few minutes later I could see that the hard drive was still active.

You sleep at the office??

Re:Hey come on, gotta hate on MS!

[Darinbob]

Doesn't everyone?

Re:Hey come on, gotta hate on MS!

[noh8rz10]

yeah, but only between 9 and 5.

Re:Hey come on, gotta hate on MS!

Check your connected devices, especially USB 3.0. I had a somewhat similar problem - when turning off my computer (homebuilt desktop with Intel DH77DF) it would ALWAYS turn itself on again after a few seconds. It was caused by an external hard drive (Icy Box raid cabinet) connected to a USB 3.0-port.

Re:Hey come on, gotta hate on MS!

better everyone is scared of their own shadow

Oh ffs, is my shadow running Silverlight now?

I knew not to enable auto updates, and I did it anyway.

Cancel Netflix

http://www.defectivebydesign.org/netflix

This is not a news

Users of Microsoft platform are getting infested with malware....

If you want to be "safe" you have either to make sure that you have a very well maintained platform, and some smart firewalling setup that will passivelly monitor your connection and ping you when suspicious trafic is happening.

Or not use windows, and be reasonably prudent....
But then you will not get your "goodies" ...

The main issue is that most people do not care ... they just "know" that if the computer starts to be very slow you have to reinistall everything and hope that their
double verification payment platform/banking interface is reasonably safe from man in the middle attacks... and insured so that if your account goes into red you'll get repaid eventually...

Re:Silverlight? No Thanks

or your hardware needs drivers that follow apis and don't assumed their funky behaviour won't be screwed over by any update to any library. Silverlight did not (could not) fuck with your hardware. Your hardware ahs shit software support (and it's either the vendors or your fault)

As a Roku owner

[reboot246]

As a Roku owner this affects me how? Who uses a PC to view Netflix content? Yes, it's possible, but it's not the best way.

Re:As a Roku owner

As a Roku owner this affects me how? Who uses a PC to view Netflix content? Yes, it's possible, but it's not the best way.

You're asking why people use a computer...to go visit a website?

No fucking wonder people can't seem to remember that "smart" thing in your hand is also a phone that you talk to other people with, using your voice.

Common sense is rare. Apparently really rare.

Re:As a Roku owner

As a Roku owner this affects me how? Who uses a PC to view Netflix content? Yes, it's possible, but it's not the best way.

Anyone smart enough to figure out how to make an all-in-one media center connect to their TV. Roku is nice for Grandma, but lacks support for a whole host of media types and sources, plus the last time I checked, the interface was pretty crappy.

Re:As a Roku owner

[jedidiah]

Actually, Roku has a Plex client. So it can pretty much handle anything that any PC can.

On the other hand, the crapulence and DRM of Silverlight means that you need much more PC to deal with media that you would otherwise. The same goes for Adobe.

A Roku is cheaper and quieter than the extra horsepower you need from a PC to deal with these crappy web scripting languages.

Re:As a Roku owner

[Lumpy]

No it cant, the PLEX client on roku is a steaming pile. go and run a REAL plex client or better yet XBMC and discover what plex is supposed to be like. and I would LOVE to see your roku play a 1080p 3D file.

Re:As a Roku owner

[Lumpy]

Why? your TV has only one HDMI input? get a apple TV and then build a XBMC box, get yourself a universal programmable remote and call it done. I do not understand the fetish people have with having to only have ONE box. I have 3 and it's awesome. BluRay, AppleTV, XBMC. the Apple TV has the best interface for Hulu and Netflix and is 80X faster than the Roku 3 it replaced. And it has the advantage of not being FILLED WITH AD's like the roku boxes are.

Re:too much Linux

[ApplePy]

Windows is finally usable at last.

And then came Windows 8....

Re:too much Linux

Have ya looked at Apple Launchpad recently? Or maybe you remember At Ease, perhaps? Both of these Apple products look exactly like a Windows 8 Start Screen, thank Apple.

How does this stuff get the green light?

[WD]

1) This has nothing to do with Netflix. I am a Netflix user and I suspect that my Roku is not affected by the vulnerability in question.
2) Silverlight *does* get updated with automatic updates.
3) The vulnerability in question was fixed in March (MS13-022).

Re:How does this stuff get the green light?

Because Slashdot is owned by Dice. The editors have cotton for brains.

Re:How does this stuff get the green light?

[Desler]

That w as true long before the Dice buyout. Do you not remember kdawson? The sad part is that kdawson looks like a genius compared to Timmeh and Unknown Lamer these days...

Disable plugins by default

[CadentOrange]

This is why I have plugins disabled by default and enabled only for certain "trusted" sites. For Silverlight, the only site that can run it is Netflix. This obviously doesn't protect you if your "trusted" site is compromised, but it does mean that browsing to some random website doesn't automatically infect you.

What does this have to do with Netflix?

[EmagGeek]

Sorry, but this is just senseless hyperbole. Malware can be picked up from ANY website, but mentioning Netflix by name is just a design at whipping up a senseless panic.

Fuck you, Slashdot.

No M$ blasting ?

I'm disappointed, leaving.

Proprietary web standards insecure. Film at 11

[LoRdTAW]

"Users of Silverlight, Microsoft's answer to Adobe Flash"

Ah! There's your problem, right there.

WARNING! both TF And the /. title are nothing more than sensationalism. Nothing in TFA, which is quite brief, specifically says Netflix users are being targeted. Only that Netflix uses silverlight which has a vulnerability. Its like saying "Newgrounds (pretend it's 6+years ago and still relevant) users are in danger of being infected with malware" when its all users of flash. *BUT* since silverlight and flash are web technologies which have fallen out of favor, Netflix users are guaranteed to have it installed as it is not included by default with Windows and unnecessary for 99.9999%+ of all web content. I have never installed it and I think only once have I seen a website that needed it. I don't use Netflix either.

Maybe its time Netflix invested in HTML5 and other open, modern, cross platform standards.

Re:Proprietary web standards insecure. Film at 11

[Desler]

Only that Netflix uses silverlight which has a vulnerability.

That was patched in March via auto update... Unknown Lamer and Timmeh continue to show how the Slashdot "editors" are functional illiterates.

Harmony remote configuration stuff too

[Megane]

There is only one reason I have Silverblight installed on my OS X laptop, and that's the (laggy as fuck) Harmony remote configurator. Since that's the only thing I have which uses that crapware, I have the extension disabled in my web browser unless I'm actually using it.

The Harmony remote is such a total piece of crap, and that Silverblight configurator crapplet doesn't make it any better. The best part is when I drop it, its batteries bounce and it resets and thinks all devices are off. Fuck you very much, Logitech. If it weren't for some codes that I couldn't discover otherwise for when I eventually make my own damn remote (someday when I have enough free time), it would be completely worthless to me.

Another explanation

[Zontar_Thing_From_Ve]

I mean if some random shit "security blog" posts a trumped up story to try and get traffic, it is Slashdot's DUTY to repeat it here, with no checking or verification! After all, better everyone is scared of their own shadow than informed about security.

Well, around here there is a massive reading comprehension fail in submitters so that may be a big part of this submission. For example, if someone somewhere writes an article that says basically "Not X. Definitely not X. It may be A-W, Y or Z but it's definitely not X. Anything but X." then the submitter will post and scream "X! They said it was X! The sky is falling! It's X!!!". It does get old.

To STOP the "Angler Exploit Kit"

0.0.0.0 peragretisque.yevgenimalkin.com
0.0.0.0 yevgenimalkin.com

Add those to your hosts file - since "what you can't touch, can't hurt you"...

APK

P.S.=> Easiest & BEST way to build a custom hosts file (that adds more layered security, speed, reliability, & even anonymity (to an extent only on the latter)?

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

Enjoy - she's a 100% freebie & really works + VERY well (especially considering 99% of the servers/hosts-domains used nowadays ARE hostname-domainname based since "fastflux" &/or Dynamic DNS utilizing malware-botnets etc. ARE truly FAST becoming "the norm" & have been in use for years now).

... apk

Silverlight is

[kilodelta]

A flaming piece of shit from the word go. I can't stand it and wish Netflix would just go back to the damned Flash player. I have an older machine and can regular watch Silverlight consume EVERY CPU cycle. It seems to do with network latency - it loses it's mind.

Can't have it both ways.

Netflix Users In Danger of Unknowingly Picking Up Malware / You'd think something like Silverlight would automatically upgrade itself.

You can't have it both ways - you want silverlight updating or you want to stop malware being installed?

(implying silverlight is malware in a sense greater than just software)

Jeez, I frickin' hope so

[doggo]

"You'd think something like Silverlight would automatically upgrade itself."

As intrusive and time consuming as Microsoft updates are, they damn well better be updating Silverlight, FFS.

Sensationalism at its best.

[Java+Pimp]

Seriously, there has to be a better way to down mod articles that make it to the front page. The firehose just doesn't cut it.

Re:Sensationalism at its best.

[Lumpy]

If one of the "editors" like it, firehose means nothing at all.

Re:The dangers of using M$ Windoze keep piling up

[jones_supa]

We get it. You seem like the classic foam-mouthed person who loves Linux and hates everything Microsoft touches. Bonus points for writing "M$ Windoze". Year 2000 called and wants your rant back.

Re:George Zimmerman

[LordLimecat]

Next time, on "Troll vs Troll"...

Re:too much Linux

[jones_supa]

And then came Windows 8....

You can still run Windows 7. It will still be supported for over 6 years.

Re:Silverlight? No Thanks

[jedidiah]

Your attempt at misdirection doesn't alter the obvious facts here.

There's a clear chain of cause and effect here.

Chances are that Microsoft's willingness to turn it's OS for office work into a glorified TV with DRM up to the gills had some impact on a device specifically designed to do things that Hollywood might not approve of.

Silverlight will happily run in a VM. So you could always go that route if you really need to.

Re:too much Linux

[jedidiah]

Windows is monopoly ware.

It's hard NOT to have some experience with it.

Perhaps your employer shoves it down your throat or you have to be the unpaid support tech for friends and family.

Although the idea that we haven't touched WinDOS in 7 or so years is a nice testament to the suitability of Linux. If people can fully turn their back on Microsoft, then the alternatives can't really be so bad then.

Plain simple FUD over Netflix

[CokoBWare]

The problem was with Silverlight, not with Netflix. I think the author's article title is misleading and going to scare a lot of unsavvy Netflix users...

Hmm

Usually you do tend to be wiser and able to discern getting infected with malware via RCE. It tends to involve the host process crashing after executing the injected shellcode.

A classic case of sleep fapping

Dude. You may not be realizing it, but you might be waking up in the middle of night, booting up your laptop, then start fapping to porn until the batteries ran out. Sleep fapping is a serious medical condition and associated with severe skin lesions and soreness. Did it stop doing it after you got a girlfriend? Otherwise you've got to start watching more porn when you are awake.

Why I never installed Silverlight

[EmperorOfCanada]

This is a perfect example of why I never installed Silverlight. Adobe is sloppy enough with their programming, Microsoft tends to take it to the next level of actually hating their customers so I would love to watch Netflix on my Laptop/Desktop but instead don't. I was shocked to see that they were using Silverlight in that I though Netflix had good programmers who knew what they were doing.

Re:Why I never installed Silverlight

[cbhacking]

Either the Flash or Java browser plugins have more exploits discovered each year than Silverlight has in its entire existence... and unlike this one (which was patched over half a year ago), many of those get exploited in the wild as 0-days. Microsoft's security stance is (within the last seven years or so) far, far better than that of either Adobe or Oracle (Sun wasn't much better, at least with browser plugins).

Netflix does, in fact, have a lot of really bright people (don't work there myself, but I know some folks who do). I suspect the only person in this discussion who "[doesn't know] what they were doing" is you.

Re:Why I never installed Silverlight

[EmperorOfCanada]

The simple fact is that silverlight increases the attack space while offering me nothing. You still have to have flash (as do the vast majority) installed in order to access quite a bit of content but this is in a nice decline with HTML5, Java browser plugins are basically dead with just a few fools stuck with legacy code that they are required to use.

Plus I don't trust MS one iota. I don't have MS anything installed on any of my machines. Presently I use Mac and would love to dump even that OS but I too am trapped by some applications that restrict my OS options.

As for your numbers on silverlight security holes, that is like the past when Apple would point out that you basically didn't even need an AV tool. This was due to people going for the low hanging Windows fruit. The same applies to Silverlight; it is an also ran and is priority 200 for black-hat hackers.

As for Netflix, my guess is that the reality is one of two options. One was that their DRM requirements could not easily be met with Flash whereas MS is very much an IP driven company. Or two; in the early days of Netflix there was some sort of relationship between MS and Netflix and the decision was political. The main way that MS has increased Silverlight market share is to get large sports streaming and whatnot to use it forcing the dedicated fans to choke it down so this second guess is my favorite. At this point Netflix probably ignores MS's demands and requests but they are probably somewhat stuck with it.

My last guess is that within a year you will see them toss Silverlight.

Who Minds Nowadays about Malware (After Snowden)

Who cares about specific malware? Thnaks to Snowden we know Internet is Malware by itself.... Without any plugin.

Mod parent up

[cbhacking]

Good, informative post. I've been doing this for years on all my boxes with IE installed, but most people don't even know it's possible.
Note that since IE9, you can also disable/enable ActiveX in general on a per-site basis. Tools -> Safety -> ActiveX filtering to disable it by default. It'll put a little blue icon in end of the address bar when it blocks something; you can click the icon to turn off the filtering for that site only. Less obtrusive than the "do you want to enable <SPECIFIC_ACTIVEX_CONTROL>?" (usually Flash) prompt too, which won't show up until you enable ActiveX for the site.

Come on, if the question got to +4, the answer is worth a few mod points too...

Silverlight won't even work without Malware

[DickBreath]

Doesn't Silverlight require the computer to be infected with Windows?

Silverlight?

That's all one needs to say.

really?

[Lumpy]

People still use netflix on a computer? do these people not own TV's or tablets?

Re:too much Linux

No he cant, because 7 is less than 8 and that doesn't make him feel as good. Must have the highest number or friends will pick on me....

Misleading inflammatory title

[AbominousSalad]

Did Timothy cover Unknown Lamer's shift, using Unknown Lamer's account?

Re:The dangers of using M$ Windoze keep piling up

Hi twitter.

Newsflash : M$ Astroturfer defends M$

Oh you and the chair-throwing ape Sweaty B will never get it. M$ is toast and their monopoly, no matter how much you astroturf for M$ on $lashdot it will never change. M$ thinks non-free software is the way to go when free software is the future. Due to it's use of restricted boot Vista 8.1 (aka "Windoze 'Brick Edition'") is bigger failure than Windoze Vista, Vista 7 and Vista 8 combined. The xbone is poised for a bigger failure than the Nintendo Wii-u.. Internet Exploiter is also finished as free alternatives have surpassed it. The year 2000 called and wants your DRM infested, malware attracting nonfree software back. The justice department should investigate M$ for once again for it's monopolistic practices and revoke their corporate charter.

--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.