Microsoft Obliquely Acknowledges Windows 0-day Bug Published on Twitter (arstechnica.com)
A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. From a report: The flaw allows anyone with the ability to run code on a system to elevate their privileges to "SYSTEM" level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system. Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule." So, if the flaw is acknowledged (and it's certainly real!) then the company will most likely fix it in a regular update released on the second Tuesday of each month.
Unless there's more than is in the summary, the headline should read "Microsoft does not Acknowledge Windows 0-day Bug Published on Twitter".
http://www.geoffreylandis.com
As soon as Adobe makes a Linux build of their suite I'll switch over. Might as well call up SolidWorks and Pro/E while you're at it.
Only the State obtains its revenue by coercion. - Murray Rothbard
Exactly. Nerds need to learn that users care about applications not the OS. It's why so many are fine with ChromeOS despite it being "not real Linux" which is only of concern to dorks.
If you see the comments and write-up in the documents and demo he released, it's fairly easy to exploit. In lay terms: the Task Scheduler reads/writes to a location as SYSTEM and you can ask it to write any permissions to that file. Since the location of that file is publicly accessible for everyone, you could replace a job file with a DLL and then the system will write permissions for it to be executable as SYSTEM.
Custom electronics and digital signage for your business: www.evcircuits.com
I work in IT.
Everyone loves ChromeOS. And then they ask "so how do I install Outlook?" And then they ask "How do I allow this ActiveX control?" And then they ask "How do I install this printer?" And then they ask "is it too late to return these?"
The only business users who can effectively use Chromebooks are ones where no one is working (i.e. kids using Slack).
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
Windows 10 will soon force monthly charges.
Basically, if there is a monthly charge for Windows 10, Microsoft will make more money if there are more bugs in updates. They will apparently fix the bugs only for those who are paying monthly.
I work in IT too, and I found an excellent use for ChromeBooks. Remote access.
Both remote desktop and our VPN client are available on the chrome store.
Full laptop form factor Chromebooks run $300, compared to a full-fledged Windows laptop from HP closer to $1000.
Once VPNed in, you can remote to your desktop or VM instance and do everything you would in the office, except perhaps full multi-monitor support.
No one asks how to install Outlook because they already have it.
No one really asks for ActiveX controls either, as the local apps using them have those controls pushed out to IE already, and anything else likely will gain a "no" reply.
Same for the printers, office printers are installed with clicking a link on our intranet site, and home printers connected to the chromebook are forwarded over remote desktop to print to.
Plus there are no worries about a windows laptop offsite being joined to the domain.
No stupid syncing group policy except while logged in, no windows update errors due to not finding the WSUS server, no downloading updates over the VPN when it can find the WSUS server, no locally stored data to secure or backup or worry about being lost, no worries that Windows will expire the local SAM cache and tell the user they can't login to the laptop until after they login to the laptop and VPN in...
They also have much lower end and simpler chromebook hardware in the $100-200 range.
Not quite laptop form factor fully, but at a price point to be almost disposable.
Maybe your infrastructure doesn't allow for this type of setup, and I can only vouch for the Cisco AnyConnect VPN client, but that doesn't mean there are no business use cases for the things.
Questions:
1) Do you think Microsoft won't begin charging everyone later? That's what Adobe Systems did after releasing Creative Suite version 6. It is now Adobe Creative Cloud.
2) Will "business users" want Microsoft to have more control over their computers?
and AutoDesk and MasterCAM, let's move the whole industry over
So switch to Mac, there is a build of their suite available there.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And also a lot more secure, if a remote user connects them to a random free wifi network the chance of them being compromised and becoming a foothold on your corporate network is massively reduced.
A corporate Windows (or macOS to a lesser degree) laptop connecting to a third-party wireless network often leaks a LOT of information at the network level (e.g. it tries to perform DNS lookups for your internal domain), and often contains a lot of data that can be extracted. A Chromebook will do none of these things, and is far less likely to be compromised in any case.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!