Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Obliquely Acknowledges Windows 0-day Bug Published on Twitter (arstechnica.com)

Posted by msmash on from the for-the-record dept.

A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. From a report: The flaw allows anyone with the ability to run code on a system to elevate their privileges to "SYSTEM" level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system. Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule." So, if the flaw is acknowledged (and it's certainly real!) then the company will most likely fix it in a regular update released on the second Tuesday of each month.

1 of 66 comments (clear)

  1. Re:Microsoft OS is insecure by dissy · · Score: 5, Interesting

    I work in IT.

    Everyone loves ChromeOS. And then they ask "so how do i install outlook?" And then they ask "How do I allow this ActiveX control?" And then they ask "How do I install this printer?" And then they ask "is it too late to return these?"

    The only business users who can effectively use Chormebooks are ones where no one is working (i.e. kids using Slack).

    I work in IT too, and I found an excellent use for ChromeBooks. Remote access.

    Both remote desktop and our VPN client are available on the chrome store.
    Full laptop form factor chromebooks run $300, compared to a full fledged windows laptop from HP closer to $1000

    Once VPNed in, you can remote to your desktop or VM instance and do everything you would in the office, except perhaps full multi-monitor support.

    No one asks how to install Outlook because they already have it.
    No one really asks for ActiveX controls either, as the local apps using them have those controls pushed out to IE already, and anything else likely will gain a "no" reply.
    Same for the printers, office printers are installed with clicking a link on our intranet site, and home printers connected to the chromebook are forwarded over remote desktop to print to.

    Plus there are no worries about a windows laptop offsite being joined to the domain.
    No stupid syncing group policy except while logged in, no windows update errors due to not finding the WSUS server, no downloading updates over the VPN when it can find the WSUS server, no locally stored data to secure or backup or worry about being lost, no worries that Windows will expire the local SAM cache and tell the user they can't login to the laptop until after they login to the laptop and VPN in...

    They also have much lower end and simpler chromebook hardware in the $100-200 range.
    Not quite laptop form factor fully, but at a price point to be almost disposable.

    Maybe your infrastructure doesn't allow for this type of setup, and I can only vouch for the Cisco AnyConnect VPN client, but that doesn't mean there are no business use cases for the things.