Posted on 06/15/2016 6:01:38 PM PDT by Utilizer
Microsoft is today closing off a vulnerability that one Chinese researcher claims has probably the widest impact in the history of Windows. Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.
According to Yang Yu, founder of Tencent's Xuanwu Lab, the bug can be exploited silently with a near-perfect success rate, as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target's web use, granting the hacker Big Brother power, as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft's bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.
"Even security software equipped with active defense mechanisms are not able to detect the attack," Yu told FORBES. "Of course it is capable of execute malicious code on the target system if required."
Yu, who is one of only three ever recipients of more than $100,000 Microsoft bounty, said there are myriad ways a hacker could exploit the flaw. "This vulnerability can be exploited through Edge, Internet Explorer, Microsoft Office and many other third-party software on Windows," Yu added. "It can also be exploited through web servers or even through thumb drives: insert the thumb drive into one of the ports on the system and the exploitation is complete."
(Excerpt) Read more at forbes.com ...
Or is still up at 1:20AM posting about it. :-)
I'm blessed with a good bit of energy and God willing that will continue. True, I've got hypertension (take 4 meds daily), and my feet went bad from peripheral neuropathy 7 years ago, and I have terrible tinnitus and wear hearing aids. And I'm slowly going bald. But I still play in two rock bands (lead guitar in one, bass in the other), eat raw fish and hot-hot Thai food and (like right now) devour sharp Pecorino Romano by the slice. I'm convinced that's what makes it all possible. God has blessed me beyond what I deserve.
I heartily accept the moniker "Old Fart"!
Like they say, "Yer only as old as ya feel". I hope you are likewise feeling well (and young) this evening. Cheers!
Absolutely, Pelham. It has been a struggle to get otherwise computer-literate user friends to understand that smart intruders have lots of invisible mechanisms to get a little executable routine onto your machine. If you run with administrator privilege, or are admin or superuser in Linux, an executable will be created with implicit administrator privileges, meaning the power not only to quietly take over your machine, but to worm its way into any machine on your local network, and potentially other networks. Create a special user with admin privilege and, after you have carefully written the new password into half a dozen books, Post-its, and on your dog’s collar, demote your normal account, the one you use for browsing and email, into a standard user account. Someday, if you don’t, you may learn the hard way why you should have done this.
A bit of trivia: When I first attended a Microsoft conference for driver writers (I too worked for DEC), about five minutes into the first code example I realized, and said to my neighbor, “Heh, that’s VMS”. He said “you didn’t know”? I should have. Dave Cutler, the brilliant architect of DEC’s RSX 11M, VMS, and ELN (which no one remembers, but which anticipated message passing real time systems by twenty years), resigned from DEC and started his own company. DEC bought him back. He tried again, and I believe there was a third time. Bill Gates was no dummy, not an architect, but understood Cutler’s value, a legend to DEC engineers, and bought him while the buying was good.
Cutler got his opportunity to execute his dream, no secret to those of us in engineering, of making VMS the world standard. Microsoft paid DEC 600 or 700 million dollars to indemnify Microsoft. Dave turned VMS into Windows NT, with similarities such that I had to look hard to find some minor functional differences (the scheduler), most resulting from the desire to retain executability of most DOS programs. Backwards compatibility was not new to Cutler and his team since they designed VMS to execute 16 bit PDP 11 code from its introduction, though it executed on the 32 bit VAX architecture.
VMS was one of the most robust minicomputer operating systems ever built, and significantly surpassed VxWorks in our lab, a “real time” operating system executing on the same hardware, to the first instruction in an interrupt service routine. VxWorks didn’t even have a file system to slow things down. (It was process context switch latency in VxWorks where Cutler and team minimized saved context).
Cutler provided more hardware independence than he was allowed to put into VMS because DEC was a hardware company which had made billions selling VAX-processor-based systems. Windows NT ran on X86, MIPS, Motorola, Alpha, VAX and Sparc (in the lab), and several other processor platforms fading from my memory. Making money isn’t easy, but Microsoft was a software company while DEC lost money maintaining VMS, not unlike Xerox, who created the “Windows” interface, but had no reason not to let Apple borrow it to improve their early PCs.
I’ve found VMS code in Unix and System V Unix source. Microsoft Windows isn’t without flaws. Unlike Apple, Microsoft published its IDEs (integrated development environment) because much of its revenue came/comes from selling its development environment, which required supporting the hardware that others made their livings writing code for and building hardware peripherals which use standard interfaces. I faced that several times when medical systems I was developing could have used the nice displays Apple produced, but Apple wouldn’t expose their hardware or software interfaces. Apple wasn’t just eliminating competition, which was one result. I understood; Apple’s revenue came from publishing systems while OEMs are forced to preserve and support interfaces they support, a considerable expense, particularly when developers have a tendency to jump to other companies and sloppy developers don’t leave documentation sufficient to fix their mistakes to understand how to extend what they’ve built.
Microsoft is now making most of its libraries open source. Your smart phone may have a quad processor that executes at 2000 or more times the speed of a VAX, and the smart phone comes with 64 gigabytes of relatively high speed memory, 64 thousand times the amount of memory used by 200 students at the University I attended, all with accounts on the same refrigerator-sized VAX. Android or iOS or MacOS, or Linux can save lots of effort by using a function already written, with a well-defined interface and accompanied by source code on “NuGet.org”.
Microsoft doesn’t make much profit from selling Windows (essentially the same kernel called Windows NT 3.1 is at the core of Windows 10, but with some carefully architected extensions over its life of more than two decades). The NT kernel now runs on wearable platforms, smart devices, even if Microsoft is late to the smart phone market, embedded controllers of all kinds, and in the servers managing Lois Lerner’s politically lost emails distributed on multiple Outlook archives around the world. The “Cloud” business, “Azure”, seems to be the focus for future revenue, but the Windows Kernel will only get more secure and more robust, such as the new partitioning of the kernel to make it even less vulnerable.
Windows update is a remarkable system which supplies patches, usually without requiring a reboot, constantly being improved by engineers whose careers depend upon being excellent, both disciplined and quick. Don’t be confused by rumors spread by unsupported opinions. Let Microsoft protect your data by providing patches for vulnerabilities which they must fix.
I don’t work for them, but have been designing systems for almost two decades that depend upon their discipline. Many of my DEC colleagues did/do work for them. Microsoft is now supporting Linux, iOS, Android, and MacOS with their open source libraries on all sorts of new hardware platforms including Qualcomm, ARM, and many other embedded processors, while providing free access to supported Visual Studio for developers.
And bulletin boards vs. web sites....
bkmk
You have a fascinating background.
I have a friend who spent his career in Silicon Valley beginning back in the day when it was staffed entirely with American engineers. He too was a huge fan of DEC and VMS and once told me about how it was the basis of WNT, albeit without the detail of your excellent history. And while I’m a computer novice I enjoy learning about this stuff.