Thread: Check your Windows 10 block settings
View Single Post
  #82   Report Post  
Posted to alt.home.repair
Mayayana Mayayana is offline
external usenet poster
  
Posts: 1,033
Default Check your Windows 10 block settings
| Have you ever read the descriptions for the updates windows
| pushes? Ever notice how many claim to be to fix a "security
| vulnerability"?
|
| This is the polite way of saying the developer screwed up and
| didn't anticipate someone MISUSING the code he wrote. How
| does someone misuse code? Ans: they present it with "inputs"
| that have been crafted to exploit unexpected patterns in
| that data. I.e., violating basic ASSUMPTIONS that the developer
| made -- inappropriately.
|

That's an interesting point. If you look into the
details of those fixes you'll find, in the vast majority
of cases, that it's like your PDF, MP3 and MP4 issues:
The actual hack involves javascript. Microsoft doesn't
generally focus on that because they're a big
corporation trying to "monetize" the Web. They don't
want people disabling javascript. They even play
down ActiveX. IE always depended on ActiveX. MS
just couldn't afford to write the truth: "Warning!
New IE attack! You should disable ActiveX because
ActiveX is dangerous. It was a big mistake. Sorry."

Instead they have a section, way down the page,
titled "workarounds", in which they beat around the bush.

The javascript issue is like the elephant in the room.
It's obvious to anyone who takes a look. It's common
sense that executable code in webpages can never
go along with security. But nobody wants to hear
that. The website owners want "rich content" and
trackability. The visitors want convenience.

You've brought out a lot of interesting points in this
discussion with your devil's advocate style of discussion,
but I think that at some point that misses the point.
You're making a big deal out of the rare exception.
Javascript is by far the biggest problem. Maybe 90%.
Almost all the rest is things like Java, or maybe an
occasional MS Office attack that doesn't need script.
The data is online. Cisco put out a report awhile back,
for instance. Anyone can read it for themselves:

http://www.cisco.com/web/offers/pdfs/cisco-msr-2015.pdf

0-day browser hacks, used by everyone from the NSA
to Russian criminals, are also mainly javascript issues.
Typically it's javascript running in an iframe. Cross site
scripting.

Script, script and more script. To keep focusing on
the .5% that's not script related, and that is highly
unlikely in the first place, is to skew the facts. (The
VLC player vulnerability is good to know about, but
it's very unlikely to ever be a risk. It's unlikely to ever
even be exploited, because VLC isn't widely distributed.
Even if it were exploited, I don't use it online. (Likewise,
I would never install a PDF browser plugin.) And there's
also context: Exploiting VLC would require that I
download a video from a dubious source.

What makes Adobe's stuff so bad is threefold:

1) Adobe has a bad habit of jacking up functionality
with javascript at the cost of security.

2) Adobe has a long history of trying to create a
proprietary Web by force-installing their plugins.
(Acrobat Reader installs the PDF browser plugin,
with Adobe pretending that PDF is a webpage
format.)

3) Adobe has been very successful at flooding the market
in attempts to make their products ubiquitous. Acrobat
Reader is nearly universally installed because they've been
giving it away like grocery store coupons since the 90s.
Flash is also nearly universal.

Those three things have resulted in the vast majority
of people having Flash and Acrobat Reader *and* with
both running in the browser. That's an important distinction.
Their ubiquity, their use of script, and the fact they run
in the browser, all combine to make them the most
common attack targets.

*Not using the most popular brand is one of the best
security measures because it's not a good strategy
for hackers to target software with a limited market.*

| I've never heard of any vulnerability in HTML.
|
| Thirty seconds with google: CVE-2014-6332
|

Another 30 seconds turns up this:

"This vulnerability can be exploited using a specially-crafted web page
utilizing VBscript in Internet Explorer."

https://www.us-cert.gov/ncas/alerts/TA14-318B

It's an IE-specific bug, requiring script. It has nothing
to do with HTML. (No one should *ever* use IE online
in the first place. It's too closely linked into Windows.)

This is what I mean about your devil's advocate
approach. You're trying to find any tiny exception to
the rule. A tiny exception does not negate the rule.
And what you're finding are not even exceptions.
By trying to carry out a good debate you're obscuring
the one critical point: The single best thing you can
do, by far, is to disable javascript. No other security
measure, even using anti-virus software, comes close
to the protection afforded by disabling script.


Reply With QuoteReply With Quote