Channel

Google reveals bug Microsoft says is mere gnat

Chocolate Factory says Redmond can't be bothered fixing hard-to-exploit flaw

Darren Pauli Tue 20 Jan 2015 // 23:28 UTC

Google has reported a local file flaw affecting Windows 7 and 8.1 32 and 64 -bit systems in the third vulnerability dropped since a spat with Microsoft erupted last week.

The vulnerability that allowed a malicious Server Message Block version 2 server to force a client to open arbitrary local files was marked high severity by researcher James Forshaw and led to information disclosure but would not be patched by Microsoft.

"Microsoft have concluded that the issue does not meet the bar of a security bulletin," Foreshaw said in an advisory.

"They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature."

The new disclosure followed a Google bug notice issued last week affecting Windows 7 and 8.1 and leading similarly to information disclosure.

Google appears determined to continue revealing vulnerabilities on its 90-day schedule, despite that policy ruffling Redmond's feathers.

Google's Forshaw said the new flaw isn't easy to exploit, .

"[Exploitation] allows a malicious SMBv2 server to force a client to open arbitrary local files," Forshaw said.

"For example it might be possible to serve a HTML file from the share and use XMLHttpRequest to access local files through this vulnerability. Also even though mount points are supposed to only be used with directories once the buffer is in the object manager it doesn't make such a distinction, so this can be used to open files or directories." ®

26 Comments

Broader topics

Narrower topics

Corrections Send us news

Other stories you might like

Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more

Glitch is spilling private data and there's not much Apple users can do about it

Laura Dobberstein Mon 17 Jan 2022 // 18:31 UTC

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers.
The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository.
As of 28 November last year, the issue had not been fixed, so the team at Fingerprint JS decided to make the finding public to encourage the expedition of its repair.

Continue reading
Buy 'em by the punnet: Raspberry Pi offers RP2040 chips in bulk

'Reel'-y cheap – like $0.70 a pop

Liam Proven in Prague Mon 17 Jan 2022 // 17:28 UTC

If you only need the smallest of Raspberry Pi chips, but you need a lot of them, you can now buy the gang's RP2040 microcontrollers directly from the ~~farm~~ supplier in lots of 500 or 3,400.
Because the Raspberry Pi range is so cheap, people use lots of them – even in places where a complete Linux computer is arguably overkill. That's probably why, this time last year, the Raspberry Pi Foundation launched the Raspberry Pi Pico, a $4 device based around the RP2040 microcontroller – its first in-house CPU design.
The end-user version of the Pi Pico is a tiny PCB containing the RP2040 system-on-a-chip (SoC) and 2 MB of flash memory. (The board is a hair over 2×5cm, so only slightly bigger than an old-style DIP chip such as a Z80.) The RP2040 is still an ARM, but a tiny one: a dual-core 133 MHz Cortex M0+, plus 264 kB of RAM.

Continue reading
Ukraine blames Belarus for PC-wiping 'ransomware' that has no recovery method and nukes target boxen

And for last week's digital graffiti operations, too

Gareth Corfield Mon 17 Jan 2022 // 16:24 UTC

After last week's website defacements, Ukraine is now being targeted by boot record-wiping malware that looks like ransomware but with one crucial difference: there's no recovery method. Officials have pointed the finger at Belarus.

Continue reading

Move over exoplanets, exomoons are the next big thing

Is that an extremely large moon we see outside the solar system, astro-boffins ask themselves

Lindsay Clark Mon 17 Jan 2022 // 15:25 UTC

Scientists have spotted a new candidate for a moon existing outside of our solar system, with only a 1 per cent chance the observation could be an anomaly.
More than 4,000 exoplanets have been mapped since the first was found in 1992. Although the finding of worlds beyond the Earth's immediate star system generated much excitement at the time, exoplanets are not so rare a discovery in recent years: US space agency NASA once found 700 in a single haul.
However, the existence of moons outside the solar system has yet to be confirmed. Going with the thinking that there's nothing particularly special about our own solar system, which is host to more than 200 moons, then we might assume they are also commonplace elsewhere.

Continue reading
Cloud spending back to business as usual at end of 2021: Slight slowdown was a blip due to overprovisioning

IDC figures suggest providers had extra inventory to shift after pandemic panic

Dan Robinson Mon 17 Jan 2022 // 14:29 UTC

Spending on compute and storage infrastructure for the cloud rose by 6.6 per cent during the last quarter following a cooldown in the middle of 2021 due to overprovisioning by cloud providers in response to the pandemic.
The figures come from IDC's latest worldwide quarterly enterprise infra tracker that traces buyer and cloud deployment. The report shows that spending on compute and storage infrastructure products increased to $18.6bn during the third quarter of fiscal 2021.
This resumes the underlying trend of net positive year-on-year spending growth in each quarter, which, according to IDC, saw a dip in the second quarter of 2021 when spending actually decreased by 1.9 per cent.

Continue reading
Umbrella company Parasol Group confirms cyber attack as 'root cause' of prolonged network outage

'Malicious activity on our network' spotted, says CEO, as some contractors say they've still not been paid

Paul Kunert Mon 17 Jan 2022 // 13:28 UTC

Umbrella company Parasol Group has confirmed why it shut down part of its IT last week: it found unauthorised activity from an intruder.
As reported by us on Friday, the umbrella company's MyParasol portal, where timesheets are submitted, was not accessible due to a multi-day outage starting on 12 January, impacting the processing of payroll.
Tech freelancers suspected a cyberattack was to blame for the blackout and sure enough the Group wrote to customers at the close of last working week to explain in more detail what had happened.

Continue reading

Email blocklisting: A Christmas gift from Microsoft that Linode can't seem to return

Sorry, that IP address is on the naughty step

Richard Speed Mon 17 Jan 2022 // 12:24 UTC

Microsoft appears to have delivered the unwanted Christmas gift of email blocklisting to Linode IP addresses, and two weeks into 2022 the company does not seem ready to relent.
Problems started as large chunks of the world began packing up for the festive period. Complaints cropped up on Linode's support forums when customers began encountering problems sending email to Microsoft 365 accounts from their own email servers.
On that thread, a Linode staffer acknowledged there was an issue and suggested a number of alternative third-party email services as a stopgap as well as saying: "Microsoft has acknowledge[d] the problem and looking into it [sic]."

Continue reading
Epoch-alypse now: BBC iPlayer flaunts 2038 cutoff date, gives infrastructure game away

Nobody expects the Linux malposition, do they, Michael Palin?

Liam Proven in Prague Mon 17 Jan 2022 // 11:34 UTC

Feeling old yet? Let the Reg ruin your day for you. We are now substantially closer to the 2038 problem (5,849 days) than it has been since the Year 2000 problem (yep, 8,049 days since Y2K).
Why do we mention it? Well, thanks to keen-eyed Reg reader Calum Morrison, we've spotted a bit of the former, and a hint of what lies beneath the Beeb's digital presence, when he sent in a snapshot that implies Old Auntie might be using a 32-bit Linux in iPlayer, and something with a kernel older than Linux 5.10, too.
That 2020 kernel release was the first able to serve as a base for a 32-bit system designed to run beyond 03:14:07 UTC on 19 January 2038.

Continue reading
Edge computing set for growth – that is, when we can agree what it is

Analyst predicts double-digit percentage uptick in '22

Dan Robinson Mon 17 Jan 2022 // 10:28 UTC

Worldwide spending on edge computing is expected to see double-digit growth this year, according to new figures from analyst IDC.
It also predicted investments in edge will reach $176bn in 2022, an increase of 14.8 per cent over last year.
"Edge computing continues to gain momentum as digital-first organisations seek to innovate outside of the data centre," IDC research vice president Dave McCarthy said in a statement, adding that the diverse needs of edge deployments have created a market opportunity for technology suppliers, increasingly through partnerships and alliances.

Continue reading
Open source, closed wallets, big profits – nobody wins the OSS rock, paper, scissors game

Stop horsing around. Pony up

Rupert Goodwins Mon 17 Jan 2022 // 09:30 UTC

Opinion There's much talk of the Open Source Sustainability Problem. From individual developers to Google's White House lobbying, the issue seems simple but intractable. Is the willingness of volunteer coders a solid enough basis for the long-term health of essential infrastructure?
This is, of course, balderdash. It's not an open source problem, it's a software problem. All software needs resources to adapt as the working environment changes, resources the changed environment may not provide. Look how many out-of-support versions of Windows still limp on like superannuated footy players in the Sunday leagues.
According to StatCounter, as of December 2021, one in seven PCs still runs Windows 7. One in 200 is on XP. Try getting Microsoft to update either.

Continue reading
Planning for power cuts? That's strictly for the birds

Please Mr Hitchcock, no more. The UPS can't take it

Richard Speed Mon 17 Jan 2022 // 08:34 UTC

Who, Me? "Expect the unexpected" is a cliché regularly trotted out during disaster planning. But how far should those plans go? Welcome to an episode of Who, Me? where a reader finds an entirely new failure mode.
Today's tale comes from "Brian" (not his name) and is set during a period when the US state of California was facing rolling blackouts.
Our reader was working for a struggling hardware vendor in the state, a once mighty power now reduced to a mere 1,400 employees thanks to that old favourite of the HR axe-wielder: "restructuring."

Continue reading

ABOUT US

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Do not sell my personal information Cookies Privacy Ts&Cs

Topics

Resources

Situation Publishing

Get our Weekly newsletter

Channel

Google reveals bug Microsoft says is mere gnat

Chocolate Factory says Redmond can't be bothered fixing hard-to-exploit flaw

Similar topics

Broader topics

Narrower topics

Other stories you might like

Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more

Buy 'em by the punnet: Raspberry Pi offers RP2040 chips in bulk

Ukraine blames Belarus for PC-wiping 'ransomware' that has no recovery method and nukes target boxen

Move over exoplanets, exomoons are the next big thing

Cloud spending back to business as usual at end of 2021: Slight slowdown was a blip due to overprovisioning

Umbrella company Parasol Group confirms cyber attack as 'root cause' of prolonged network outage

Email blocklisting: A Christmas gift from Microsoft that Linode can't seem to return

Epoch-alypse now: BBC iPlayer flaunts 2038 cutoff date, gives infrastructure game away

Edge computing set for growth – that is, when we can agree what it is

Open source, closed wallets, big profits – nobody wins the OSS rock, paper, scissors game

Planning for power cuts? That's strictly for the birds

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

SIGN UP TO OUR DAILY NEWSLETTER