
Just days after the monthly Patch Tuesday Windows security update, unpatched zero-day vulnerabilities in a core Windows system file have been publicly disclosed. Every month, Microsoft fixes a batch of security vulnerabilities across its product range on Patch Tuesday. The latest round of fixes has already been and gone, addressing a total of 111 security vulnerabilities. Sixteen of these were rated as critical, and, crucially, there were no zero-days. A zero-day vulnerability is one that remains unpatched by the vendor, leaving a window of opportunity for those who would exploit it in a zero-day attack. That's the good news. The bad news is that no fewer than four new zero-days affecting Microsoft Windows have now been publicly disclosed. Three of them impact a core Windows system file.

Trend Micro's Zero Day Initiative (ZDI) is a bug bounty program founded in 2005 which encourages the reporting of zero-day vulnerabilities by financially rewarding security researchers. "We make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw, which leaves researchers free to go find other bugs," the About ZDI page states. It also says that no technical details about any vulnerability are made public until the vendor has released a patch. ZDI gives vendors a 120-day window in which to address the vulnerability, after which a "limited advisory," which includes mitigation advice, is published if a patch has not been forthcoming.

The Microsoft Windows zero-days that were publicly disclosed in this fashion on May 19 mostly impact a core Windows system file called splwow64.exe, which is a printer driver host for 32-bit apps. The Spooler Windows OS (Windows 64-bit) executable enables 32-bit applications to be compatible with a 64-bit Windows system. CVE-2020-0915, CVE-2020-0916, and CVE-2020-0986 all impact that splwow64 Windows system file. All three are classified as high on the CVE severity scoring system with a 7.0 rating.

If exploited by an attacker, these vulnerabilities would allow them to escalate privileges on the targeted Windows computer. "The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer," the ZDI advisory states. "An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity." Learn more about this zero-day vulnerability by visiting OUR FORUM.
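The flaw class the ZDI advisory describes, a higher-integrity host process dereferencing a value supplied by a lower-integrity client as if it were a pointer, is modelled below in a constructed example added here; it is not splwow64 code and the message layout, table and function names are assumptions. The unvalidated lookup is shown beside the validated form, where the value is treated as an index into a table the host owns and is bounds-checked before anything is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class, not splwow64 code: a higher-integrity
 * host receives a message from a lower-integrity client and uses a
 * client-controlled value to locate the print job it should work on. */
struct print_job {
    char name[32];
    int  pages;
};

struct client_msg {
    uint64_t job_ref;   /* client-controlled: a raw pointer in the bug, an index in the fix */
};

/* Jobs the host itself created; only these should ever be reachable. */
static struct print_job g_jobs[4];
#define NUM_JOBS (sizeof g_jobs / sizeof g_jobs[0])

/* Vulnerable pattern: the host treats the client-supplied value as a pointer
 * and dereferences it. A NULL check is the only validation, so any other
 * value is trusted and read in the host's (medium-integrity) context. */
int job_pages_unvalidated(const struct client_msg *m) {
    const struct print_job *job = (const struct print_job *)(uintptr_t)m->job_ref;
    if (job == NULL) return -1;
    return job->pages;           /* uncontrolled dereference */
}

/* Hardened pattern: the value is an opaque index into a table the host owns.
 * It is bounds-checked, and the slot must be in use, before anything is
 * read. Anything else is rejected rather than dereferenced. */
int job_pages_validated(const struct client_msg *m) {
    if (m->job_ref >= NUM_JOBS) return -1;       /* out of range: reject */
    const struct print_job *job = &g_jobs[m->job_ref];
    if (job->name[0] == '\0') return -1;         /* unused slot: reject */
    return job->pages;
}

/* Host-side helper (assumed) that registers a job and returns its index. */
int host_add_job(const char *name, int pages) {
    for (size_t i = 0; i < NUM_JOBS; i++) {
        if (g_jobs[i].name[0] == '\0') {
            strncpy(g_jobs[i].name, name, sizeof g_jobs[i].name - 1);
            g_jobs[i].pages = pages;
            return (int)i;
        }
    }
    return -1;
}
```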

Huawei Technologies Co. warned the latest U.S. curbs on its business will inflict a “terrible price” on the global technology industry, inflaming tensions between Washington and Beijing while harming American interests. China’s largest technology company said it will be “significantly affected” by a Commerce Department decree barring any chipmaker using American equipment from supplying Huawei without U.S. government approval. That means companies like Taiwan Semiconductor Manufacturing Co. and its rivals will have to cut off the Chinese company unless they get waivers -- effectively severing Huawei’s access to the cutting-edge silicon it needs for smartphones and networking gear.

Washington’s decision drew condemnation from Beijing, which regards Huawei as a national champion because of its success in dominating global networking technology. China and Huawei have threatened retaliation, but Rotating Chairman Guo Ping on Monday refrained from commenting on a possible Beijing response -- a departure from just two months ago, when the company warned Washington risked opening a “pandora’s box” and Chinese countermeasures if it chose to go ahead with additional restrictions. “Our business will significantly be impacted,” Guo said at a company briefing with analysts in Shenzhen. “Given the changes in the industry over the past year, it dawned on us more clearly that fragmented standards and supply chains benefit no one. If further fragmentation were to take place, the whole industry would pay a terrible price,” he added. Huawei is still assessing the potential fallout of the latest restrictions and couldn’t predict the impact on revenue for now, Guo said. On Monday, a swathe of Huawei’s suppliers, from TSMC to AAC Technologies Holdings Inc., plunged in Asian trading.

Guo was far less vocal than colleague Richard Yu, who runs the consumer division responsible for smartphones. The outspoken executive said the restrictions that ostensibly aim to allay U.S. cybersecurity concerns are really designed to safeguard American dominance of global tech. “The so-called cybersecurity reasons are merely an excuse,” Yu, head of the Chinese tech giant’s consumer electronics unit, wrote in a post to his account on the messaging app WeChat earlier on Monday. “The key is the threat to the technology hegemony of the U.S.” posed by Huawei, he added. Yu also posted a link to a Chinese article circulating on social media with part of its headline asking: “Why Does America Want to Kill Huawei?” Follow this and more news on Huawei on OUR FORUM.

Microsoft president and chief legal counsel Brad Smith has taken his turn at admitting Microsoft's former stance on open source put it on the "wrong side of history". In 2001, former Microsoft CEO Steve Ballmer famously said, "Linux is cancer that attaches itself in an intellectual property sense to everything it touches." Shortly after that, and for the same reason, Microsoft co-founder Bill Gates described the open-source GPL (GNU General Public License) as "Pac-Man-like". Ballmer has since made peace with open source, and now Smith, who was one of Microsoft's top lawyers during its war on open source, has admitted he too was wrong about its approach to technology.

"Microsoft was on the wrong side of history when open source exploded at the beginning of the century, and I can say that about me personally," he said in a talk about hot computing topics at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). "The good news is that, if life is long enough, you can learn … that you need to change." Of course today – with an eye on cloud developers and as the owner of the code-sharing site GitHub – Microsoft approaches open source completely differently, even shipping Windows 10 with a custom Linux kernel for developers who use the Windows Subsystem for Linux. "Today, Microsoft is the single largest contributor to open-source projects in the world when it comes to businesses," said Smith. "When we look at GitHub, we see it as the home for open-source development, and we see our responsibility as its steward to make it a secure, productive home for [developers]."

Smith also said that in 2013 President Obama warned top execs from Google, Microsoft, Apple, and Facebook that they too would soon face scrutiny over privacy. Obama made the prediction at a roundtable with tech executives who were pushing for surveillance reforms following Edward Snowden's NSA leak, reminding them that they held more data about people than the government did. Smith said the "political watershed moment" arrived with the Cambridge Analytica scandal, which affected tens of millions of Facebook users and resulted in huge fines for Facebook. Tune into OUR FORUM to learn more.