• conciselyverbose@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    69
    ·
    4 months ago

    The fact that Windows hasn’t solved the “fake extension” scam is wild. You can’t make people not click stuff, obviously. But you absolutely could identify double extensions clearly intended to confuse people and give some kind of “this isn’t a PDF” warning.

    • mememuseum@lemmy.world
      link
      fedilink
      English
      arrow-up
      38
      ·
      4 months ago

      It’s so dumb that Windows hides file extensions by default. They could just flip a toggle.

      • Plopp@lemmy.world
        link
        fedilink
        English
        arrow-up
        29
        ·
        4 months ago

        But don’t you understand how confusing and scary those cryptic three letter strings are to normal people?? 😱

        • Cort@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          4 months ago

          Administrator Plopp, what do I do if it has a 4 letter extension? That .jpeg is a virus right?

          -sincerely, The dumbest user you know

          • Plopp@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            4 months ago

            Oh shit. Yes. I need you to press Ctrl+Alt+Del while pulling the power cord or else the virus will steal your RAM and upload your printer to a criminal server in the cloud!

        • GreenBottles@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          4 months ago

          It’s not the 90’s anymore. There’s no excuse for not having basic understanding of the tools you use in life.

          • Plopp@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            4 months ago

            Where have you been for the past decade? The trend is the exact opposite. Dumb everything down until there’s nothing left to understand, in the name of “usability”.

    • 𝕸𝖔𝖘𝖘@infosec.pub
      link
      fedilink
      English
      arrow-up
      37
      ·
      edit-2
      4 months ago

      They’re too busy finding new ways to inject telemetry and ads into your os, and degrade your experience. It takes a lot of resources to do this.

      Edit: ‘to’ to ‘too’. I blame fatigue.

    • GreenBottles@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      4 months ago

      When MS chose to hide file extensions by default I fucking lost my mind because of the malware\virus implications… idiots.

  • BigDanishGuy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    4
    ·
    4 months ago

    If it’s a zero day then Microsoft didn’t know about it. If Microsoft knew about the exploit for a year it was not a zero day.

    • Echo Dot@feddit.uk
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      11
      ·
      4 months ago

      Zero Day just means that you have zero days to fix it before it becomes a problem. Doesn’t mean that you actually take zero days to fix it.

      • BigDanishGuy@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        5
        ·
        4 months ago

        What? No it doesn’t, it means that the exploit has been known for zero days, aka it’s an unknown exploit.

        • Grimy@lemmy.world
          link
          fedilink
          English
          arrow-up
          19
          ·
          4 months ago

          A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

          From wiki

        • AceBonobo@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          4 months ago

          My understanding, zero day means when the exploit was discovered it was already being used in the wild. This is different from an exploit discovered by a bounty program or by security researchers.

  • reddig33@lemmy.world
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    1
    ·
    edit-2
    4 months ago

    Well by all means then, let’s run our governments and banks on Windows! 🙄

  • Wooki@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    1
    ·
    edit-2
    4 months ago

    Microsoft has proven time and time again security is not a priority. Cloud profit mattered more than the security of the public and public services as sunburst proved.

    This should not come as a surprise.

  • Treczoks@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    4 months ago

    The three letter agencies probably knew about this, too, but either didn’t tell Microsoft, or forbid them to fix it.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    7
    ·
    4 months ago

    This is the best summary I could come up with:


    Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.

    The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned in 2022 after its aging code base made it increasingly susceptible to exploits.

    The company fixed the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program.

    The link, however, incorporated two attributes—mhtml: and !x-usc:—an “old trick” threat actors have been using for years to cause Windows to open applications such as MS Word.

    “From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated,” Haifei Li, the Check Point researcher who discovered the vulnerability, wrote.

    “The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application.


    The original article contains 616 words, the summary contains 170 words. Saved 72%. I’m a bot and I’m open source!

  • EpicFailGuy@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    3
    ·
    4 months ago

    Yall remember eternal blue? no? only me?

    Yeah … im never putting any of Micro$oft products on anything I need to be secure … ever

    • lud@lemm.ee
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      4 months ago

      Remember regreSSHion?

      All software has serious security vulnerabilities.

      • EpicFailGuy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        RegreSSHion is overblown … it was quickly patched and it was not reliably reproducible every time. It depended on “Luck” to have pointer fall on the right memory space in order to allow the code execution.

        I think Terrapin was much much worse … and log4j … log4j was a DISASTER … but point taken.

        I wasn’t shrilling my choice of OS tho, I think eternal blue is a lot worse than those other CVEs because the NSA KNEW about it and did not disclose it, and because Windows has a much wider user base of clueless users that easily fooled.

        • lud@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          Yeah, I just took the most recent one as an example.