Two Windows vulnerabilities, one a 0-day, are under active exploitation

McTurkey

Ars Tribunus Militum
2,260
Subscriptor
Upvote
44 (51 / -7)
At first I got the impression that the vulnerability was that existing shortcuts could be tricked to point to malicious files, and the solution is to disable automatic repair of broken links.

Instead, it's about clicking a malicious shortcut that does arbitrary code execution. Except, arbitrary code execution is an intended feature and the vulnerability is that the extra commands are not visible in the shortcut target property.

In the end, what is the actual workaround? A warning when opening a shortcut for the first time?
 
Upvote
12 (12 / 0)

ChrisSD

Ars Tribunus Angusticlavius
6,178
To be honest, I think the .lnk stuff is a bit of a distraction. Who is going to be vulnerable to that? A lot of people simply won't be computer savvy enough to both check the target of a lnk file before clicking it and understand what it means if they do. And if they are, they probably aren't going to bother if they trust the source (if they are both computer savvy and don't trust the source they aren't going to download it in the first place). I'm not arguing that nobody will be tricked by it but it seems more a method of putting obstacles in the way of investigating causes after the fact than tricking ordinary users per se (who won't get that far in the first place).

On the other hand, this is very amenable to detection by tools (rather than humans). It should be fairly trivial to flag.
 
Upvote
10 (10 / 0)
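
The tool-based flagging mentioned in the comment above, as an added example that is not part of the thread or any poster's code: a minimal parser that reads COMMAND_LINE_ARGUMENTS from a .lnk following the MS-SHLLINK layout and flags whitespace padding, the trait public reporting on ZDI-CAN-25373 describes. The thresholds `PAD_RUN` and `VISIBLE_CHARS`, the finding names, the cp1252 fallback and the sample bytes are assumptions made for this example.

```python
import re
import struct

# Shell link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE = 0x80
PAD_RUN = 32         # assumption: a whitespace run this long counts as padding
VISIBLE_CHARS = 260  # assumption: characters a reviewer sees in the Target field


def read_arguments(data: bytes) -> str:
    """Return COMMAND_LINE_ARGUMENTS from .lnk bytes, or '' if none are set."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    try:
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76                                   # end of ShellLinkHeader
        if flags & HAS_ID_LIST:                    # IDListSize + IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        # StringData entries appear in this fixed order, each length-prefixed.
        for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS):
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2 : pos + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError("truncated shell link")
            pos += 2 + count * width
            if bit == HAS_ARGS:
                # cp1252 stands in for the system code page (assumption).
                return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    return ""


def inspect_arguments(args: str) -> list[str]:
    """Flag argument strings whose real content is pushed out of view."""
    findings = []
    run = re.search(r"[ \t\n\v\f\r]{%d,}" % PAD_RUN, args)
    if run and args[run.end():].strip():
        findings.append("padding-before-content")
    if re.search(r"[\n\v\f\r]", args):
        findings.append("line-break-in-arguments")
    if len(args) > VISIBLE_CHARS and args[VISIBLE_CHARS:].strip():
        findings.append("content-beyond-visible-field")
    return findings


def scan(data: bytes) -> list[str]:
    return inspect_arguments(read_arguments(data))


def build_sample(args: str) -> bytes:
    """Constructed, non-functional sample: header plus the argument string only."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    for label, args in [("plain", "--profile default"),
                        ("padded", "-a" + " " * 300 + "--hidden-option")]:
        print(label, scan(build_sample(args)))
```

Run over a mail gateway's or file share's .lnk files, any non-empty result is a reason to open the file in a parser rather than trust the Properties dialog.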

sp1z

Smack-Fu Master, in training
20
My innovative solution to the problem rests here:

I recommend Cinnamon for folks used to Windows, since it has a default desktop that works pretty much exactly like Windows Explorer.

Then you don't really have as much to worry about, at least from Windows. And you don't have to worry about involuntary upgrades (or even updates), since you have full control and decisions over that.

If you can't live without Windows, then dual boot and run Windows only when you need to. I expect you'll find over time that those reasons won't be popping up as often.

YMMV on your experience, but if it full on sucks with Windows, it's going to at least be rid of their tendency to treat YOUR property as if THEY own it.
As I've said many a time when people suggest "simply" moving to linux, that is fine with a technically literate person who doesn't mind lots of change and is fine with manually sorting out apt or yum or rpm or pip or dpkg or dnf or... (ad infinitum) when something inevitably breaks, but for a simple home user or a corporation with tens or hundreds or thousands of machines, linux just isn't the answer. Not to mention the insane amount of infrastructure changes, retraining of staff, potentially losing employees because you're not using the "standard" tools (yeah, it sucks, but it's a reality).

I'm glad it works for you, I really am, but until Linux on the desktop grows up and becomes viable in a business/corporate environment, it's useless.
 
Upvote
18 (25 / -7)

morlamweb

Ars Scholae Palatinae
1,435
At a previous job the security team attitude was basically "we've heard about/detected this vulnerability, it's up to the rest of you to figure out how to resolve/mitigate" and then wiped their hands clean.
Not sure if that attitude is typical of most security folks or not...
I'm on the receiving end of vulnerability "reports" from customers. Their IT/security team runs a scan on the servers which host the apps that I support and forward the reports to my team (the app vendor) for analysis. Often these reports aren't worth the paper they're printed on (if I were to print them); they're generated by automatic scan tools and the customer's IT/Sec team just forwards the results on to me. I'm lucky if they filter the results to just the servers hosting the software that I support. The vast majority of the reports are nothing more than the scan tool looking for things like open ports and concluding that they must be insecure, even though I can (and have) provide evidence that my app uses encrypted connections over the port. Or the tool notices some vulnerable component on the server and flags it for remediation, but it doesn't know whether the component is actually vulnerable to exploitation. Rarely, if ever, do these reports include links to documentation supporting their finds, such as CVE articles, vendor bulletins, etc.

And Dan's snarky response sure doesn't help the reputation of "security researchers".
 
Upvote
15 (18 / -3)

morlamweb

Ars Scholae Palatinae
1,435
I just discovered that the link I put in, didn't make it into the last-published story that went live. It's: https://arcticwolf.com/resources/bl...-zdi-can-25373-vulnerability-to-deploy-plugx/. It doesn't say or link to how you can do that. I didn't have a link handy to a how to when I responded and was out running an errand. I just thought it'd be quicker/easier/more helpful if I just sent a quick link with a reminder that that's where I would have to start. Sorry if that came off wrong.
That sure sounds like a non-apology apology to me. Maybe next time wait until you have a solid reply before posting, Dan?
 
Upvote
23 (27 / -4)
Upvote
6 (6 / 0)

Martin123

Ars Scholae Palatinae
664
Subscriptor
Judging by threads in /r/sysadmin, it's all that security does. Run a scan, squawk about findings, then go back to watching Netflix.
True story: a few years back, I moved from one top-tier research university to another one (as a professor). In my old institution, I had gitolite running on my office computer and IT configured a pinhole in their firewall allowing outside access to my ssh port, so my computer effectively acted as a git server for my collaborators. (I know that something like that would never fly in a corporate environment, but in universities it's not that uncommon.)

When I mentioned that I would like a similar setup at the new institution, their first reaction was that this is completely impossible. After a bit of back and forth with the local IT guy, it turned out that it was in principle doable, just not with my office machine but a VM (their VM's are running on a network that's outward-facing but doesn't have access to the rest of the university network). Still, the security people were balking at giving access to outside people.

After escalating things, I had a half hour discussion with the university head of IT and the head of security. Once I explained that gitolite wouldn't actually give anyone shell access they told me it was fine. Still, they spent the next half hour telling me all the ways in which I could end up liable for crimes that carry a three year jail sentence if I so much as sneezed in the wrong way.

Two months later, the VM suddenly stopped working overnight. It turned out that all the VM's still had their default 'admin / admin' account enabled and were busy mining crypto, so they all had to be nuked and set up again from scratch. So much about 'security for thee but not for me'...
 
Upvote
24 (24 / 0)

fensox

Wise, Aged Ars Veteran
163
The .lnk exploit is extraordinarily tame. Who is downloading shortcut files from the raw internet and launching them? Most people are creating these themselves or they are thrown on the desktop during software installations. If someone with bad intentions already has you running their installer, you are already sunk. I can see why it has been unpatched since 2017. A bit of sensationalism on that one.
 
Upvote
13 (13 / 0)

multimediavt

Ars Scholae Palatinae
1,266
How about recognizing that it's late on a Friday night (and Halloween at that) and give him a little grace. Especially as he came back well outside working hours to apologize to that specific arsian in the very comment you quoted.
That was not an apology, and grace should have been given by the author who demeaned that arsian to begin with. That comment by the author was completely inappropriate and should be brought to the attention of his employer as it was conduct unbecoming to someone writing for pay under the umbrella of Conde Nast. What any employee does reflects on all who work for the company, and the reputation of the company itself.

Empathy, kindness, respect. The comment by the author that he pinned to the story for all to see showed none of that.
 
Upvote
14 (19 / -5)
So I was trying to hunt down a patch for this WSUS issue described in CVE-2025-59287 and found Microsoft's official tracking page. The page is utterly infuriating though, as nowhere in it does it mention the KB numbers to be on the lookout for (at least that I can see). It just continually mentions "the October 23, 2025 out of band security update". Thankfully Google could make the connection between "the October 23, 2025 out of band security update" and some actual KBs.

For those interested, there are three. One for each Server version under support.
Server 2019 - KB5070883
Server 2022 - KB5070884
Server 2025 - KB5070881

Why wouldn't the official tracking page have links to the patches?!
 
Upvote
18 (18 / 0)

vonduck

Ars Scholae Palatinae
1,192
At a previous job the security team attitude was basically "we've heard about/detected this vulnerability, it's up to the rest of you to figure out how to resolve/mitigate" and then wiped their hands clean.
Not sure if that attitude is typical of most security folks or not...
where i work, they use o365 and encouraged everyone to use ms authenticator for passwordless login (well, on browsers in outside devices anyway) which is like the best thing since sliced bread.. type in login, enter code on phone..

and then that just stopped working all of a sudden (around the same time authenticator stops remembering password or whatever that change was, which shouldn't matter) if i just want to log into o365... reverts back to login/password... though it still asks for passwordless authenticator if i then use single sign on for 3rd party sites.. obviously something changed somewhere and the response of it support was.. it's fine.. still secure (whatever happened to passwordless being more secure than passwords).. instead of trying to figure out why the change happened (ms changed something? someone changed something on the company system?)

or at least pass it on to someone who might figure out what changed, if it applies to anyone else, etc..

ps... on company laptops (for use on site)... login/pw for win11.. though we enabled fingerprint login and use that instead.
 
Upvote
1 (3 / -2)

alansh42

Ars Praefectus
3,648
Subscriptor++
Here people said that those settings don't work anymore since years tho..
https://superuser.com/questions/179...tion-of-shortcuts-lnk-files-in-windows-10-gro
That's not the same thing. It's about stopping links from following a target that's moved or renamed. That poster wanted to rename test.exe to testold.exe and place a new test.exe. If you have a shortcut to the original test.exe, it will be updated to point to testold.exe when it's renamed and the poster didn't want that.

So posting a "let me Google that for you" is bad enough, but it's inexcusable if it doesn't even lead to an answer.

I'm certain you can't disable links, at least not without causing massive problems. The start menu is based on links, for example. It would be like disabling soft links in Linux.
 
Upvote
18 (18 / 0)

---###---

Seniorius Lurkius
8
I post literally once every year or so. Congrats. You made me post.

Imagine being this egotistical. Someone posted something that could genuinely improve your article and assist people that are less technical and you spit in their face for it.

Imagine behaving like a child just because someone offered a suggestion. Unbelievable.
Long-time nonposter here as well. Ditto. Disgraceful.
 
Upvote
13 (16 / -3)

EvolvedMonkey

Ars Scholae Palatinae
886
Subscriptor
Upvote
24 (25 / -1)

Aurich

Director of Many Things
41,280
Ars Staff
I unpinned that comment. I’d replace it with something better but to be honest I’m too ignorant of the topic to feel comfortable doing that.

In the interest of promoting harmony here is a photo of two of my cats that tend to bat at each other deciding last night that curling up next to me while I’m injured was a better idea.

 
Upvote
54 (56 / -2)

GreyskullPower

Wise, Aged Ars Veteran
125
I unpinned that comment. I’d replace it with something better but to be honest I’m too ignorant of the topic to feel comfortable doing that.

In the interest of promoting harmony here is a photo of two of my cats that tend to bat at each other deciding last night that curling up next to me while I’m injured was a better idea.


I know I’m both jumping in late and dragging this comment astray ;) further off topic-but that photo made me just wake up the babies!

On topic-2 days ago they received their first anti-virus shots!
 

Upvote
10 (11 / -1)
How about recognizing that it's late on a Friday night (and Halloween at that) and give him a little grace. Especially as he came back well outside working hours to apologize to that specific arsian in the very comment you quoted.
I’m having a very hard time grasping how you think that’s somehow a legitimate “apology”.

He very poorly attempted to gaslight that ‘specific arsian’ into believing his asshole comment wasn’t an asshole comment with some serious bullshittery.

“I thought I was being helpful and giving a reminder (by accusing you of criticizing me, telling you to do it your damn self because it’s so easy and giving you the DuckDuckGo version of lmgtfy).”

Then attempted to push perceived fault off of himself.

”I’m sorry if it came off wrong (See everyone, now that I’ve said my bullshit, it’s really just this guy being confused).”

For fucks sake, the damn “apology” is worse than the original comment and reeks of a narcissist trying to save face.
 
Upvote
16 (21 / -5)

balthazarr

Ars Tribunus Angusticlavius
6,910
Subscriptor++
I post literally once every year or so. Congrats. You made me post.

Imagine being this egotistical. Someone posted something that could genuinely improve your article and assist people that are less technical and you spit in their face for it.

Imagine behaving like a child just because someone offered a suggestion. Unbelievable.

I’d almost wonder if it was really the author, since there isn’t a “Staff” logo on the account…. Out of place attitude for an author here, for sure.

Long-time nonposter here as well. Ditto. Disgraceful.
SMH. Some things never change. Reading through this thread reminded me of a similar 'snafu' where some of us dared to question Dan's writing/headline.

I don't remember the exact wording of the original headline used (I've since learnt to copy it when commenting on it) - but I queried it in the comments and a few others had similar opinions, and Dan chimed in... https://meincmagazine.com/civis/threa...y-for-iphones-and-ipads.1487379/post-41333216

(You sort of have to read ahead and look at posts quoting his posts because he deleted his posts at a later time.)

To answer your question train_wreck - yeah, pretty sure it's Dan - spot on for his trademark sort of attitude in the comments when you dare to question his writing.
 
Upvote
20 (20 / 0)

Navalia Vigilate

Ars Praefectus
3,146
Subscriptor++
Judging by threads in /r/sysadmin, it's all that security does. Run a scan, squawk about findings, then go back to watching Netflix.
I feel confident in stating that my team doesn't do that. We, in theory, have the capability to apply fixes ourselves but those are with accounts that are essentially break the glass because all of our sysadmins got hit by a bus or something.

Operations don't want us touching their stuff, and I absolutely respect that. I'm not a sysadmin, I'm far more likely to screw it up because I don't know that system X can't install update Y or else it breaks core application Z.

On the other hand, when these issues do come up, I've ingrained the culture within my team that we don't just toss it over the fence. We pull relevant articles that cover installation, mitigations that can be done as opposed to patching if any exist, and do as much of the grunt work that we can that isn't actually turning the knobs and pushing the buttons. Apparently, we're unicorns.
This is a difficult issue to balance successfully. On a team I'm with we go the full length of discovery, correlation with external information, correlation with any suspicious activity internally, production of IoCs for everyone to use with their tools and services, summary recommendations, detailed implementation techniques specific to the existing patch management and system administration tools, and round table discussions seeking immediate and future improvements with final statements implemented into existing policy and procedures.

Our team is too small for this and we are not able to keep up. There are sysadmin teams that are better suited for this especially since we do not have access to most of their tools or significant access to cloud interfaces. The research belongs in Threat Intel and IoCs should be in the SOC. The short and long term actions and policy belong to Policy & Governance. But because our team is populated with people that are former system and network administrators with scripting skills who became security engineers and migrated to incident response, we find we are the backstop for everything. Pushing back in the middle of a potential crisis doesn't work. It's exhausting and frustrating.

I would assume that most organizations do not have a sub-security group that used to do everything and instead are trained in specific cybersecurity silos. I'm both thrilled to see how detailed new cybersecurity staff are as they matriculate out of college and certification mills like CEH, SANS, BH, ISC^2, ISACA, but very disappointed in how ineffective they are operationally and unable to grasp the entire infrastructure. We have a lot of people in cybersecurity now, but most are junior.
 
Upvote
8 (8 / 0)

jhodge

Ars Tribunus Angusticlavius
8,734
Subscriptor++
This is a difficult issue to balance successfully. On a team I'm with we go the full length of discovery, correlation with external information, correlation with any suspicious activity internally, production of IoCs for everyone to use with their tools and services, summary recommendations, detailed implementation techniques specific to the existing patch management and system administration tools, and round table discussions seeking immediate and future improvements with final statements implemented into existing policy and procedures.

Our team is too small for this and we are not able to keep up. There are sysadmin teams that are better suited for this especially since we do not have access to most of their tools or significant access to cloud interfaces. The research belongs in Threat Intel and IoCs should be in the SOC. The short and long term actions and policy belong to Policy & Governance. But because our team is populated with people that are former system and network administrators with scripting skills who became security engineers and migrated to incident response, we find we are the backstop for everything. Pushing back in the middle of a potential crisis doesn't work. It's exhausting and frustrating.

I would assume that most organizations do not have a sub-security group that used to do everything and instead are trained in specific cybersecurity silos. I'm both thrilled to see how detailed new cybersecurity staff are as they matriculate out of college and certification mills like CEH, SANS, BH, ISC^2, ISACA, but very disappointed in how ineffective they are operationally and unable to grasp the entire infrastructure. We have a lot of people in cybersecurity now, but most are junior.
IMO security should be a mid/late-career job after some years working in support & operations. I don't believe that you can understand vulnerability & remediation properly if you don't also understand the context of the systems and environment you are working in. Theory and practice are not the same thing and only experience lets you know the difference.
 
Upvote
16 (16 / 0)

Roy G. Biv

Wise, Aged Ars Veteran
105
Dan's writing is what originally brought me to Ars. I was looking for regular writing on security issues, although I am completely non-technical. Not in IT or the tech industry at all, I just find security issues really interesting. I don't even understand what all I'm reading half the time, maybe that is weird, but I just enjoy reading about it.

After reading this article, I had the exact same question in mind and was glad the first comment was aligned with my thoughts. Was hoping for an update or answer.

The completely uncalled for responses from Dan in these comments has made me feel like these articles aren't for me. If so, that's OK I suppose, good to know going forward. Will leave it to the IT experts to read and understand.
 
Upvote
19 (19 / 0)

Aurich

Director of Many Things
41,280
Ars Staff
Dan's writing is what originally brought me to Ars. I was looking for regular writing on security issues, although I am completely non-technical. Not in IT or the tech industry at all, I just find security issues really interesting. I don't even understand what all I'm reading half the time, maybe that is weird, but I just enjoy reading about it.

After reading this article, I had the exact same question in mind and was glad the first comment was aligned with my thoughts. Was hoping for an update or answer.

The completely uncalled for responses from Dan in these comments has made me feel like these articles aren't for me. If so, that's OK I suppose, good to know going forward. Will leave it to the IT experts to read and understand.
It’s the weekend, but I’ve been aware of all the reports and comments and feedback, and have made sure they’re forwarded onto the management team.

It’s not my role to respond to any of it, but as the community manager I 100% want everyone who is curious about tech to feel welcome. You don’t have to be in IT to participate here.
 
Upvote
29 (29 / 0)

El Chupageek

Ars Scholae Palatinae
817
Subscriptor
The lnk vuln seems very overhyped. Most email providers strip it as a dangerous extension, if you could social engineer a browser download you could use an executable instead, and same story for planting on a file share. It’s mildly interesting someone is actually using that technique but it doesn’t seem to warrant being labeled a zero day (also, the “vuln” is a shitty ancient dialog UI, which is somewhat stretching the meaning) and sure doesn’t deserve billing above a pretty legit exploitable vuln in wsus. It feels a little like the article was uncritically echoing vendor hype
 
Upvote
7 (7 / 0)

balthazarr

Ars Tribunus Angusticlavius
6,910
Subscriptor++
It’s the weekend, but I’ve been aware of all the reports and comments and feedback, and have made sure they’re forwarded onto the management team.

It’s not my role to respond to any of it, but as the community manager I 100% want everyone who is curious about tech to feel welcome. You don’t have to be in IT to participate here.
And the prior example of Dan's odd hyper-sensitivity to even the slightest questioning of his writing I posted a few posts above was from 2022 - his responses there were arguably even worse and less appropriate and professional.

Look, I actually enjoy his articles and his writing is usually very clear and engaging. But - he does get a chip on his shoulder if anyone happens to question him, and can respond inappropriately and unprofessionally.

I don't really want any sort of managerial involvement to result in any dire consequences, but he does need to reflect on his attitude when readers ask - IMHO - legitimate and reasonable questions. Get defensive, sure defend your position, but he crosses the line into disrespectful and unprofessional.
 
Upvote
13 (13 / 0)

Aurich

Director of Many Things
41,280
Ars Staff
And the prior example of Dan's odd hyper-sensitivity to even the slightest questioning of his writing I posted a few posts above was from 2022 - his responses there were arguably even worse and less appropriate and professional.

Look, I actually enjoy his articles and his writing is usually very clear and engaging. But - he does get a chip on his shoulder if anyone happens to question him, and can respond inappropriately and unprofessionally.

I don't really want any sort of managerial involvement to result in any dire consequences, but he does need to reflect on his attitude when readers ask - IMHO - legitimate and reasonable questions. Get defensive, sure defend your position, but he crosses the line into disrespectful and unprofessional.
Not my circus, not my monkeys, I just wanted people to understand that when I hear voices in the community I do pass that feedback along.
 
Upvote
21 (21 / 0)
You could just as easily have provided the link yourself instead of directing a complaint at me:

https://duckduckgo.com/?q=set+Windows+Explorer+to+disable+the+automatic+resolution+of+.lnk+files
Yeesh that's a pretty out of scope reply considering the polite tone of the original request don't you think? I tend to agree, for what it's worth, and if someone's suggesting that, they may not have a link on how to do that. I personally don't take very kindly to that sort of "Just google it" responses anyway. If you didn't want to provide help, you could have left it for others who did want to.

Sorry about this, it just felt rather rude and dismissive when you weren't being attacked in the first place and brought up some bad memories of "technical forums" that always seem to have a few people genuinely upset at the thought of answering a sincere question. It's right up there with the sort of person who on getting a technical question instead suggests that the person is wrong for wanting to do X in the first place. For example: "What's the best defragmenting strategy?" "Just buy an SSD."
 
Upvote
6 (8 / -2)
What exactly does this mean?
What it says on the tin: a WSUS server that is accessible from the general Internet.

Which is not good practice; a system like that should be locked down and only available from the corporate network (and any host that has VPN'd into the corporate network.) The only services that should be accessible from the general Internet are public facing web servers; the VPN server; mail server; and that's pretty much it. It significantly lowers the risk profile that you have to deal with as a sysadmin.

But of course, not all companies or individuals follow good practice, so we end up with this sort of situation.
The completely uncalled for responses from Dan in these comments has made me feel like these articles aren't for me. If so, that's OK I suppose, good to know going forward. Will leave it to the IT experts to read and understand.
My honest opinion, as somebody who is not Ars staff and bloviates a bit much on threads here: don't go. Stay. Ask your questions. Generally, I find the Ars community to be very good about picking up on when somebody isn't deep in a subject, and the usual approach I've seen is to give useful replies to questions, even those that seem basic. We all have to learn somehow, and that learning journey has to start somewhere. This is one of the better places I've seen online for that.

And if somebody makes a comment that is out of line or inaccurate, the likelihood is very high that it will be called out and/or downvoted into oblivion, irrespective of who made it. Which you can see with Dan's comment, which is (as I type this) sitting at +16/-210, for a net score of -194.

Frankly, that's about where I think it belongs. It's singularly unhelpful; a link to a search engine carries tones of "I'm doing your homework for you", and I'm of the opinion that the better approach is to just say nothing. Either dig into the question and provide something that's actually useful, or say nothing. (Unless it's clear that the question is not being asked in good faith, but that wasn't the case in this specific instance.)

But hey, I'm just a random on the Internet, so I might be way out of line. 🤷‍♂️
 
Upvote
10 (12 / -2)
The .lnk exploit is extraordinarily tame. Who is downloading shortcut files from the raw internet and launching them? Most people are creating these themselves or they are thrown on the desktop during software installations. If someone with bad intentions already has you running their installer, you are already sunk. I can see why it has been unpatched since 2017. A bit of sensationalism on that one.
I'd imagine it's not the first step in the penetration, but more like step 2 or 3, possibly in a social engineering attack. To the target it might not look like they did anything dangerous, when their system has now been Pwned.
 
Upvote
7 (7 / 0)

balthazarr

Ars Tribunus Angusticlavius
6,910
Subscriptor++
People are imperfect. People have good days, bad days, get grumpy, sad, excited, drunk, crazy. It's the flavor of life. Without shit days, how would you know what a good day is?

Maybe he had a bad day? Maybe he's busy giving up cigarettes?

Shit happens, sometimes even twice a day.
The nature of engaging in a job of some description almost invariably requires you to set aside your shitty day. If you can't do that - you're gonna have a bad time.

For a server in the USA, you might not eat that week as you'll get shitty tips (if you're not fired). For a lawyer, you might end up fined, or worse if you have a go at the wrong judge. For a writer, it might mean you get hauled in for a 'please explain'.

I posted something almost identical in tone to your post in that 2022 thread I posted earlier, but I've since changed my mind. You don't get to brush aside being an unprofessional arse by claiming you've had a bad day.

Of course there will be times in anyone's life where they Just Can't - for whatever reason, they snap and they let fly. In those circumstances - if you don't let go too badly - the resolution is to wait until things calm down and then humbly apologise, explanation optional. Most people that aren't arseholes would accept that, I think (assuming it's not the umpteenth such apology).

Now, having said all of that - I'm not trying to make mountains out of molehills and blow things here out of proportion. But, there is a clear pattern - fool me once, and all that.
 
Upvote
16 (16 / 0)

Nemexis

Wise, Aged Ars Veteran
120
Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.

But but but buuuuut, REMEMBER:

Windows now pretends a TPM chip on your motherboard for your their safety and convenience, wouldn't want any bad actors to do bad stuff to your their pc, now would we?

And definitely do not go to Linux boyo, It's a den of scum and villainy in there...
 
Upvote
-8 (3 / -11)

barich

Ars Legatus Legionis
10,752
Subscriptor++
I think that in general an article regarding an actively exploited vulnerability should include IoCs and details on mitigation/patching. Not necessarily within the article, but certainly via links.

Leaving it to people to find those on their own kind of defeats the purpose of the article, in my opinion.
 
Upvote
15 (15 / 0)