WTF is happening with Windows 10? And nothing else
-
If that sounds bad to you, remember that Chrome has something called WebUSB.
-
@Rhywden said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
@Rhywden Mainly because it opens a whole new vector for malicious 3rd parties.
If the engine supports connecting to USB and C#, and the engine is shipped by Microsoft as a shared library, and (assumption) the same one is shared between Edge and UWP, then it means that Edge is just one security-SNAFU away from being a virus magnet.
Again, this is a locked-down API. You do not know what you're talking about. The default is "no access to USB".
This "What if the sky was falling" whining of yours is rather tiresome.
You want a concrete example, which I predict to turn to reality if it hasn't already? OK, here goes:
Bad software will request access to camera, address book and flash drives. Just like they do on phones already. Because why not.
Most USB memory sticks feature a generic controller IC, which can be reprogrammed. Cheap memory sticks don't program the fuse bit meant to prevent further modification.
The UWP app will show a webpage, which features an ad, which will run Javascript, which will rewrite any attached and supported USB stick to pretend to be an Ethernet adapter. Windows will then (in an Enterprise environment) probe the adapter's connected network for SMB1 shares with your login credentials. POOF - a bad actor now has your login credentials.
--
And just because I'm so generous, here's another example:
Every app will want access to the camera, because . Apps will still show HTML ads, loaded via . Ads still contain executable script, because parent site can't be trusted to report ad-views correctly. Ads get access to your camera. And just like they do now, ads will contain a malicious drive-by.
You will be extorted with webcam photos of your last wanking session.
-
@Zerosquare The most important feature of Firefox is the about:config page, which allows closing of street-facing windows.
-
@acrow Yeah, and how is that supposed to work exactly? Without starting the Edge engine inside an UWP app, the API will not be there.
Also, how old is UWP in Win10 now? And how many exploits have we heard about?
You're giving us a lot of hypotheticals without showing any proof that this vulnerability even exists. And no, "but there could be!" is not sufficient.
Proof.
-
@Rhywden said in WTF is happening with Windows 10? And nothing else:
@acrow Yeah, and how is that supposed to work exactly? Without starting the Edge engine inside an UWP app, the API will not be there.
The second example addressed this, if you bothered to read it.
Also, how old is UWP in Win10 now? And how many exploits have we heard about?
And it has been so unloved that it was protected by the niche effect. Kind of like Linux has. You start getting serious attacks once there is a market. But exploitable holes there have been a-plenty:
Pay special attention to the "XSS" and "Privilege Escalation" columns.
A house being broken into is hypothetical until it actually happens. But that shouldn't stop anyone from pointing out the cardboard doors and plastic locks.
-
@acrow said in WTF is happening with Windows 10? And nothing else:
For every competently written one
I'm still waiting for the "disable S-mode" app. That's the only one I care about, because Microsoft requires associating your Microsoft account in order to disable it, which is a pain when I have to do it to multiple computers...
-
@acrow said in WTF is happening with Windows 10? And nothing else:
@Rhywden said in WTF is happening with Windows 10? And nothing else:
@acrow Yeah, and how is that supposed to work exactly? Without starting the Edge engine inside an UWP app, the API will not be there.
The second example addressed this, if you bothered to read it.
No, it didn't. It was pure speculation on your part. Your Rube Goldberg example was so finicky that it's really laughable that anyone would consider even probing for something like that.
I mean, for all that to work you need to basically escape the sandbox. Twice. On top of the XSS. And if you manage that then why even bother with rewriting a USB stick which might not even be mounted or of the proper type?
I say again: Rube Goldberg.
-
@Rhywden said in WTF is happening with Windows 10? And nothing else:
I say again: Rube Goldberg.
We're talking about software, right? Did you expect it would be anything else?
-
@acrow said in WTF is happening with Windows 10? And nothing else:
And just because I'm so generous, here's another example:
Every app will want access to the camera, because . Apps will still show HTML ads, loaded via . Ads still contain executable script, because parent site can't be trusted to report ad-views correctly. Ads get access to your camera. And just like they do now, ads will contain a malicious drive-by.
You will be extorted with webcam photos of your last wanking session.Oh, right, so pretty much just like
getUserMedia()
?EDIT: also, I'm about 90% sure that displaying ads in the webview is absolutely forbidden and you must use
AdView
in XAML instead... so that eliminates the entire exploit method you described
-
@Rhywden said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
@Rhywden said in WTF is happening with Windows 10? And nothing else:
@acrow Yeah, and how is that supposed to work exactly? Without starting the Edge engine inside an UWP app, the API will not be there.
The second example addressed this, if you bothered to read it.
No, it didn't. It was pure speculation on your part. Your Rube Goldberg example was so finicky that it's really laughable that anyone would consider even probing for something like that.
I mean, for all that to work you need to basically escape the sandbox. Twice. On top of the XSS. And if you manage that then why even bother with rewriting a USB stick which might not even be mounted or of the proper type?
I say again: Rube Goldberg.
No, I meant the webcam example. Because that doesn't require breaking or escaping anything. Merely access to your webcam, and serving ads. Both of which are present in all kinds of apps already, and have no reason to not be present in an Edge-based app.
But even the other example only required USB mass media permissions for the app. As soon as that is given, getting some Javascript executed is enough.
The presence of the right kind of USB stick is a statistical variable, much like people using Edge in the first place. It becomes a viable vector when the propability is high enough that the potential victim pool pays the bills.
-
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
For every competently written one
I'm still waiting for the "disable S-mode" app. That's the only one I care about, because Microsoft requires associating your Microsoft account in order to disable it, which is a pain when I have to do it to multiple computers...
Well, if it's any easier, you could just disable Secure Boot from BIOS and then boot the suckers. That should also get them out of S-mode, last I checked.
Or just PXE-boot Linux and change the S-mode setting, which I assume to reside in Registry.
-
@acrow said in WTF is happening with Windows 10? And nothing else:
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
For every competently written one
I'm still waiting for the "disable S-mode" app. That's the only one I care about, because Microsoft requires associating your Microsoft account in order to disable it, which is a pain when I have to do it to multiple computers...
Well, if it's any easier, you could just disable Secure Boot from BIOS and then boot the suckers. That should also get them out of S-mode, last I checked.
Or just PXE-boot Linux and change the S-mode setting, which I assume to reside in Registry.
Yeah, that just deactivates them and bitches about buying Windows Pro...
-
@sloosecannon said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
And just because I'm so generous, here's another example:
Every app will want access to the camera, because . Apps will still show HTML ads, loaded via . Ads still contain executable script, because parent site can't be trusted to report ad-views correctly. Ads get access to your camera. And just like they do now, ads will contain a malicious drive-by.
You will be extorted with webcam photos of your last wanking session.Oh, right, so pretty much just like
getUserMedia()
?https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia says:
The MediaDevices.getUserMedia() method prompts the user for permission to use a media input which produces a MediaStream with tracks containing the requested types of media.
Permissions asked when installing an app, vs. permission asked when someone wants to fiddle with your camera unexpectedly.
Not a big difference. Except if all the cheap apps start asking for all the permissions just in case.EDIT: also, I'm about 90% sure that displaying ads in the webview is absolutely forbidden and you must use
AdView
in XAML instead... so that eliminates the entire exploit method you describedThe advertising cake is thin, and then Microsoft/Apple/Google want a slice too. I expect apps to circumvent that restriction as much as they can get away with.
Good point anyway. Someone actually thought about it for a change then. TIL.
-
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
@acrow said in WTF is happening with Windows 10? And nothing else:
For every competently written one
I'm still waiting for the "disable S-mode" app. That's the only one I care about, because Microsoft requires associating your Microsoft account in order to disable it, which is a pain when I have to do it to multiple computers...
Well, if it's any easier, you could just disable Secure Boot from BIOS and then boot the suckers. That should also get them out of S-mode, last I checked.
Or just PXE-boot Linux and change the S-mode setting, which I assume to reside in Registry.
Yeah, that just deactivates them and bitches about buying Windows Pro...
Seriously?
Wait, what does the "disable S-mode" app do then? I mean, it's got to flip some setting somewhere, and it's not like it'll buy you a new license; I'm pretty sure the license key in UEFI won't change.
-
@Tsaukpaetra At least according to this, just re-installing should get rid of the S-mode:
The license key should apparently be independent of S-mode. Just a regular Home or Pro key. The installation media is the same for Home and Pro, so you should technically end up with whichever the license key is for. And the key sits in the UEFI locker, so won't be lost by a wiped drive.
-
@acrow said in WTF is happening with Windows 10? And nothing else:
@Tsaukpaetra At least according to this, just re-installing should get rid of the S-mode:
The license key should apparently be independent of S-mode. Just a regular Home or Pro key. The installation media is the same for Home and Pro, so you should technically end up with whichever the license key is for. And the key sits in the UEFI locker, so won't be lost by a wiped drive.
I'll give it a shot the next time a friend buys a cheap PC...
-
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
a cheap PC
Rant triggered:
I bought one of those for my grandmother. Didn't bother breaking it out of the S-mode, but I did try Linux on it.
From the box, it ran like molasses. No, wait, let me rephrase that: it made molasses seem fluid. Edge was almost stop-animation. I think half the reason for the S-mode is to partially hide the slowness. If you can't run anything on it, then it can't run slow.
If I ever had to use one myself again, I'll take the missing right-click of the touchpad and non-working WiFi in Xubuntu anytime. At least can I fix those with external hardware.
-
@acrow said in WTF is happening with Windows 10? And nothing else:
If you can't run anything on it, then it can't run slow.
-
@acrow said in WTF is happening with Windows 10? And nothing else:
and it's not like it'll buy you a new license
basically this.
Or rather, deactivate S mode and install a new (free) license
-
@sloosecannon said in WTF is happening with Windows 10? And nothing else:
EDIT: also, I'm about 90% sure that displaying ads in the webview is absolutely forbidden and you must use
AdView
in XAML instead... so that eliminates the entire exploit method you describedAnd that is enforced by the
evilad bit?
-
Status: I hate it when my computer does this.
Strongly considering clean installing to see if whatever encrypto-ware that's intercepting my files disappears...
-
Status: Dumb-man's burn-in test (playing a game while calculating primes) for half an hour done. Apparently left a piece of plastic too close to the fans, so annoying.
Toasty.
-
@Tsaukpaetra Only 76C? Return when you've been using a GPU that has 110C as its typical operating temperature!
-
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
Strongly considering clean installing to see if whatever encrypto-ware that's intercepting my files disappears...
I'm sorry, but Windows Update will still be there…
-
@Atazhaia said in WTF is happening with Windows 10? And nothing else:
@Tsaukpaetra Only 76C? Return when you've been using a GPU that has 110C as its typical operating temperature!
For such a teeny case with literally no airflow I'm surprised it maintained such cooling.
Little fucker feels like a 400 Watt personal space heater when I'm doing that.Wait, I guess that would makes sense, huh....
-
@dkf said in WTF is happening with Windows 10? And nothing else:
@Tsaukpaetra said in WTF is happening with Windows 10? And nothing else:
Strongly considering clean installing to see if whatever encrypto-ware that's intercepting my files disappears...
I'm sorry, but Windows Update will still be there…
Not if I switch to some form of Linux! 😘
-
-
@Zerosquare said in WTF is happening with Windows 10? And nothing else:
Doesn't matter. You still will experience bizarre behavior, because .
I'm special, it's true!
-
@Atazhaia said in WTF is happening with Windows 10? And nothing else:
@Tsaukpaetra Only 76C? Return when you've been using a GPU that has 110C as its typical operating temperature!
You fell for a Club3D too, huh? Don't worry, it could happen to anyone. Just splice the fan cable to a separate supply and move on with your life.
I bought a Club3D Radeon once. Worst decision ever. The card didn't respond to attempts to raise fan speed via SpeedFan, so the only way to get it below 100C was to bypass the card's control hardware. The fan itself was still underpowered, so I ended duct-taping a long plastic bag with a fan at the other end, so as to force air from outside the case into the GPU. *That* finally got it to sane temperatures.Last time I ever bought a Club3D.
-
@acrow Radeon VII. The card is notoriously hot, and there's only the reference design available regardless of who you get it from.
Actually, normal operating temperature under load is at least 80C, with 110C junction temperature.
-
@Atazhaia said in WTF is happening with Windows 10? And nothing else:
there's only the reference design available regardless of who you get it from
Yes and no. While I won't swear that mine was the Radeon VII specifically (as it's been more than a decade by now), the Club3D card was the only one that didn't allow raising fan speed via 3rd party tools, as far as I could find out. Other manufacturers' cards allowed raising fan speed.
The card did seem to have "smart" fan control that responded to temperature after a fashion. But that "smart" algorithm seemed to consider 80C a normal temprature to have, and almost stopped the fan.
-
@acrow Considering the Radeon VII was released last year it can't have been a decade ago. But yeah, mine is a Sapphire card and they're one of the better AMD board partners. Just, you know, reference cooler on an already warm CPU. At least it's not the traditional AMD blower cooler...
-
@Atazhaia The tradition of cooking-temperature GPUs continues, then.
For a moment there, I was afraid I'd never again get tea that's been properly simmered on a Radeon.
-
@acrow said in WTF is happening with Windows 10? And nothing else:
@Atazhaia The tradition of cooking-temperature GPUs continues, then.
For a moment there, I was afraid I'd never again get tea that's been properly simmered on a Radeon.
I'd rather do some BBQ on a GeForce. (1:39)
-
Going back on topic
Microsoft hasn't bolloxed this one up yet.
-
Alt+Tab will flick through Edge tabs as well as apps
On the one hand I want to turn that off right away because I think it's stupid, but on the other it's a non-issue because it's not like I'll ever have Edge tags open.
-
@DogsB said in WTF is happening with Windows 10? And nothing else:
Microsoft hasn't bolloxed this one up yet.
Yet being the key word.
-
Preparing... Downloading... Preparing... Installing...
"You can help us schedule a [...]". Fuck you. Just reboot and install. The whole machine is sitting unused just waiting for this. I mean, what kind of idiot would keep actually using a machine for something else after clicking Install on a Windows version update?
Preparing... 24%
Two reboots so far... --oh hey, it found my other monitor again.
Working on updates 91%.
...I'd feel a lot more confident in that if they also admitted the "of part 2/5"..."This will take a while."
Now that I actually believe.Log in screen...
A minute of "Welcome"...
"You've got the latest update!"
No shit, Sherlock. Isn't that what I just asked for?I should have taken time. Just for accurate reporting.
Now I can only say that it took 8 chocolate candies, going to the loo, taking a short walk outside, ordering a kid to go potty, emptying the potty, and writing all of the above, for 20H2 to install on a Ryzen 5 3600 (6 x 2) and 860EVO.Now to see if Doom started magically working again.
-
@acrow Last time it had one at end-of-day and I selected 'update and shut down', it actually just shut down. All the updating (including 3 reboots) was done the next morning.
In the current situation, neither my work laptop nor my game PC is ever off mains power. So I'd really prefer if it did all that while I was not, like, waiting to be able to use
mymicrosoft'sMY PC
-
@PleegWat said in WTF is happening with Windows 10? And nothing else:
'update and shut down'
Logical and is commutative,
CLOSED_WONTFIX
-
@acrow said in WTF is happening with Windows 10? And nothing else:
Now I can only say that it took 8 chocolate candies, going to the loo, taking a short walk outside, ordering a kid to go potty, emptying the potty, and writing all of the above, for 20H2 to install on a Ryzen 5 3600 (6 x 2) and 860EVO.
Still faster than installing an xcode update.
-
Considering I ended up rolling back 2004, lets see what breaks with this one...
-
@loopback0
So far:Get fucked, Edge.
I had to manually reboot it an extra time to make the mouse work although this has happened before, so probably wasn't the update.
-
@loopback0 said in WTF is happening with Windows 10? And nothing else:
lets see what breaks with this one...
The one computer that was offered this went smoothly. The other 3 I've checked have been "what update?".
-
@loopback0 said in WTF is happening with Windows 10? And nothing else:
Get fucked, Edge.
Either it didn't actually make itself the default, or Firefox silently went "LOL nope" and set itself back.
-
The only two proper issues so far are actually the ones that made me rollback 2004 - which I was expecting.
Since then though there are some solutions!
1 - Chinese knock off Xbox 360 Wireless Receiver stopped being recognised - fix is to download the drivers from Microsoft, edit the .inf to change the hardware ID to match the unofficial one and use that driver (which requires putting Windows temporarily into test signing mode to accept an unsigned driver) before using device manager to upgrade to the built-in driver that Windows should have used all along
2 - Weird crackling/breaking audio via Voicemeeter but only in Discord - turns out Windows update helpfully set the quality of the virtual interfaces to 44.1KHz and setting them back to 48KHz fixes itNothing new to this update but fixing them still made this more of a faff than previous updates which mostly just worked.
-
@acrow I'm guessing you weren't on 20H1? I just went from 20H1 to 20H2 and it was pretty short, like any other update needing a reboot.
@loopback0 said in WTF is happening with Windows 10? And nothing else:
1 - Chinese knock off Xbox 360 Wireless Receiver stopped being recognised - fix is to ... edit the .inf to change the hardware ID ....
IIRC, I had to do something similar in Windows 7. Windows 10 picked mine up, though. Yay, knockoffs! :)
-
@Parody said in WTF is happening with Windows 10? And nothing else:
Windows 10 picked mine up, though. Yay, knockoffs! :)
Windows 10 picked mine up fine until 20H2 and after the painsome middle step seems to do so again.
-
@Parody said in WTF is happening with Windows 10? And nothing else:
I just went from 20H1 to 20H2 and it was pretty short, like any other update needing a reboot.
Not surprising - in the RSS feed I have, they announced:
People running the May 2020 Update will have a faster overall update experience because the update will install like a monthly update
-
@dcon said in WTF is happening with Windows 10? And nothing else:
@Parody said in WTF is happening with Windows 10? And nothing else:
I just went from 20H1 to 20H2 and it was pretty short, like any other update needing a reboot.
Not surprising - in the RSS feed I have, they announced:
People running the May 2020 Update will have a faster overall update experience because the update will install like a monthly update
Yup, that's the latest change in direction. Still two updates per year: one big, one small with long-term support.