[Last Week in .NET #49] – Automated Printer CVEs

I swore up and down I would not release a newsletter this week owing to the July 4th holiday (Treason day for the Brits out there), and then Microsoft’s Github announced and released Github Copilot, and my promise fell apart.

CoPilot is an ML trained code snippet generator. What is it trained on, you ask? All the public code on Github, GPL’d or otherwise. This has angered the internet lawyers and is generally considered to be a Dick Move™ by everyone else (except those that have read the parable of the Scorpion and the Frog). And since there really isn’t any magic in ML, that’s led to some interesting bugs… like reproducing the inverse-sine function from Quake to include the PG-13 rated comments. Or giving internet randos the API keys that Sendgrid users put in their source code on accident, or even reproducing the GPL in its entirety in a source code header file and none of this includes the mundane but possibly Office Space plot inducing every day bugs present in CoPilot.

It’s almost trite to call these ‘bugs’, these aren’t bugs. These aren’t misunderstandings of product requirements, or bad coding. No, these are Ian Malcoms:

Your scientists engineers were so preoccupied with whether or not they could, they didn’t stop to think if they should. (original source)

AI and ML have given us a new class of software defect: the Ian Malcom, the defect that exists due to hubris and a lack of foresight into how it could actually be misused. We can thank Github for playing the role of movie villain here.

With that out of the way, here’s what else happened last week in .NET.

🚉 In Windows 11 you can now specify which Terminal you want to use and not have to have cmd.exe launch all the time. I don’t want to be cruel; but would anyone willingly choose cmd.exe as their terminal? @ me if you would, and why.

🚅 ZDNet’s Jason Berlow says he’ll bite the bullet and buy a new PC for Windows 11 and it’s important to note that ‘more secure’ here means “less likely to get taken down by ransomware”. Microsoft’s usual track record for security post-boot-up still applies.

👔 Adam Storr has a blog post out titled Test Your .NET HttpClient Based Strongly Typed Clients Like a Boss, and I’m not clear from the title if he means the every day “exploit them” or if there’s a more sinister meaning, like “gaslight them into believing working 60 hours a week means you’re a team player”.

🎭 There was a LinkedIn Breach announced on June 29th, with the field “Inferred Salary” included. Since no one knows what “inferred” means here, we’ll just go with the face-value interpretation that LinkedIn calculates what your salary should be based on your experience and roles and local market and that is exactly why naming is so important in software.

🍞 I got a little flak last week for suggesting that Azure Static Web Apps were mundane but being touted as The Next Great Invention After Sliced Bread, and here’s just another example. Now, I get that if you work at Azure, you should be touting Azure products — but my concern here is that treating something mundane like Static site hosting as revolutionary in your verbiage (awesome, awe inspiring? Really?) is overplaying the marketing angle without understanding that a crucial part of marketing is credibility, and it’s easy to lose it if you overplay your hand.

🖨😲 There’s a new CVE out for Windows dubbed “Printer Nightmare”. CVE-2021-1675 allows an attacker to take over your system through the windows printer spooler service. and this is reason #2 why I had to release a newsletter this week. Holy forking shortballs Microsoft.

🖨😲 Kevin Beaumont gives us an indepth report on “Printer Nightmare” including most importantly how to mitigate this zero-day. Also important to note there appear to be 2 CVE classifications for “Printer Nightmare”, the aforementioned -1675, and CVE-2021-34527. 1675 covers Privilege Execution, and 34527 covers Remote Code Execution. Happy Monday.

🖨😲 There’s a POC out for Printer Nightmare that was promptly deleted but still available via caching sites if that’s your thing. I’m not going to look and see whether or not my old Livejournal is cached somewhere, thanks.

🖨😲📊 Interested to know if you’re affected and you like Flowcharts? @StanHacked has you covered.

🖨😲🚉 Interested in seeing if your machine is exploitable for “Printer Nightmare”? Try this powershell one-liner (please don’t).

📢 YARP Preview 1.0.0-preview12 has been released and we are promised that this is the last ‘big set of API changes’. I admire their optimism.

📢 The Pull request for finishing out W^X support for .NET is open and the problem with naming it W^X is that I can’t find — either on github in my old releases or on google any reference to what this means. My memory seems to recall it means Write Xor Execute; which means that a piece of memory is either writable or executable, but not both. I could be way off on this, and I take corrections @Gortok on Twitter and via email at george+lwidn@georgestocker.com.

🚫👴💻 Windows 11 will leave millions of machines behind and Microsoft is struggling to explain why writes TheVerge. I guess “We’re getting hammered by side-channel attacks and ransomware attacks because we have the most popular operating system of all time and we’re sitting on a long legacy of a single-user disconnected operating system vs an internet connected system” is hard to say?

👩‍💻🥌 There is a Fortnite VS Code theme and I have not played First Person Shooters since Battlefield 2 so I don’t really know what the hype is. Fortnite really just looks like Team Fortress 2 meets Starseige:Tribes Without the Jetpacks, he says, yelling at the kids to get off his lawn.

💉☁ AT&T is moving its 5G Network to Azure for Operators and now I guess the COVID Vaccine will give you Azure interopability as a side-effect?

👋 Valid Kubernetes YAML that also happens to be AT&T x86_64 assembly code and I need a shower after seeing that. Ew.

☕ Leslie Richardson and Cecil Phillips have a .NET video out on Exception Filters and I promise if you catch System.Exception and don’t filter it, bad things will happen (also please don’t filter on System.Exception, just pick the execption sublcass and filter on that. Your maintenance programmer and I will thank you).

📖 dotnet-wtrace Command Line Tool has been released and it captures .NET traces. No, I don’t know anything more than that and Open Source Projects aren’t exactly known for their Marketing.

🔧 The .NET team has a blog post that covers the Object allocation tool in Visual Studio. Think of this tool like dotMemory or ANTS Profiler, just built into Visual Studio.

UWP Projects will not have ongoing support in the new WinAppSDK World, according to a Youtube video by the WinUI team, and the longer discussion that alerted me to this fact is here.

And that’s it for what happened Last Week in .NET. I’m especially interested to see if there’s any legal action around CoPilot (ha), and how bad PrintNightmare turns out to be, so if either of those get more press, you’ll hear about it here.

Leave a Reply