[Last Week in .NET #92] – Minister of CVE Disinformation

Not too much happened last week; but what did happen was rather alarming. Nothing like a Zero-day RCE in Microsoft Office to get your blood pumping. Let’s get to it.

Zero-day vuln in Microsoft Office: ‘Follina’ will work even when macros are disabled This is a wild vulnerability that basically allows code execution even in a situation where you’ve explicitly set up Office to not allow code execution. Microsoft’s response to this has been wishy-washy, by closing the initial report, and then saying, Yea, “msdt executing with macros disabled is an issue” and then opening CVE-2022-30190 for it. This is not a rousing endorsement of when their PR and security practices collide. Oh, and in the intervening time there was an unofficial patch released if you are the daring sort.

Also shockingly, the zero-day was mentioned in a 2020 thesis. 🤯

Microsoft is on the cusp releasing ‘classifiers’ that will scan computers for messages that fit into one of several categories: “Leavers”, “Corporate Sabotage”, “Money Laundering”, “Gifts & Entertainment”, and more. Rightfully people bring up the false positive rate. I mean, who wouldn’t accept a $50,000 bribe from me so I can get the new Elder Scrolls before it’s released? 🙀

Code Signing is moving to a hardware key that will absolutely make it harder to sign certificates. If you can do your job, the security isn’t strong enough. 📵

Amazon SNS for the .NET Developer, Getting Started Quick and Easy Everybody and everything claims to be quick and easy, just once I want someone to lean in to long and hard. Like Python the Hard Way (which by the way is a lie). 🎂

Cory Doctorow talks about Apple’s sabotage of “Right to Repair” in a guargantuan twitter thread. In a time of rising inflation, we can ill afford the costs associated with a monopolized repair system. 🛠

And lastly, Gen Z is smarter than all of us: Quit Early and Quit Often. If you want employees to be loyal, offer them contracts. Contracts. With Severance. Yea, I said it.

Leave a Reply