Announcing a new Thimbleweed Park mini-adventure

Why not? It’s working great.

Security holes/issues?

Which ones? I’m updating my browser at least once a year, this should be enough

But seriously, I’m not talking about laptops, so they are never directly connected to a public network.
I even never update my Windows 10 VMs unless some application forces me to, because especially with Win10 they make stupid changes all the time, they like to break stuff and made it hard to selectively install the updates I want.

So, I guess you don’t have a Windows 7 to test Delores on?

Well, I’m speechless.

If hackers find new vulnerabilities in Windows 7, Microsoft will no longer be creating software patches to protect against them. So your computer could be vulnerable to cyber attacks.

Hopefully having antivirus installed makes the risk lower, but I don’t think the companies behind them will feel obliged to provide the protection that Microsoft no longer offers.

His Windows 10 installations and his Browsers are having already known vulnerabilities. In fact he could be already a victim because a lot of malware utilizes the system silent in the background (and attacks other systems from there).

So let’s hope he is just kidding…

What kind of vulnerabilities could those be?
I.e. vulnerabilities not directly related to my browser or other third party software I am running at my own will.

I might be ∗beeped∗ when they can somehow hijack Windows update servers.
Which I still rely on btw., e.g. just the OS not being patched doesn’t mean other Microsoft related software won’t be fixed (.NET, Office, SQL, …).
(e.g. I have some Office format related viewers from Microsoft installed which luckily still get updates in 2020)

If you manually run malicious software (e.g. manually downloaded or via email) then OS vulnerabilities are not your biggest problem (although they could be used for elevated rights, e.g. to install something more permanently and hidden, tamper with anti-virus or backup software, or just break your system etc.).
But it’s very likely the current, non-elevated user has access to most of your private data already so depending on their motives it’s already bad enough.

There are some interesting possibilities though, e.g. regarding misusing CPU branch prediction. This Spectre and Meltdown stuff is quite interesting, especially because it’s really hard to fix. Though it doesn’t seem to be easily exploitable too, after those couple of years I still haven’t really seen something in the wild which could be a proper threat.

Otherwise you would have to directly connect to my network (or hijack another device there) to try to exploit vulnerabilities on my Windows 7 and 10 systems over the network (which better be SMB or ICMP related or affects the Windows firewall).

Oh I do have malware installed. I’m blocking so much telemetry stuff it’s not funny anymore…

But what do you know about my browsers?

Can’t wait for the answers now…

BTW: Delores ran fine on my otherwise buggy and unstable win10 laptop

Open ports or other network related security holes, enabling attackers to sneak into your computer from the outside. Sometimes just a modified package is enough. The other possibility would be modified WAV, PDF, etc. files.

You gave the answer yourself:

It escalates more quickly.

You wrote:

Tell me your browser version and I give you a list of possible security issues (you can google it yourself). Sometimes it would be enough to watch an ad (on a trustworthy site) to get infected.

Also this should be moved into a separate thread, but we will have to wait in what direction this goes to know the thread title

Well, Microsoft and especially the Browser developers don’t warn about security issues just for fun.

Yup. But we are here in the TWP forum.

I could also Google your browser versions, what does this proof?

How did you get access to my network again?

I don’t use the OS to process such files. It’s either a browser or a dedicated 3rd party software.

The actual answer is to not manually run malicious software or get an antivirus application which stops you from doing it.

I’d suspect something like Lynx, but that’s only updated about once every 5 years, it seems .

That your browser is vulnerable and could be successfully attacked.

Port scan. Phishy internet site.

… that are using some of the OS libraries.

So you are absolutely sure that you will never ever start manually malicious software? In the past we had already big trustworthy sites spreading malware. But you won’t visit them because you known in advance where malware is hidden.

It’s not impossible a browser having OS specific vulnerabilites. But it’s not a reason to think your browser is much safer just because your OS is up-to-date.
Your browsers are nearly as vulnerable than mine, you better keep them up-to-date!

(When I wrote “I’m updating my browser at least once a year, this should be enough ” followed “But seriously …” you may have understood it wrong)

We are talking about Windows, my router runs Linux (which doesn’t mean it doesn’t have vulnerabilities).

If you can use your browser to send malformed packets into your network you should probably update your browser.

Yes, that’s a possibility. Still normally it additionally requires you to get some fishy content.

No. But don’t get too cocky: having a “super-uber-patched-system” won’t safe you in the long run too.

PODCAST INCOMING!

@Nor_Treblig: We could discuss this forever as it seems. So I wish you good luck with your setup.

In preparation for the weekend I tried to get DirectX 12 running on a pre-2015 OS, but as it turned out there is no such thing: they only back-ported some DirectX libraries to use for specific games.

So with the current state of that engine it won’t run on an older Windows system:

• When I try to start it on Windows 8.1 it complains about a missing DirectX 12 DLL.
• When I try to start it on Windows 7 it fails earlier because GetSystemTimePreciseAsFileTime (kernel32) is missing (only Win8 or newer).

I haven’t made any further compatibility checks.

Thanks for the info. My Win 7 dxdiag shows Dx11 and I wasn’t sure if I didn’t have a correct patch or is it busted somehow.