Windows 7 is no longer supported by Microsoft. Wikipedia says: * Mainstream support ended on January 13, 2015. * Extended support ended on January 14, 2020.
I'm not sure that this specific Python issue is the worst issue of using Windows 7. A workaround is to upgrade Windows to a maintained version, no? Only Windows 7 is affected. The other option is to wait for a Python release. Victor Le mer. 29 janv. 2020 à 14:01, Marlon Luis Petry <marlonpe...@gmail.com> a écrit : > > Steve Dower, > > Thanks for sharing this with us. > > Any workaround to mitigate this? > > Cheers, > Marlon Petry > > > > On Tue, Jan 28, 2020, 23:48 Steve Dower <steve.do...@python.org> wrote: > > > A DLL hijacking vulnerability has been discovered in CPython 3.6, 3.7 > > and 3.8 when running on Windows 7 or earlier. > > > > An attacker who is able to place a DLL "api-ms-win-core-path-l1-1-0.dll" > > earlier on the DLL search path than the System32 directory could cause > > their file to be loaded and executed at interpreter startup instead of > > the system one. > > > > Prior to Windows 7, this file does not exist and may be placed anywhere > > on the search path. After Windows 7, the DLL is loaded directly from its > > API set and not using the search path. Only Windows 7 is impacted. > > > > Patches to ensure that only the System32 copy of the file is loaded are > > linked from the bug page below. The next release of each version > > (3.6.11, 3.7.7, 3.8.2) will include the fixes. Python 3.9 does not > > support Windows 7, and so is unimpacted. > > > > Note that this attack will likely work against other applications on > > Windows 7, and it is not unique to CPython. Upgrading to a supported > > operating system is recommended. > > > > CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315 > > Bug page: https://bugs.python.org/issue39401 > > > > Cheers, > > Steve Dower and the Python Security Response Team > > _______________________________________________ > > Security-announce mailing list -- security-annou...@python.org > > To unsubscribe send an email to security-announce-le...@python.org > > https://mail.python.org/mailman3/lists/security-announce.python.org/ > > > ----------------------------- > Python Security Response Team > Unsubscribe: > https://mail.python.org/mailman/options/psrt/vstinner%40python.org -- Night gathers, and now my watch begins. It shall not end until my death. _______________________________________________ Security-SIG mailing list -- security-sig@python.org To unsubscribe send an email to security-sig-le...@python.org https://mail.python.org/mailman3/lists/security-sig.python.org/
