Windows 7 is no longer supported by Microsoft. Wikipedia says:

* Mainstream support ended on January 13, 2015.
* Extended support ended on January 14, 2020.

I'm not sure that this specific Python issue is the worst issue of
using Windows 7.

A workaround is to upgrade Windows to a maintained version, no? Only
Windows 7 is affected.

The other option is to wait for a Python release.

Victor

On Wed, Jan 29, 2020 at 14:01, Marlon Luis Petry
<marlonpe...@gmail.com> wrote:
>
> Steve Dower,
>
> Thanks for sharing this with us.
>
> Any workaround to mitigate this?
>
> Cheers,
> Marlon Petry
>
>
>
> On Tue, Jan 28, 2020, 23:48 Steve Dower <steve.do...@python.org> wrote:
>
> > A DLL hijacking vulnerability has been discovered in CPython 3.6, 3.7
> > and 3.8 when running on Windows 7 or earlier.
> >
> > An attacker who is able to place a DLL "api-ms-win-core-path-l1-1-0.dll"
> > earlier on the DLL search path than the System32 directory could cause
> > their file to be loaded and executed at interpreter startup instead of
> > the system one.
> >
> > Prior to Windows 7, this file does not exist and may be placed anywhere
> > on the search path. After Windows 7, the DLL is loaded directly from its
> > API set and not using the search path. Only Windows 7 is impacted.
> >
> > Patches to ensure that only the System32 copy of the file is loaded are
> > linked from the bug page below. The next release of each version
> > (3.6.11, 3.7.7, 3.8.2) will include the fixes. Python 3.9 does not
> > support Windows 7, and so is unimpacted.
> >
> > Note that this attack will likely work against other applications on
> > Windows 7, and it is not unique to CPython. Upgrading to a supported
> > operating system is recommended.
> >
> > CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8315
> > Bug page: https://bugs.python.org/issue39401
> >
> > Cheers,
> > Steve Dower and the Python Security Response Team
> > _______________________________________________
> > Security-announce mailing list -- security-annou...@python.org
> > To unsubscribe send an email to security-announce-le...@python.org
> > https://mail.python.org/mailman3/lists/security-announce.python.org/
> >



-- 
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Security-SIG mailing list -- security-sig@python.org
To unsubscribe send an email to security-sig-le...@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/
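
A check that can be run on a Windows 7 host while waiting for a fixed release, given here as an added example that is not part of the original thread or of CPython's own code: it flags copies of the DLL named in the advisory that sit in directories searched before System32. The ordered directory list is an assumption supplied by the caller, and the demo layout is constructed.

```python
import os
import tempfile

DLL_NAME = "api-ms-win-core-path-l1-1-0.dll"  # file name taken from the advisory


def find_shadowing_copies(search_dirs, system_dir, dll_name=DLL_NAME):
    """Return paths of dll_name found in directories searched before system_dir.

    search_dirs is the ordered DLL search path as the caller understands it
    (an assumption of this example; it is not queried from Windows).
    """
    def norm(p):
        return os.path.normcase(os.path.abspath(p))

    hits = []
    target = norm(system_dir)
    for d in search_dirs:
        if norm(d) == target:
            break  # everything from here on is searched after System32
        try:
            entries = os.listdir(d)
        except OSError:
            continue  # missing or unreadable directory: nothing to load from it
        for entry in entries:
            full = os.path.join(d, entry)
            # Windows file names are case-insensitive, so compare lowercased.
            if entry.lower() == dll_name.lower() and os.path.isfile(full):
                hits.append(full)
    return hits


def demo():
    """Constructed layout: an app dir with a planted copy, System32, a work dir."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "Python38")
        sys32 = os.path.join(root, "Windows", "System32")
        work = os.path.join(root, "work")
        for d in (app, sys32, work):
            os.makedirs(d)
            name = DLL_NAME.upper() if d == app else DLL_NAME
            open(os.path.join(d, name), "wb").close()
        hits = find_shadowing_copies([app, sys32, work], sys32)
        return [os.path.relpath(h, root) for h in hits]


if __name__ == "__main__":
    print(demo())
```

Only the copy in the directory listed ahead of System32 is reported; the System32 copy itself and anything searched after it are ignored.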