Microsoft Confirms Zero-Day Hours After Exploit
CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."
Bashfest (Score:1, Interesting)
You should check out the one-sided bashfest that was posted on Ars Technica [arstechnica.com] over this.
If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing, and had several days of notice that the new version was going to be released (not that the new version appears to have mattered.)