Microsoft Confirms Zero-Day Hours After Exploit

CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."

Bashfest

[Microlith]

You should check out the one-sided bashfest that was posted on Ars Technica [arstechnica.com] over this.

If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing, and had several days of notice that the new version was going to be released (not that the new version appears to have mattered.)

Re:Bashfest

[Microlith]

Oh wait, this is a NEW bug. Not the one noted above. Silly me.

Re:Bashfest

[BBTaeKwonDo]

That's a different exploit. The new one at http://www.microsoft.com/technet/security/advisory/2490606.mspx [microsoft.com] affects the graphics rendering engine, the one you linked to http://www.microsoft.com/technet/security/advisory/2488013.mspx [microsoft.com] refers to CSS.

Re:

[Microlith]

Right, which is why I replied to my own comment ;)

Re:

[Monkeedude1212]

If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing

In all fairness, bugreport@microsoft.com is just an Exchange mailbox that forwards to gates@microsoft.com, which Bill lost the password to years ago and simply started up bgates@microsoft.com, and forwarded the old address to the new one, and then because his wife was a little untrustworthy she secretly went into Active Directory one day and created an account, Jay Smith, and forwarded Bills new account to jsmith@micrsoft.com and she checks that every other week or so, and of course Bill is no longer really

Re:

[Teun]

+ insightful!

Re:

[antifoidulus]

Bashfest? I didn't think Windows shipped with the Bourne Again Shell, does this exploit install it?

*Rimshot

Re:

[Red Flayer]

Bashfest? I didn't think Windows shipped with the Bourne Again Shell, does this exploit install it?

*Rimshot

What the hell do Blackberries have to do with this exploit? Do Blackberries even run Windows?

Would it kill you to link to the Microsoft article

[BBTaeKwonDo]

http://www.microsoft.com/technet/security/advisory/2490606.mspx [microsoft.com]

Re:

[vistapwns]

Windows 7 is not affected, for people who are too lazy to click the link.

Re:Would it kill you to link to the Microsoft arti

[__aaqvdr516]

I'm too lazy to click the link. What about us under Win98?

Re:

[monkyyy]

what av do u use?

Re:

[ae1294]

The honourable gentleman FAILS IT.

Yes, I forget I was on /. where no one has a girlfriend and so erections aren't the needful...

Non-Affected Software

[BasharTeg]

Non-Affected Software
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Re:

[Technician]

Any version not using thumbnail view.

Turn off thumbnail view.

Re:

[Red Flayer]

So Windows doesn't give a flying fuck about any OS that's already EOLed or it's EOLing soon?

Who woulda thunk it?

Re:Non-Affected Software

[Red Flayer]

My point was that MS hasn't bothered to hotfix it because it doesn't affect their latest-gen OSes... even though some of the OSes it DOES affect are not yet EOLed.

Did you miss the part about this affecting OSes that are't yet EOLed (but will be in the next year or so)?

Re:

[mug funky]

if you can hold off from running every exe you get in your email until next tuesday, you'll be fine.

honestly, it's not like every zero-day is a new botnet.

Re:

[Culture20]

if you can hold off from running every exe you get in your email until next tuesday, you'll be fine.

honestly, it's not like every zero-day is a new botnet.

From FTA:
"Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder."

Re:

[Culture20]

"hackers could hijack machines by convincing users to view a rigged thumbnail ... in an online WebDAV file-sharing folder." redirects to webdav sites are something hard for users to look out for on the web

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[mcgrew]

So don't blame on malice what can easily be explained by just requiring a shitload of work

Never attribute to malice what laziness will explain? I usually say attribute to incompetence or stupidity what greedy self-interest will explain, which isn't much different, I guess.

Re:

[mcgrew]

Please show me one manufacture that supports their products after 'end of life'.

Ford, GM, Chysler, Toyota, Honda... if a manufacturing or design defect is found in your fifteen year old car, the manufacturer will recall it and repair it. Why can't Microsoft fix all the bugs that are still in XP? They don;t even have to recall it, just patch it over the internet.

Why can you get free software that works, and gets patched seemingly forever, you can buy machinery that just works and is recalled if a manufacturi

Re:

[DavidIQ]

Your 15 year-old statement for automotive defects is incorrect. From http://www.enotes.com/everyday-law-encyclopedia/recalls-by-manufacturers [enotes.com]:

There are a few restrictions on consumers' rights to take advantage of recalls. For example, there is a limitation regarding the age of the vehicle. In order to be eligible for free repairs, refund, or replacement, the vehicle must be less than 8 years old on the date the defect.

So you'll be notified...but it'll be up to you to fix it out of your own pocket afte

Two minor bits...

[symbolset]

1. Windows XP still has more market share [hitslink.com] (57%) than Windows Vista (12%) and Windows 7 (21%) combined. More to the point since Vista and XP are affected, more than three quarters of Windows systems are affected. They should care. We sure as hell care. If all Microsoft cares about is W7, that tells us a lot about their commitment to support and security. It's not 2002 [cnet.com] any more. It's now 2011, and if being "all in" in the cloud and "all in [infoworld.com]" in mobile, and committed to "Dynamics [devsource.com]" (whatever the heck that

Re:

[onionman]

Non-Affected Software...
Windows Server 2008 R2 for Itanium-based Systems

Good thing for that guy!

Interesting, but ..

[ackthpt]

A co-worker and I have witnessed multiple attempts by CutePDF Writer to install itself, unbidden. I haven't ever used it, as far as I know and haven't been to any pages I can think of which would require me to save something in PDF. As a wary user I don't trust anything which just pops up without my asking, particularly to install software. Could this be the result of accessing a web page which is retrieving content from a compromised site? Seems such that the CutePDF install request could really be a s

Re:

[BitZtream]

I've found CutePDF bundled with a few other packages that seemed extremely odd, perhaps you installed it without noticing that you didn't uncheck a box on some stupid installer? It seems to be the next big thing for shoveling crapware (not that I think CutePDF is crapware, I actually like it) on people without them consenting. I say without consent not because they never give you the option to not install it (some do) but because they intentionally obscure the option or wording so you don't realize that i

Re:

[ackthpt]

I've found CutePDF bundled with a few other packages that seemed extremely odd, perhaps you installed it without noticing that you didn't uncheck a box on some stupid installer? It seems to be the next big thing for shoveling crapware (not that I think CutePDF is crapware, I actually like it) on people without them consenting. I say without consent not because they never give you the option to not install it (some do) but because they intentionally obscure the option or wording so you don't realize that its going to install something, or the make it an opt out, where you have to check to box to not install it rather than the natural assumption of checking it too install it.

Second thing I did was look through all installed software - no CutePDF anywhere. I found a CutePDF.tmp running when checking tasks. It's highly unusual.

Obligatory

[dragonhunter21]

Oh, FORK THAT!

What does zero-day mean now?

[shish]

I always thought that "zero-day" means "before the product is released publicly" -- so eg "zero-day crack" would be a cracked, leaked copy of some software, "one-day exploit" would be an exploit found the same day it was released, etc. But now it seems that "zero-day" is being applied to absolutely every exploit ever. Am I totally mis-remembering? Mis-understanding? Can anyone explain?

it is a one-day now

[poppopret]

The moment Microsoft confirmed the zero-day, it was no longer a zero-day. Microsoft can never become aware of a zero-day, because by doing so they make it a one-day.

zero-day release isn't quite the same

[YesIAmAScript]

We're talking about a zero day exploit not a zero-day release.

With a zero-day exploit it means you had zero days of warning to patch the flaw before an exploit was spotted in the wild. So basically it means someone out there found this bug on their own and was using it for their own nefarious means before the good guys even knew about it the existence of the bug.

Not every exploit is a zero-day one, but for some reason they are all called zero-day exploits now.

This one doesn't seem like a zero-day exploit si

Re:

[Rashkae]

That is Microsoft's new definition of zero day. Traditionally, Zero day exploit means that the software maintainer/creator did not know about the flaw until after an exploit is in the wild. However, according to the summary, this flaw was publicly announced at a security conference December 15. So in Microsoft speach, Zero-day now means an exploit to a known flaw they never bothered to patch.

Would starcraft 2 custom games be vulnerable?

[Rooked_One]

The article noted affecting a graphics rendering engine... There are lots of custom games on starcraft 2 and a LOT of players making their own maps...

Holy cow!

[ericvids]

They discovered an exploit to give us zero-day hours? And it's confirmed? W00t! Better call Stephen Hawking! ... oh.

Re:

[VGPowerlord]

Remember when they kept saying vista and win7 were built from the ground up - LMFAO forgot about that didnt you?

They did? I remember them saying that it was originally being built on the Windows XP codebase, but MS dropped what they currently had and started rebuilding Vista on top of the Windows Server 2003 Service Pack 1 codebase, but that's hardly "building from the ground up."

Stupid signedness at work again

[koro666]

Developpers needs to stop using int's when unsigned int's would have done the job.

Then all those "oh god, we did not anticipate a negative number here!" bugs would be fixed already.