Slashdot: News for Nerds

Microsoft Confirms Zero-Day Hours After Exploit

CmdrTaco posted more than 3 years ago | from the that's-sum-sploit dept.

Bug 53

CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."

53 comments

Bashfest (1, Interesting)

Microlith (54737) | more than 3 years ago | (#34760212)

You should check out the one-sided bashfest that was posted on Ars Technica [arstechnica.com] over this.

If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing, and had several days of notice that the new version was going to be released (not that the new version appears to have mattered.)

Re:Bashfest (4, Informative)

Microlith (54737) | more than 3 years ago | (#34760236)

Oh wait, this is a NEW bug. Not the one noted above. Silly me.

Re:Bashfest (-1)

Anonymous Coward | more than 3 years ago | (#34760264)

You should check out the one-sided bashfest that was posted on Ars Technica [arstechnica.com] over this.

You should check out the one-sided bashfest about to show up on /. over this!

Re:Bashfest (3, Informative)

BBTaeKwonDo (1540945) | more than 3 years ago | (#34760266)

That's a different exploit. The new one at http://www.microsoft.com/technet/security/advisory/2490606.mspx [microsoft.com] affects the graphics rendering engine, the one you linked to http://www.microsoft.com/technet/security/advisory/2488013.mspx [microsoft.com] refers to CSS.

Re:Bashfest (1)

Microlith (54737) | more than 3 years ago | (#34760384)

Right, which is why I replied to my own comment ;)

Re:Bashfest (3, Funny)

Monkeedude1212 (1560403) | more than 3 years ago | (#34760316)

If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing

In all fairness, bugreport@microsoft.com is just an Exchange mailbox that forwards to gates@microsoft.com, which Bill lost the password to years ago and simply started up bgates@microsoft.com, and forwarded the old address to the new one, and then because his wife was a little untrustworthy she secretly went into Active Directory one day and created an account, Jay Smith, and forwarded Bill's new account to jsmith@micrsoft.com and she checks that every other week or so, and of course Bill is no longer really with Microsoft, just a shareholder, so whenever she comes across a bug report she forwards it now to the new actual address, support@microsoft.com, which is actually a mailbox that no one checks regularly but they have an application designed to take in new emails and generate work tickets based on the requests, though it only does the generating of emails once a day. Then of course the IT Manager gets hundreds of these unassigned tickets a day, and he has to sift through them and designate them to the proper Microsoft Technicians who will then fix the bug, however the subject field in the application was only a few characters long and all the Manager could see was "FWD:FWD:FWD:FWD:..." and thought it was another chain message, so he put it in the junk folder.

So really - while I believe the maintainer of the tool probably did try to inform MS of the flaw - I think he might have chosen the wrong email address.

Re:Bashfest (2)

Teun (17872) | more than 3 years ago | (#34760686)

+ insightful!

Re:Bashfest (2)

antifoidulus (807088) | more than 3 years ago | (#34760478)

Bashfest? I didn't think Windows shipped with the Bourne Again Shell, does this exploit install it?

*Rimshot

Re:Bashfest (2)

Red Flayer (890720) | more than 3 years ago | (#34760650)

Bashfest? I didn't think Windows shipped with the Bourne Again Shell, does this exploit install it?

*Rimshot

What the hell do Blackberries have to do with this exploit? Do Blackberries even run Windows?

Would it kill you to link to the Microsoft article (4, Informative)

BBTaeKwonDo (1540945) | more than 3 years ago | (#34760216)

Re:Would it kill you to link to the Microsoft arti (1)

vistapwns (1103935) | more than 3 years ago | (#34760254)

Windows 7 is not affected, for people who are too lazy to click the link.

Re:Would it kill you to link to the Microsoft arti (3, Funny)

Jaktar (975138) | more than 3 years ago | (#34760364)

I'm too lazy to click the link. What about us under Win98?

Re:Would it kill you to link to the Microsoft arti (0)

davester666 (731373) | more than 3 years ago | (#34760606)

You all are still losers. Same as always.

Re:Would it kill you to link to the Microsoft arti (0)

Anonymous Coward | more than 3 years ago | (#34760864)

I spat my coffee out all over my 2 day old keyboard. Thank you.

Re:Would it kill you to link to the Microsoft arti (-1)

Anonymous Coward | more than 3 years ago | (#34761504)

Here, just click this link to updates your banking passwords and you will be fine: https://sitekey.bankofamerica.com/sas/signonScreen.do?state=FL [bit.ly]

Re:Would it kill you to link to the Microsoft arti (1)

monkyyy (1901940) | more than 3 years ago | (#34762732)

what av do u use?

Taco was just being prudent... (0)

Anonymous Coward | more than 3 years ago | (#34761724)

didn't want to accidentally /. Microsoft

Re:Would it kill you to link to the Microsoft arti (0)

Anonymous Coward | more than 3 years ago | (#34762162)

First Post (-1, Redundant)

ae1294 (1547521) | more than 3 years ago | (#34760218)

Buy ch3ap V1agra!

Re:First Post (1)

Bobby Onions (735795) | more than 3 years ago | (#34763198)

The honourable gentleman FAILS IT.

Re:First Post (1)

ae1294 (1547521) | more than 3 years ago | (#34771296)

The honourable gentleman FAILS IT.

Yes, I forget I was on /. where no one has a girlfriend and so erections aren't the needful...

avg sees 2nd link as a threat (0)

Anonymous Coward | more than 3 years ago | (#34760318)

avg sees 2nd link as a threat

Non-Affected Software (4, Informative)

BasharTeg (71923) | more than 3 years ago | (#34760402)

Non-Affected Software
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Re:Non-Affected Software (1)

Technician (215283) | more than 3 years ago | (#34760524)

Any version not using thumbnail view.

Turn off thumbnail view.

Re:Non-Affected Software (2)

Red Flayer (890720) | more than 3 years ago | (#34760666)

So Windows doesn't give a flying fuck about any OS that's already EOLed or it's EOLing soon?

Who woulda thunk it?

Re:Non-Affected Software (0)

BitZtream (692029) | more than 3 years ago | (#34760882)

...

WTF?

The current OSes are not affected, could just be an accident, could be a bug that someone found during Windows 7 development and didn't bother to see that it got backported to Vista or XP.

MS didn't say 'we're not going to fix it!'

They said 'we're not going to fix it outside our normal patch release schedule'.

There's a big difference.

In reality however.

No, MICROSOFT does not give a shit about any OS that has been officially end of lifed, do you expect them to fix bugs and add features to old versions of the OS forever? They're just supposed to maintain all their old products till the end of time?

Please show me one manufacturer that supports their products after 'end of life'. End of life means ... it's fucking dead jim, move the fuck on, we're not supporting it any more.

Re:Non-Affected Software (3, Informative)

Red Flayer (890720) | more than 3 years ago | (#34761270)

My point was that MS hasn't bothered to hotfix it because it doesn't affect their latest-gen OSes... even though some of the OSes it DOES affect are not yet EOLed.

Did you miss the part about this affecting OSes that aren't yet EOLed (but will be in the next year or so)?

Re:Non-Affected Software (1)

mug funky (910186) | more than 3 years ago | (#34761382)

if you can hold off from running every exe you get in your email until next tuesday, you'll be fine.

honestly, it's not like every zero-day is a new botnet.

Re:Non-Affected Software (1)

Culture20 (968837) | more than 3 years ago | (#34761908)

if you can hold off from running every exe you get in your email until next tuesday, you'll be fine.

honestly, it's not like every zero-day is a new botnet.

From FTA:
"Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder."

Re:Non-Affected Software (1)

Culture20 (968837) | more than 3 years ago | (#34761928)

"hackers could hijack machines by convincing users to view a rigged thumbnail ... in an online WebDAV file-sharing folder." redirects to webdav sites are something hard for users to look out for on the web

Re:Non-Affected Software (0)

Anonymous Coward | more than 3 years ago | (#34761656)

Or perhaps some coder wrote some new code for Win7 that was forward ported to W2K8, without realizing that he'd just eliminated a security vulnerability.

Re:Non-Affected Software (0)

Anonymous Coward | more than 3 years ago | (#34762330)

or maybe it is because pretty much everyone at microsoft takes december off.

Re:Non-Affected Software (3, Insightful)

hairyfeet (841228) | more than 3 years ago | (#34762468)

Or maybe, just maybe, it could be because the bug is in the graphics rendering subsystem which had been changed and tweaked a lot for Win 7, and is therefore unaffected. Do you have ANY idea how many apps call upon the Windows graphics subsystems? And we are also talking about WinXP here, aka "hey let's all run as admin" which means apps can REALLY hook into the graphics subsystem and when the patch tweaks that?

Don't forget that the big selling point of Windows is its backwards compatibility which means when you are gonna patch it damned well better be tested! Can you imagine the royal shitfits if everyone came to work on Wednesday after Patch Tuesday and found their PS Pro, Photoshop, Picasa, and many of the other apps that use graphics went tits up? Hell the support lines would be hit so hard it would be a miracle if the lines didn't melt.

So don't blame on malice what can easily be explained by just requiring a shitload of work. Imagine YOU were tasked to fix a graphics subsystem in 10 year old code that the original designers have done skipped off to greener pastures? Where if you don't patch it just right you can break thousands of third party apps that you have NO control over but which your customers depend on? Man I wouldn't want that job, no way in hell. I bet those guys have ulcers and are bald by 30 just from the stress.

Re:Non-Affected Software (1)

mcgrew (92797) | more than 3 years ago | (#34765098)

So don't blame on malice what can easily be explained by just requiring a shitload of work

Never attribute to malice what laziness will explain? I usually say attribute to incompetence or stupidity what greedy self-interest will explain, which isn't much different, I guess.

Re:Non-Affected Software (1)

mcgrew (92797) | more than 3 years ago | (#34764754)

Please show me one manufacturer that supports their products after 'end of life'.

Ford, GM, Chrysler, Toyota, Honda... if a manufacturing or design defect is found in your fifteen year old car, the manufacturer will recall it and repair it. Why can't Microsoft fix all the bugs that are still in XP? They don't even have to recall it, just patch it over the internet.

Why can you get free software that works, and gets patched seemingly forever, you can buy machinery that just works and is recalled if a manufacturing or design defect is found, but you can't buy software that works?

It looks like fraud to me.

Re:Non-Affected Software (1)

DavidIQ (971233) | more than 3 years ago | (#34765386)

Your 15 year-old statement for automotive defects is incorrect. From http://www.enotes.com/everyday-law-encyclopedia/recalls-by-manufacturers [enotes.com] :

There are a few restrictions on consumers' rights to take advantage of recalls. For example, there is a limitation regarding the age of the vehicle. In order to be eligible for free repairs, refund, or replacement, the vehicle must be less than 8 years old on the date the defect.

So you'll be notified...but it'll be up to you to fix it out of your own pocket after that. The equivalent here would be that you'd have to buy a new OS. Besides you're comparing safety recalls, which can cause death, to a software "bug" that is actually caused by the user themselves. Also your statement about "free software getting patched seemingly forever" is totally false, incorrect, and misleading. There are tons of free software that is unsafe and no longer being maintained or patched. Does that sound like fraud too? No...more like the EoL of software (that sounds familiar...)

Two minor bits... (1)

symbolset (646467) | more than 3 years ago | (#34763906)

1. Windows XP still has more market share [hitslink.com] (57%) than Windows Vista (12%) and Windows 7 (21%) combined. More to the point since Vista and XP are affected, more than three quarters of Windows systems are affected. They should care. We sure as hell care. If all Microsoft cares about is W7, that tells us a lot about their commitment to support and security. It's not 2002 [cnet.com] any more. It's now 2011, and if being "all in" in the cloud and "all in [infoworld.com] " in mobile, and committed to "Dynamics [devsource.com] " (whatever the heck that was) has distracted from their commitment to security, then we need to know because WE USE THEIR SOFTWARE for more than a year or two.

2. Windows is a brand. A label. A blank symbol. It's not, and never was an operating system. It has been an operating environment for some time, or as some would say, several. It doesn't, and can't, "give a flying fuck" about anything. Windows is a brand that's owned by a legal fiction, a "corporate person". Since there is some fictional personhood attached to the legal entity Microsoft, and some history, we may be able to ascribe some motivation to that with the understanding that anthropomorphizing soulless corporations is in itself a trap. Some here would probably say that Microsoft is the cruel bargainer the devil himself hopes to be someday, but at least we're agreed that it has some personification to hang motivations on. Please don't say "Windows" when you mean "Microsoft" it confuses many issues. They also make very good mice. Ok, they don't actually make the mice, but you should get my drift.

And yeah if it drives adoption of their new product off of their old product without too much escape to actually good product as a goal, we'd all have thunk it. Because that's what they do. The prevention of actual progress is their goal.

Re:Non-Affected Software (2)

onionman (975962) | more than 3 years ago | (#34762198)

Non-Affected Software...
Windows Server 2008 R2 for Itanium-based Systems

Good thing for that guy!

Interesting, but .. (1)

ackthpt (218170) | more than 3 years ago | (#34760684)

A co-worker and I have witnessed multiple attempts by CutePDF Writer to install itself, unbidden. I haven't ever used it, as far as I know and haven't been to any pages I can think of which would require me to save something in PDF. As a wary user I don't trust anything which just pops up without my asking, particularly to install software. Could this be the result of accessing a web page which is retrieving content from a compromised site? Seems such that the CutePDF install request could really be a spoof trying to install malware.

Re:Interesting, but .. (1)

BitZtream (692029) | more than 3 years ago | (#34760922)

I've found CutePDF bundled with a few other packages that seemed extremely odd, perhaps you installed it without noticing that you didn't uncheck a box on some stupid installer? It seems to be the next big thing for shoveling crapware (not that I think CutePDF is crapware, I actually like it) on people without them consenting. I say without consent not because they never give you the option to not install it (some do) but because they intentionally obscure the option or wording so you don't realize that it's going to install something, or they make it an opt out, where you have to check the box to not install it rather than the natural assumption of checking it to install it.

Re:Interesting, but .. (1)

ackthpt (218170) | more than 3 years ago | (#34761614)

I've found CutePDF bundled with a few other packages that seemed extremely odd, perhaps you installed it without noticing that you didn't uncheck a box on some stupid installer? It seems to be the next big thing for shoveling crapware (not that I think CutePDF is crapware, I actually like it) on people without them consenting. I say without consent not because they never give you the option to not install it (some do) but because they intentionally obscure the option or wording so you don't realize that it's going to install something, or they make it an opt out, where you have to check the box to not install it rather than the natural assumption of checking it to install it.

Second thing I did was look through all installed software - no CutePDF anywhere. I found a CutePDF.tmp running when checking tasks. It's highly unusual.

Obligatory (1)

dragonhunter21 (1815102) | more than 3 years ago | (#34761292)

Oh, FORK THAT!

What does zero-day mean now? (1)

shish (588640) | more than 3 years ago | (#34761372)

I always thought that "zero-day" means "before the product is released publicly" -- so eg "zero-day crack" would be a cracked, leaked copy of some software, "one-day exploit" would be an exploit found the same day it was released, etc. But now it seems that "zero-day" is being applied to absolutely every exploit ever. Am I totally mis-remembering? Mis-understanding? Can anyone explain?

it is a one-day now (1)

poppopret (1740742) | more than 3 years ago | (#34761562)

The moment Microsoft confirmed the zero-day, it was no longer a zero-day. Microsoft can never become aware of a zero-day, because by doing so they make it a one-day.

zero-day release isn't quite the same (2)

YesIAmAScript (886271) | more than 3 years ago | (#34761742)

We're talking about a zero day exploit not a zero-day release.

With a zero-day exploit it means you had zero days of warning to patch the flaw before an exploit was spotted in the wild. So basically it means someone out there found this bug on their own and was using it for their own nefarious means before the good guys even knew about the existence of the bug.

Not every exploit is a zero-day one, but for some reason they are all called zero-day exploits now.

This one doesn't seem like a zero-day exploit since the bug was found 20 days before there was any known exploit.

Re:zero-day release isn't quite the same (1)

Rashkae (59673) | more than 3 years ago | (#34761816)

That is Microsoft's new definition of zero day. Traditionally, Zero day exploit means that the software maintainer/creator did not know about the flaw until after an exploit is in the wild. However, according to the summary, this flaw was publicly announced at a security conference December 15. So in Microsoft speech, Zero-day now means an exploit to a known flaw they never bothered to patch.

Would starcraft 2 custom games be vulnerable? (1)

Rooked_One (591287) | more than 3 years ago | (#34762364)

The article noted affecting a graphics rendering engine... There are lots of custom games on starcraft 2 and a LOT of players making their own maps...

Re:Would starcraft 2 custom games be vulnerable? (0)

Anonymous Coward | more than 3 years ago | (#34762622)

In-game, probably not.

Holy cow! (1)

ericvids (227598) | more than 3 years ago | (#34762442)

They discovered an exploit to give us zero-day hours? And it's confirmed? W00t! Better call Stephen Hawking! ... oh.

pfff (0)

Anonymous Coward | more than 3 years ago | (#34763212)

I am still tired of ms win7 giving me the worst, most shtlss performance of any o/s ever. At least if they tank I will not have any expectations of at least moderate performance.

Sorry!! I am one guy they forgot to bribe and have been using IT for 30 years, so the sht on a platter that they sell is nothing so spellbinding for me.

As long as you keep buying their repackaged useless crap the more they will ignore you and the issues. Remember when they kept saying vista and win7 were built from the ground up - LMFAO forgot about that didn't you?

Re:pfff (1)

VGPowerlord (621254) | more than 3 years ago | (#34764674)

Remember when they kept saying vista and win7 were built from the ground up - LMFAO forgot about that didn't you?

They did? I remember them saying that it was originally being built on the Windows XP codebase, but MS dropped what they currently had and started rebuilding Vista on top of the Windows Server 2003 Service Pack 1 codebase, but that's hardly "building from the ground up."

Stupid signedness at work again (1)

koro666 (947362) | more than 3 years ago | (#34765700)

Developers need to stop using ints when unsigned ints would have done the job.

Then all those "oh god, we did not anticipate a negative number here!" bugs would be fixed already.
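
The signed-versus-unsigned point in the comment above, as an added example that is not part of the thread and not code from any Microsoft component: a count field read from a record is checked once as an int and once as an unsigned int, then used in a bounded loader. The record layout, `TABLE_CAP`, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_CAP 256u /* entries the fixed-size destination table holds */

/* Constructed sample records: 4-byte little-endian count, then 4-byte entries.
 * Hypothetical layout for illustration, not a real file format. */
static const uint8_t REC_OK[]  = { 2, 0, 0, 0,  0x44, 0x33, 0x22, 0x11,
                                   0x88, 0x77, 0x66, 0x55 };
static const uint8_t REC_NEG[] = { 0xFF, 0xFF, 0xFF, 0xFF }; /* count = -1 as int */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Signed count, upper bound only. Returns the byte length a following copy
 * would be given (0 if rejected or empty); the copy itself is left out. */
size_t copy_len_signed(const uint8_t *rec) {
    int32_t count = (int32_t)rd_le32(rec);   /* 0xFFFFFFFF becomes -1 */
    if (count > (int32_t)TABLE_CAP)
        return 0;
    return (size_t)count * sizeof(uint32_t); /* -1 converts to a huge size_t */
}

/* Same check with an unsigned count: the "negative" value is now a very
 * large number and fails the upper bound. */
size_t copy_len_unsigned(const uint8_t *rec) {
    uint32_t count = rd_le32(rec);
    if (count > TABLE_CAP)
        return 0;
    return (size_t)count * sizeof(uint32_t);
}

/* Full loader: unsigned count, bounded by the table and by the bytes actually
 * present in the record. Returns the entry count, or -1 on rejection. */
int load_table(const uint8_t *rec, size_t rec_len, uint32_t table[TABLE_CAP]) {
    if (rec_len < 4)
        return -1;
    uint32_t count = rd_le32(rec);
    if (count > TABLE_CAP || (rec_len - 4) / 4 < count)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        table[i] = rd_le32(rec + 4 + 4 * (size_t)i);
    return (int)count;
}

int main(void) {
    uint32_t table[TABLE_CAP];
    printf("signed check,   count=-1: copy length %zu\n", copy_len_signed(REC_NEG));
    printf("unsigned check, count=-1: copy length %zu\n", copy_len_unsigned(REC_NEG));
    printf("load_table(REC_OK)  = %d\n", load_table(REC_OK, sizeof REC_OK, table));
    printf("load_table(REC_NEG) = %d\n", load_table(REC_NEG, sizeof REC_NEG, table));
    return 0;
}
```
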
