Oops! Missed One Fix — Windows Attacks Under Way
CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"
Pffff. What could possibly happen in only a month?
This guy's the limit!
I wondered this as well, it couldn't very well be remote code execution or privilege escalation or anything like that, so I opened up the article. It appears that Wordp
I will shortly be posting more details on this exploit in Wordpad format. Stay tuned!
This information is in the article, BTW.
In the what, now?
It's very simple, really; the attacker breaks into your home or office, knocks you unconscious with a blunt instrument, boots up your computer and opens Wordpad.
You mean all someone has to do is click on an attachment called "biggest breasts ever.wri"? Oh, NOBODY would be that dumb!
-- Wondering how long until the internet becomes fully corporatist, like television.
Oh please. Wordpad is like Notepad, only it can't make up its mind whether to be richtext or plaintext and it doesn't open files when you drop them into it.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
I'd put a notice at the top of the file. "This naughty image is only compatible with the following versions of Windows: ..."
I'm sure many victims would kindly downgrade as needed to make my exploit work.
"Strangers have the best candy" -Me