Slashdot Mirror


Microsoft Confirms Zero-Day Hours After Exploit

CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."

53 comments

  1. Bashfest by Microlith · · Score: 1, Interesting

    You should check out the one-sided bashfest that was posted on Ars Technica over this.

    If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing, and had several days of notice that the new version was going to be released (not that the new version appears to have mattered.)

    1. Re:Bashfest by Microlith · · Score: 4, Informative

      Oh wait, this is a NEW bug. Not the one noted above. Silly me.

    2. Re:Bashfest by BBTaeKwonDo · · Score: 3, Informative

      That's a different exploit. The new one at http://www.microsoft.com/technet/security/advisory/2490606.mspx affects the graphics rendering engine, the one you linked to http://www.microsoft.com/technet/security/advisory/2488013.mspx refers to CSS.

    3. Re:Bashfest by Monkeedude1212 · · Score: 3, Funny

      If the maintainer of the tool is to be believed, MS has known of this flaw for almost six months and done nothing

      In all fairness, bugreport@microsoft.com is just an Exchange mailbox that forwards to gates@microsoft.com, which Bill lost the password to years ago and simply started up bgates@microsoft.com, and forwarded the old address to the new one, and then because his wife was a little untrustworthy she secretly went into Active Directory one day and created an account, Jay Smith, and forwarded Bill's new account to jsmith@micrsoft.com and she checks that every other week or so, and of course Bill is no longer really with Microsoft, just a shareholder, so whenever she comes across a bug report she forwards it now to the new actual address, support@microsoft.com, which is actually a mailbox that no one checks regularly but they have an application designed to take in new emails and generate work tickets based on the requests, though it only does the generating of emails once a day. Then of course the IT Manager gets hundreds of these unassigned tickets a day, and he has to sift through them and designate them to the proper Microsoft Technicians who will then fix the bug, however the subject field in the application was only a few characters long and all the Manager could see was "FWD:FWD:FWD:FWD:..." and thought it was another chain message, so he put it in the junk folder.

      So really - while I believe the maintainer of the tool probably did try to inform MS of the flaw - I think he might have chosen the wrong email address.

    4. Re:Bashfest by Microlith · · Score: 1

      Right, which is why I replied to my own comment ;)

    5. Re:Bashfest by antifoidulus · · Score: 2

      Bashfest? I didn't think Windows shipped with the Bourne Again Shell, does this exploit install it?

      *Rimshot

    6. Re:Bashfest by Red+Flayer · · Score: 2

      Bashfest? I didn't think Windows shipped with the Bourne Again Shell, does this exploit install it?

      *Rimshot

      What the hell do Blackberries have to do with this exploit? Do Blackberries even run Windows?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    7. Re:Bashfest by Teun · · Score: 2

      + insightful!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  2. Would it kill you to link to the Microsoft article by BBTaeKwonDo · · Score: 4, Informative
  3. Re:Would it kill you to link to the Microsoft arti by vistapwns · · Score: 1

    Windows 7 is not affected, for people who are too lazy to click the link.

    --
    "...I think the Microsoft hatred is a disease." - Linus Torvalds
  4. avg sees 2nd link as a threat by Anonymous Coward · · Score: 0

    avg sees 2nd link as a threat

  5. Re:Would it kill you to link to the Microsoft arti by __aaqvdr516 · · Score: 3, Funny

    I'm too lazy to click the link. What about us under Win98?

  6. Non-Affected Software by BasharTeg · · Score: 4, Informative

    Non-Affected Software
    Windows 7 for 32-bit Systems
    Windows 7 for x64-based Systems
    Windows Server 2008 R2 for x64-based Systems
    Windows Server 2008 R2 for Itanium-based Systems

    1. Re:Non-Affected Software by Technician · · Score: 1

      Any version not using thumbnail view.

      Turn off thumbnail view.

      --
      The truth shall set you free!
    2. Re:Non-Affected Software by Red+Flayer · · Score: 2

      So Windows doesn't give a flying fuck about any OS that's already EOLed or it's EOLing soon?

      Who woulda thunk it?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    3. Re:Non-Affected Software by BitZtream · · Score: 0

      ...

      WTF?

      The current OSes are not affected, could just be an accident, could be a bug that someone found during Windows 7 development and didn't bother to see that it got backported to Vista or XP.

      MS didn't say 'we're not going to fix it!'

      They said 'we're not going to fix it outside our normal patch release schedule'.

      There's a big difference.

      In reality however.

      No, MICROSOFT does not give a shit about any OS that has been officially end of lifed, do you expect them to fix bugs and add features to old versions of the OS forever? They're just supposed to maintain all their old products till the end of time?

      Please show me one manufacturer that supports their products after 'end of life'. End of life means ... it's fucking dead jim, move the fuck on, we're not supporting it any more.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:Non-Affected Software by Red+Flayer · · Score: 3, Informative

      My point was that MS hasn't bothered to hotfix it because it doesn't affect their latest-gen OSes... even though some of the OSes it DOES affect are not yet EOLed.

      Did you miss the part about this affecting OSes that aren't yet EOLed (but will be in the next year or so)?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    5. Re:Non-Affected Software by mug+funky · · Score: 1

      if you can hold off from running every exe you get in your email until next tuesday, you'll be fine.

      honestly, it's not like every zero-day is a new botnet.

    6. Re:Non-Affected Software by Anonymous Coward · · Score: 0

      Or perhaps some coder wrote some new code for Win7 that was forward ported to W2K8, without realizing that he'd just eliminated a security vulnerability.

    7. Re:Non-Affected Software by Culture20 · · Score: 1

      if you can hold off from running every exe you get in your email until next tuesday, you'll be fine.

      honestly, it's not like every zero-day is a new botnet.

      From FTA:
      "Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder."

    8. Re:Non-Affected Software by Culture20 · · Score: 1

      "hackers could hijack machines by convincing users to view a rigged thumbnail ... in an online WebDAV file-sharing folder." redirects to webdav sites are something hard for users to look out for on the web

    9. Re:Non-Affected Software by onionman · · Score: 2

      Non-Affected Software...
      Windows Server 2008 R2 for Itanium-based Systems

      Good thing for that guy!

    10. Re:Non-Affected Software by Anonymous Coward · · Score: 0

      or maybe it is because pretty much everyone at microsoft takes december off.

    11. Re:Non-Affected Software by hairyfeet · · Score: 3, Insightful

      Or maybe, just maybe, it could be because the bug is in the graphics rendering subsystem which had been changed and tweaked a lot for Win 7, and is therefore unaffected. Do you have ANY idea how many apps call upon the Windows graphics subsystems? And we are also talking about WinXP here, aka "hey lets all run as admin" which means apps can REALLY hook into the graphics subsystem and when the patch tweaks that?

      Don't forget that the big selling point of Windows is its backwards compatibility which means when you are gonna patch it damned well better be tested! Can you imagine the royal shitfits if everyone came to work on Wednesday after Patch Tuesday and found their PS Pro, Photoshop, Picasa, and many of the other apps that use graphics went tits up? Hell the support lines would be hit so hard it would be a miracle if the lines didn't melt.

      So don't blame on malice what can easily be explained by just requiring a shitload of work. Imagine YOU were tasked to fix a graphics subsystem in 10 year old code that the original designers have done skipped off to greener pastures? Where if you don't patch it just right you can break thousands of third party apps that you have NO control over but which your customers depend on? Man, I wouldn't want that job, no way in hell. I bet those guys have ulcers and are bald by 30 just from the stress.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Non-Affected Software by mcgrew · · Score: 1

      Please show me one manufacture that supports their products after 'end of life'.

      Ford, GM, Chrysler, Toyota, Honda... if a manufacturing or design defect is found in your fifteen year old car, the manufacturer will recall it and repair it. Why can't Microsoft fix all the bugs that are still in XP? They don't even have to recall it, just patch it over the internet.

      Why can you get free software that works, and gets patched seemingly forever, you can buy machinery that just works and is recalled if a manufacturing or design defect is found, but you can't buy software that works?

      It looks like fraud to me.

    13. Re:Non-Affected Software by mcgrew · · Score: 1

      So don't blame on malice what can easily be explained by just requiring a shitload of work

      Never attribute to malice what laziness will explain? I usually say attribute to incompetence or stupidity what greedy self-interest will explain, which isn't much different, I guess.

    14. Re:Non-Affected Software by DavidIQ · · Score: 1

      Your 15 year-old statement for automotive defects is incorrect. From http://www.enotes.com/everyday-law-encyclopedia/recalls-by-manufacturers:

      There are a few restrictions on consumers' rights to take advantage of recalls. For example, there is a limitation regarding the age of the vehicle. In order to be eligible for free repairs, refund, or replacement, the vehicle must be less than 8 years old on the date the defect.

      So you'll be notified...but it'll be up to you to fix it out of your own pocket after that. The equivalent here would be that you'd have to buy a new OS. Besides you're comparing safety recalls, which can cause death, to a software "bug" that is actually caused by the user themselves. Also your statement about "free software getting patched seemingly forever" is totally false, incorrect, and misleading. There are tons of free software that is unsafe and no longer being maintained or patched. Does that sound like fraud too? No...more like the EoL of software (that sounds familiar...)

  7. Re:Would it kill you to link to the Microsoft arti by davester666 · · Score: 0

    You all are still losers. Same as always.

    --
    Sleep your way to a whiter smile...date a dentist!
  8. Interesting, but .. by ackthpt · · Score: 1

    A co-worker and I have witnessed multiple attempts by CutePDF Writer to install itself, unbidden. I haven't ever used it, as far as I know and haven't been to any pages I can think of which would require me to save something in PDF. As a wary user I don't trust anything which just pops up without my asking, particularly to install software. Could this be the result of accessing a web page which is retrieving content from a compromised site? Seems such that the CutePDF install request could really be a spoof trying to install malware.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Interesting, but .. by BitZtream · · Score: 1

      I've found CutePDF bundled with a few other packages that seemed extremely odd, perhaps you installed it without noticing that you didn't uncheck a box on some stupid installer? It seems to be the next big thing for shoveling crapware (not that I think CutePDF is crapware, I actually like it) on people without them consenting. I say without consent not because they never give you the option to not install it (some do) but because they intentionally obscure the option or wording so you don't realize that it's going to install something, or they make it an opt out, where you have to check the box to not install it rather than the natural assumption of checking it to install it.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Interesting, but .. by ackthpt · · Score: 1

      I've found CutePDF bundled with a few other packages that seemed extremely odd, perhaps you installed it without noticing that you didn't uncheck a box on some stupid installer? It seems to be the next big thing for shoveling crapware (not that I think CutePDF is crapware, I actually like it) on people without them consenting. I say without consent not because they never give you the option to not install it (some do) but because they intentionally obscure the option or wording so you don't realize that it's going to install something, or they make it an opt out, where you have to check the box to not install it rather than the natural assumption of checking it to install it.

      Second thing I did was look through all installed software - no CutePDF anywhere. I found a CutePDF.tmp running when checking tasks. It's highly unusual.

      --

      A feeling of having made the same mistake before: Deja Foobar
  9. Re:Would it kill you to link to the Microsoft arti by Anonymous Coward · · Score: 0

    I spat my coffee out all over my 2 day old keyboard. Thank you.

  10. Obligatory by dragonhunter21 · · Score: 1

    Oh, FORK THAT!

    --
    Sent from my CR-48
  11. What does zero-day mean now? by shish · · Score: 1

    I always thought that "zero-day" means "before the product is released publicly" -- so eg "zero-day crack" would be a cracked, leaked copy of some software, "one-day exploit" would be an exploit found the same day it was released, etc. But now it seems that "zero-day" is being applied to absolutely every exploit ever. Am I totally mis-remembering? Mis-understanding? Can anyone explain?

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    1. Re:What does zero-day mean now? by Anonymous Coward · · Score: 0
  12. it is a one-day now by poppopret · · Score: 1

    The moment Microsoft confirmed the zero-day, it was no longer a zero-day. Microsoft can never become aware of a zero-day, because by doing so they make it a one-day.

  13. Taco was just being prudent... by Anonymous Coward · · Score: 0

    didn't want to accidentally /. Microsoft

  14. zero-day release isn't quite the same by YesIAmAScript · · Score: 2

    We're talking about a zero day exploit not a zero-day release.

    With a zero-day exploit it means you had zero days of warning to patch the flaw before an exploit was spotted in the wild. So basically it means someone out there found this bug on their own and was using it for their own nefarious means before the good guys even knew about the existence of the bug.

    Not every exploit is a zero-day one, but for some reason they are all called zero-day exploits now.

    This one doesn't seem like a zero-day exploit since the bug was found 20 days before there was any known exploit.

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:zero-day release isn't quite the same by Rashkae · · Score: 1

      That is Microsoft's new definition of zero day. Traditionally, Zero day exploit means that the software maintainer/creator did not know about the flaw until after an exploit is in the wild. However, according to the summary, this flaw was publicly announced at a security conference December 15. So in Microsoft speech, Zero-day now means an exploit to a known flaw they never bothered to patch.

  15. Re:Would it kill you to link to the Microsoft arti by Anonymous Coward · · Score: 0
  16. Would starcraft 2 custom games be vulnerable? by Rooked_One · · Score: 1

    The article noted affecting a graphics rendering engine... There are lots of custom games on starcraft 2 and a LOT of players making their own maps...

    1. Re:Would starcraft 2 custom games be vulnerable? by Anonymous Coward · · Score: 0

      In-game, probably not.

  17. Holy cow! by ericvids · · Score: 1

    They discovered an exploit to give us zero-day hours? And it's confirmed? W00t! Better call Stephen Hawking! ... oh.

    --
    Pet peeve: Profane people propagating perfunctory pedantry.
  18. Re:Would it kill you to link to the Microsoft arti by monkyyy · · Score: 1

    what av do u use?

    --
    warning pointless sig
  19. pfff by Anonymous Coward · · Score: 0

    I am still tired of ms win7 giving me the worst, most shtlss performance of any o/s ever. At least if they tank I will not have any expectations of at least moderate performance.

    Sorry!! I am one guy they forgot to bribe and have been using IT for 30 years, so the sht on a platter that they sell is nothing so spellbinding for me.

    As long as you keep buying their repackaged useless crap the more they will ignore you and the issues. Remember when they kept saying vista and win7 were built from the ground up - LMFAO forgot about that didn't you?

    1. Re:pfff by VGPowerlord · · Score: 1

      Remember when they kept saying vista and win7 were built from the ground up - LMFAO forgot about that didn't you?

      They did? I remember them saying that it was originally being built on the Windows XP codebase, but MS dropped what they currently had and started rebuilding Vista on top of the Windows Server 2003 Service Pack 1 codebase, but that's hardly "building from the ground up."

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  20. Two minor bits... by symbolset · · Score: 1

    1. Windows XP still has more market share (57%) than Windows Vista (12%) and Windows 7 (21%) combined. More to the point since Vista and XP are affected, more than three quarters of Windows systems are affected. They should care. We sure as hell care. If all Microsoft cares about is W7, that tells us a lot about their commitment to support and security. It's not 2002 any more. It's now 2011, and if being "all in" in the cloud and "all in" in mobile, and committed to "Dynamics" (whatever the heck that was) has distracted from their commitment to security, then we need to know because WE USE THEIR SOFTWARE for more than a year or two.

    2. Windows is a brand. A label. A blank symbol. It's not, and never was an operating system. It has been an operating environment for some time, or as some would say, several. It doesn't, and can't, "give a flying fuck" about anything. Windows is a brand that's owned by a legal fiction, a "corporate person". Since there is some fictional personhood attached to the legal entity Microsoft, and some history, we may be able to ascribe some motivation to that with the understanding that anthropomorphizing soulless corporations is in itself a trap. Some here would probably say that Microsoft is the cruel bargainer the devil himself hopes to be someday, but at least we're agreed that it has some personification to hang motivations on. Please don't say "Windows" when you mean "Microsoft" it confuses many issues. They also make very good mice. Ok, they don't actually make the mice, but you should get my drift.

    And yeah if it drives adoption of their new product off of their old product without too much escape to actually good product as a goal, we'd all have thunk it. Because that's what they do. The prevention of actual progress is their goal.

    --
    Help stamp out iliturcy.
  21. Stupid signedness at work again by koro666 · · Score: 1

    Developers need to stop using ints when unsigned ints would have done the job.

    Then all those "oh god, we did not anticipate a negative number here!" bugs would be fixed already.
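
The signedness pattern the comment above refers to, as an added example that is not part of the thread and is not Microsoft's code: a hypothetical palette parser whose entry count is checked once as a signed int and once as an unsigned value bounded by both the table size and the input length. The record layout, `MAX_COLORS`, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_COLORS 256u   /* capacity of the fixed palette table (assumed) */

/* Constructed samples: 4-byte little-endian entry count, then 4-byte entries. */
static const uint8_t SAMPLE_OK[]  = { 2,0,0,0, 0x11,0x22,0x33,0x00, 0xAA,0xBB,0xCC,0x00 };
static const uint8_t SAMPLE_NEG[] = { 0xFF,0xFF,0xFF,0xFF };  /* reads as -1 when signed */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern: the count is held in a signed int and only its upper bound
 * is tested. Returns 1 if the check lets the input through and stores the byte
 * length a later copy would use. Nothing is copied here. */
int signed_check_accepts(const uint8_t *buf, size_t len, size_t *copy_len)
{
    if (len < 4) return 0;
    uint32_t raw = read_le32(buf);
    /* Portable two's-complement reinterpretation of raw as int32_t. */
    int32_t count = (raw & 0x80000000u) ? -(int32_t)(~raw) - 1 : (int32_t)raw;
    if (count > (int32_t)MAX_COLORS) return 0;  /* -1 > 256 is false: accepted */
    *copy_len = (size_t)count * 4u;             /* -1 converts to a huge size_t */
    return 1;
}

/* Hardened pattern: unsigned count, bounded by the table capacity and by the
 * bytes actually present. Returns 0 on success, -1 on rejection. */
int load_palette_checked(const uint8_t *buf, size_t len,
                         uint32_t out[MAX_COLORS], uint32_t *n_out)
{
    if (len < 4) return -1;
    uint32_t count = read_le32(buf);
    if (count > MAX_COLORS) return -1;           /* 0xFFFFFFFF is rejected here */
    if ((len - 4) / 4 < count) return -1;        /* truncated input */
    for (uint32_t i = 0; i < count; i++)
        out[i] = read_le32(buf + 4 + 4 * (size_t)i);
    *n_out = count;
    return 0;
}

int main(void)
{
    size_t n = 0;
    uint32_t pal[MAX_COLORS], used = 0;
    int ok = signed_check_accepts(SAMPLE_NEG, sizeof SAMPLE_NEG, &n);
    printf("signed check accepts count -1: %d (copy length %zu)\n", ok, n);
    ok = load_palette_checked(SAMPLE_NEG, sizeof SAMPLE_NEG, pal, &used);
    printf("unsigned check on the same bytes: %d\n", ok);
    ok = load_palette_checked(SAMPLE_OK, sizeof SAMPLE_OK, pal, &used);
    printf("unsigned check on the valid sample: %d (%u entries)\n", ok, (unsigned)used);
    return 0;
}
```

The unsigned version still needs the explicit upper bound: the type change turns the negative value into a very large one, and it is the comparison against `MAX_COLORS` that rejects it.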

  22. Re:First Post by ae1294 · · Score: 1

    The honourable gentleman FAILS IT.

    Yes, I forget I was on /. where no one has a girlfriend and so erections aren't the needful...