Slashdot Mirror


Microsoft Confirms Zero-Day Hours After Exploit

CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."

5 of 53 comments

  1. Would it kill you to link to the Microsoft article by BBTaeKwonDo · Score: 4, Informative
  2. Re:Bashfest by Microlith · Score: 4, Informative

    Oh wait, this is a NEW bug. Not the one noted above. Silly me.

  3. Re:Bashfest by BBTaeKwonDo · Score: 3, Informative

    That's a different exploit. The new one at http://www.microsoft.com/technet/security/advisory/2490606.mspx affects the graphics rendering engine; the one you linked to, http://www.microsoft.com/technet/security/advisory/2488013.mspx, refers to CSS.

  4. Non-Affected Software by BasharTeg · Score: 4, Informative

    Non-Affected Software
    Windows 7 for 32-bit Systems
    Windows 7 for x64-based Systems
    Windows Server 2008 R2 for x64-based Systems
    Windows Server 2008 R2 for Itanium-based Systems

    1. Re:Non-Affected Software by Red Flayer · Score: 3, Informative

      My point was that MS hasn't bothered to hotfix it because it doesn't affect their latest-gen OSes... even though some of the OSes it DOES affect are not yet EOLed.

      Did you miss the part about this affecting OSes that aren't yet EOLed (but will be in the next year or so)?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai