Slashdot Mirror


Researchers Catch Microsoft Zero-Day Used To Install Government Spyware (vice.com)

An anonymous reader quotes a report from Motherboard: Government hackers were using a previously-unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye. The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world. The hackers sent a malicious Word RTF document to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.

3 of 83 comments

  1. Re: Purpose of using Zero Day moniker? by Anonymous Coward, Score: 4, Informative

    Also, if MS put out a patch today then it wasn't a zero day until today.

    Zero day = the manufacturer doesn't know about it at all. Not how many days has a patch been available.

    If it's a backdoor then it was never a zero day as the manufacturer always knew it was there.

  2. Re: Purpose of using Zero Day moniker? by Monster_user, Score: 3, Informative

    Microsoft knew about it for far longer than just today. To patch an exploit, it first has to be reported. Then it has to be reported by a reputable source, with information on how to recreate it, in order to prove there is a flaw that can be exploited. Then the developers have to come up with a solution to the exploit, and then spend man-hours coding the remedy into a patch. The patch must then be tested to make sure it doesn't break existing functionality. If it breaks anything, then a judgement call regarding the patchability of the flaw, or a rewrite of the patch, will be required. Once the patch passes internal QA testing, it must then be rolled into the patch distribution system, and vendors notified of the patch's release and availability. The time it takes depends on the severity of the exploit, the complexity of the code affected, and the experience and creativity of the programmers resolving the issue. I'd expect the time Microsoft knew about this flaw to be "days" at minimum, especially given a standard release schedule of once a month.

  3. Re: NORTH KOREA or THE NSA by Plus1Entropy, Score: 3, Informative

    I think that's a bit disingenuous. Both things are threats to our liberty, in different ways and to different degrees. Just because I am concerned about Russia interfering in our elections doesn't mean that I am not concerned about the rise of the surveillance state.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.