Microsoft confirms new Windows zero-day bug - Computerworld: "Microsoft today confirmed an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug.
A patch is under construction, but Microsoft does not plan to issue an emergency, or 'out-of-band,' update to fix the flaw.
The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake.
According to Metasploit, successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet.
The vulnerability exists in Windows' graphics rendering engine, which improperly handles thumbnail images, and can be triggered when a user views a folder containing a specially crafted thumbnail with Windows' file manager, or opens or views some Office documents.
Microsoft acknowledged the bug in a security advisory, and said Windows XP, Vista, Server 2003 and Server 2008 were vulnerable. The newest operating systems, Windows 7 and Server 2008 R2, were not."


