…“The vulnerable driver ships with every version of Windows, up to and including Server 2025,” Adam Barnett, lead software engineer at Rapid7, said. “Maybe your fax modem uses a different chipset, and so you don’t need the Agere driver? Perhaps you’ve simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator.”…
To anyone misreading this, these exploits were patched yesterday and thus were included as the final patch for Windows 10 before the extended security updates requirements kick in.
Known exploits are always reported to the company first to give them time to patch it before releasing info on the exploits.
All Windows 10 users will continue to have access to the patches in this final freely available patch Tuesday for Windows 10. They just can’t get new updates without joining the ESU program.
I hate Microsoft too and only use Linux, but let’s stop the circlejerk of false claims here please and thank you.
Yeah, until something like this happens again a year or two down the line. Not to mention all unpatched or lagging systems
It already happened with Windows 7. They still released the patch there.
Zero-day means the company had 0 days to fix it before the exploits were made public. Maybe the headline is wrong?
Nope, 0-day means it was exploited in the wild before the company knew about it. Basically, the company had to rush to patch it because it was already being exploited. It means black-hat hackers found it and exploited it before the white/grey-hat hackers reported it. If white-hat hackers found it first, they’d have already alerted the company and given time to patch it before they announced the vulnerability. But since the black-hat hackers found it first, it was a 0-day.
0-day patches are often a bodge, at best. They often consist of “just disable the vulnerable component entirely” to give the company time to work on a more long-term solution. And that’s exactly what happened here. MS didn’t take time to actually fix the driver; They just ripped it out and said “sucks if you needed it. It’s gone now.”
Nope 0 days means
Zero-day vulnerability: A software flaw that attackers discover before the developer does.
Zero-day exploit: The method hackers use to take advantage of this unknown vulnerability.
Zero-day attack: An attack that uses a zero-day exploit to damage a system, steal data, or plant malware before a patch is available. This is a serious risk because no defenses are in place for this specific flaw yet.
The first is the most common one found in the press and is usually reported to the company so they can patch it, before press release.
But it would be weird to call something a “zero-day” if it wasn’t being exploited. Like if I discover a vuln, it shouldn’t be considered a zero-day, even if I report it, if I’m not exploiting it in the wild.
It was exploited. That’s how they proved it worked. They just didn’t exploit it to do anything nefarious.
Ahh TIL. Thanks for the clarification!
Perhaps, either that or they made a very quick fix making updates to address them the day before this patch release.