Microsoft Failed to Fix a Zero-Day and Now Every Version of Windows Is at Risk

A somewhat hyperbolic headline.

> An attacker using the methods described must already have access and the ability to run code on a target victim’s machine

And Microsoft are aware of it, and will do something about it.

ISayISayISay

Can someone more versed in security tell me why this is true?

> This isn’t a remote exploit though, so bad actors would need physical access to your device to carry out the attack.

And if this is true, then why is this vulnerability such a big deal? I can carry out a pretty simple ddos attack if I had physical access to your machine… by pouring maple syrup on your motherboard. If a malicious actor got physical access to my machine, I would immediately assume everything is already compromised.

SyrupLamp

> Requires physical access to the machine

Then who fucking cares? If an attacker has physical access to your machine you’re fucked regardless (the so-called “evil maid” scenario). Yeah, they could do this, or do literally anything else. They could install a physical keylogger, get your encrypted data by dumping liquid nitrogen on your RAM to preserve the data while it’s quickly transferred to another machine (assuming it was unencrypted at the time), boot into a live Linux distro to bypass Windows entirely, pull out the HDD and do forensics, or literally anything else.

iprocrastina

I remember a post a few days ago about this. I downloaded the sample code but I couldn’t get it to work the way I’d seen it shown. If I run it normally it just tells me the arguments, even though the examples I’ve seen have it running without arguments. I did notice in the code some references to Microsoft Edge. I’ve got a bunch of MS Edge stuff stubbed out via Image File Execution Options, which could be why it doesn’t work. Though there’s no description of how Edge is related to this exploit either; if it’s Windows Installer, why is that service involved?

BCProgramming

How about not pushing out bullshit code and leaving it to the customer base to identify these issues. It might mean a slightly smaller yacht for some middle manager, but not impossible.

ToughGrape7560