Microsoft Acknowledges New Windows Zero-Day Flaw

This week, a security vulnerability researcher used Twitter to blurt out information about a zero-day flaw in Windows for some reason. So Microsoft was forced to acknowledge it, and says it will fix the flaw on the next scheduled Patch Tuesday.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft statement explains. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!


That statement is surprisingly uncritical of the idiot who published information about the vulnerability on Twitter with a link to proof-of-concept software code on GitHub.

I am not linking to that tweet on purpose. But as The Register reports, the flaw was quickly confirmed by CERT/CC vulnerability analyst Will Dormann.

“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system,” he tweeted. “[Local privilege escalation] right to SYSTEM!”

What really sucks here, frankly, is that the security vulnerability researcher not only tweeted information about the vulnerability publicly, and without first warning Microsoft, but they also apparently tried to sell this information about a month earlier.

“A Reddit user with the same name [as the Tweeter] posted a number of times on Reddit asking about ‘selling Windows 0days’,” ZDNet reports. “However, at the time of writing, the posts have been deleted.”

And that researcher has since apologized for their actions, noting that “[they] screwed up, not [Microsoft]. (they are actually a cool company). Depression sucks … Anyway, I’m done with security.”

A bewildered world thanks you for the career change.


Conversation 21 comments

  • chrisrut

    Premium Member
    29 August, 2018 - 9:26 am

    What a world… Fortunately the next Patch Tuesday isn't that far off. But naturally it's the day I'm flying to EU… Lovely…

    I wonder if society needs to move toward a higher standard of accountability on public postings… Should freedoms – like speech – include a concomitant responsibility for outcomes?

    • Daekar

      29 August, 2018 - 9:38 am

      In reply to chrisrut:

      Tempting. However, that's like blaming the person that pointed out an unlocked safe door for the actions of the thieves that steal the money. If we take this road, it is going to be pretty damn ugly in short order.

      • marshalltm

        Premium Member
        29 August, 2018 - 9:50 am

        In reply to Daekar:

        You make a good point and in general I agree. But this guy spray-painted on the front of the building, “unlocked safe inside”. Free speech is defined at the margins, by dubious behavior. It definitely is wrong, but I guess a free society means it should remain legal.

      • Sprtfan

        29 August, 2018 - 9:53 am

        In reply to Daekar:

        I don't think that analogy really works. It is more like there is a locked safe and I can give you detailed plans on how to break into the building and the safe. If you plan a break-in and someone else does it, I think you'd still be an accomplice.

      • AnOldAmigaUser

        Premium Member
        29 August, 2018 - 9:57 am

        In reply to Daekar:

        Not sure if your analogy is correct… one can take simple actions to close the safe or post a guard once someone points out the door is open. This cannot be done in this case; whether Microsoft releases an out-of-band patch or fixes it on the next Patch Tuesday, this exploit will be usable until then.

        I am not a fan of limiting free speech, but I think the ability to claim free speech also requires taking personal responsibility for the statement… if you are going to say these things, you should not be able to hide behind a pseudonym.

      • RonH

        Premium Member
        29 August, 2018 - 11:38 am

        In reply to Daekar:

        He did try to sell the vulnerability…

    • jbinaz

      29 August, 2018 - 9:50 am

      In reply to chrisrut:

      Outcomes for freedoms of speech (and other forms of freedom) that are harmful come about because of laws. Libel and slander come to mind, and while that probably wouldn't apply in this case, if someone does get harmed from this vulnerability, they can seek recourse via lawsuit.

  • jchampeau

    Premium Member
    29 August, 2018 - 11:14 am

    Is "Path Tuesday" the Barcelona version of Patch Tuesday?

  • lvthunder

    Premium Member
    29 August, 2018 - 11:34 am

    It sounds like a mentally disturbed individual. I hope he seeks the help that he desperately needs. Between his original tweet, which I read somewhere else, and this one, he definitely needs help.

    • Jaxidian

      30 August, 2018 - 12:16 pm

      In reply to lvthunder:

      Aren't most of us in IT somewhat mentally disturbed? I mean, who would want to sit on their butts all day and kill their health just to see a bunch of little lights light up all day and then have all of our family members and in-laws ask us how to find their documents on their computers and clean out the malware they install once an hour? I mean, really, IT kinda sucks. :-P

  • SRLRacing

    29 August, 2018 - 2:31 pm

    Basically, he tried to hit it big by selling a Windows vulnerability on the open market. Failed. And instead of turning it in to Microsoft's bug bounty program, where he could still possibly get paid and do the right thing as a security researcher, he decides to tweet it for free? Smart one.

  • jamiet

    29 August, 2018 - 10:24 pm

    Sounds like the guy was just wanting attention.

  • Pierre Masse

    30 August, 2018 - 12:17 am

    Pseudonyms don't guarantee your anonymity nowadays. I bet some big arms from Microsoft got to the guy and made an "offer" he couldn't refuse.

  • randallcorn

    Premium Member
    30 August, 2018 - 12:40 pm

    Could have been like the NSA and don't tell anyone about the security flaw so they could take advantage of it to "keep us safe".


Thurrott © 2024 Thurrott LLC