• OMG! Run for the hills! FIVE new Windows zero-days published

    I love the headlines these days. “Microsoft warns meeeeelions of customers that the world is coming to an end!” “New zero-days announced and you better get patched NOW!” “Microsoft says your computer is at risk from Snidely Whiplash or somebody who looks just like him.”

    I just read a tweet from Catalin Cimpanu — the ZDNet security guy — that puts a refreshing spin on things.

    Seems that late last week the Trend Micro Zero Day Initiative, ZDI, published descriptions of five new Windows zero-days. Four of the five are Privilege Escalation Vulnerabilities. (OMG! Those are the WORST KIND.) Microsoft (those scoundrels!) didn’t patch them quickly enough, so ZDI acted according to its conventions – waited four months to give Microsoft time to fix the hole – and then published “a limited advisory.” I can read the Forbes headline already: More than a billion Windows users at risk and there’s no fix. Take THAT, you languid Windows lizards!
    The five zero-days aren’t very interesting. Microsoft told ZDI they wouldn’t be patching them any time soon. ZDI has a policy of disclosing what they’ve found if a particular security hole isn’t fixed in 120 days. Thus, the post.

    Here’s what Cimpanu says:

    These appear to be the most harmless 0-days in the history of 0-days, so no need to panic… and most likely the reason MSFT didn’t hurry to patch them

    And that seems, to me, to describe the situation perfectly.