Microsoft Acknowledges New Windows Zero-Day Flaw

Posted on August 29, 2018 by Paul Thurrott in Windows 10 with 20 Comments

This week, a security vulnerability researcher used Twitter to blurt out information about a zero-day flaw in Windows for some reason. So Microsoft was forced to acknowledge it, and says it will fix the flaw on the next scheduled Path Tuesday.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft statement explains. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”

That statement is surprisingly uncritical of the idiot who published information about the vulnerability on Twitter with a link to proof-of-concept software code on GitHub.

I am not linking to that tweet on purpose. But as The Register reports, the flaw was quickly confirmed by CERT/CC vulnerability analyst Will Dormann.

“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system,” he tweeted. “[Local privilege escalation] right to SYSTEM!”

What really sucks here, frankly, is that the security vulnerability researcher not only tweeted information about the vulnerability publicly, and without first warning Microsoft, but they also apparently tried to sell this information about a month earlier.

“A Reddit user with the same name [as the Tweeter] posted a number of times on Reddit asking about ‘selling Windows 0days’,” ZDNet reports. “However, at the time of writing, the posts have been deleted.”

And that researcher has since apologized for their actions, noting that “[they] screwed up, not [Microsoft]. (they are actually a cool company). Depression sucks … Anyway, I’m done with security.”

A bewildered world thanks you for the career change.


20 responses to “Microsoft Acknowledges New Windows Zero-Day Flaw”

  1. chrisrut

    What a world... Fortunately the next Patch Tuesday isn't that far off. But naturally it's the day I'm flying to EU... Lovely...

    I wonder if society needs to move toward a higher standard of accountability on public postings... Should freedoms - like speech - include a concomitant responsibility for outcomes?

    • Daekar

      In reply to chrisrut:

      Tempting. However, that's like blaming the person that pointed out an unlocked safe door for the actions of the thieves that steal the money. If we take this road, it is going to be pretty damn ugly in short order.

      • marshalltm

        In reply to Daekar:

        You make a good point and in general I agree. But this guy spray-painted on the front of the building, “unlocked safe inside”. Free speech is defined at the margins, by dubious behavior. It definitely is wrong, but I guess a free society means it should remain legal.

      • Sprtfan

        In reply to Daekar:

        I don't think that analogy really works. It is more like there is a locked safe and I can give you detailed plans on how to break into the building and the safe. If you plan a break-in and someone else does it, I think you'd still be an accomplice.

      • AnOldAmigaUser

        In reply to Daekar:

        Not sure if your analogy is can take simple actions to close the safe or post a guard once someone points out the door is open. This cannot be done in this case, whether Microsoft releases an out of band patch or fixes it on the next patch Tuesday, this exploit will be usable until then.

        I am not a fan of limiting free speech, but I think the ability to claim free speech also requires taking personal responsibility for the statement...if you are going to say these things, you should not be able to hide behind a pseudonym.

      • RonH

        In reply to Daekar:

        He did try to sell the vulnerability....

    • jbinaz

      In reply to chrisrut:

      Outcomes for freedoms of speech (and other forms of freedom) that are harmful come about because of laws. Libel and slander come to mind, and while that probably wouldn't apply in this case, if someone does get harmed from this vulnerability, they can seek recourse via lawsuit.

  2. jchampeau

    Is "Path Tuesday" the Barcelona version of Patch Tuesday?

  3. lvthunder

    It sounds like a mentally disturbed individual. I hope he seeks the help that he desperately needs. Between his original tweet which I read somewhere else and this one he definitely needs help.

    • Jaxidian

      In reply to lvthunder:

      Aren't most of us in IT somewhat mentally disturbed? I mean, who would want to sit on their butts all day and kill their health just to see a bunch of little lights light up all day and then have all of our family members and in-laws ask us how to find their documents on their computers and clean out the malware they install once an hour? I mean, really, IT kinda sucks. :-P

  4. SRLRacing

    Basically, he tried to hit it big by selling a Windows vulnerability on the open market. Failed. And instead of turning it in to Microsoft's bug bounty program, where he could still possibly get paid and do the right thing as a security researcher, he decides to tweet it for free? Smart one.

  5. jamiet

    Sounds like the guy was just wanting attention

  6. Pierre Masse

    Pseudonyms don't guarantee your anonymity nowadays. I bet some big arms from Microsoft got to the guy and made an "offer" he couldn't refuse.

  8. randallcorn

    Could have been like the NSA and don't tell anyone about the security flaw so they could take advantage of it to "keep us safe"