MS Windows Local Privilege Escalation Zero-Day in The Wild

fireeye ^ | November 27, 2013 | Xiaobo Chen and Dan Caselden

[Utilizer]

Article has link to MS security advisory. Comments and suggestions also on "http://tech.slashdot.org/story/13/11/29/1936245/new-windows-xp-zero-day-under-attack"

[flintsilver7]

?

Windows XP is more than ten years old and it’s four versions old.

[Utilizer]

I run several flavours of ‘doze in quite a few machines for testing purposes. This is yet another reminder of why I never allow any machine not running Linux to connect to the Internet.

[Utilizer]

Some of us still run other versions of OS than ‘doze 8.1-latest.

[Utilizer]

You coders might wish to explore if a similar exploit exists in other releases, just in case.

[JRandomFreeper]

Ping.

And what is a Windoze?

/johnny

[Steely Tom]

Every year, I find Adobe a little more annoying.

The number one thing about them I find annoying is the way you have to watch their installer like a hawk.

If you don’t read every word of every screen, you will end up installing Google Chrome and the Google Toolbar on your Windows computer.

This is true of both Flash and Acrobat, and who knows what else.

[Kirkwood]

As of 2013, 1/3rd of all PCs are still running XP.

[Utilizer]

*snicker* If you had ever run a PC game in DOS and then attempted to run the same game in windows, you would already understand the “doze” reference. Worse even than accessing the internet through AOL instead of a real browser and ISP. *grin*

[Utilizer]

It's not just Adobe. "Security" / Antivirus proggies are a constant headache since they seem to trash your system quite often, and the tales of MS updates rendering some poor user's computer inoperable are years-long in the histories.

Flash players I leave to only the last-stable version of whatever browser I happen to be using at the moment. Gave up on .pdf files long ago. I have a quite stable pdf-reader in Linux for the occasional need, but other than that -no thanks.

[null and void]

I use XP.

[Fzob]

Windows local privilege escalation vulnerability in the wild.

Sounds like someone should shoot it. What it is.

[Utilizer]

I know of quite a few individuals still running ‘doze v8.0, v7, Vista, XP, ME, and 2k. At over one hundred dollars apiece for each OS as it came out, that is over seven hundred dollars saved just in software. Add in the cost of new systems capable of running the “latest” software and the cost is unacceptable for most people living on a budget, let alone a small business on a shoestring.

[JRandomFreeper]

I've been using linux since slackware was on 6 floppy disks. I'm not familiar with windoze, past 3.1.

/johnny

[JimRed]

FireEye Labs has identified a new Windows local privilege escalation vulnerability in the wild. The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel.

Translation, please? In the wild? Kernel? Local privilege escalation vulnerability I think I get- risk of someone being able to do something on the machine that you are not permitted to do.

I grew up with #2 & 4 pencils, lined and unlined paper, fountain pens and ballpoints. Not to mention long division. Keyboards? Guys didn't do 'em- you had girl secretaries for typing. I'm barely catchin' up and more stuff keeps comin' along!

8^(

[Utilizer]

*laugh* No worries, mate. Means that if you are using the “Windows XP” operating system online there is the possibility that someone can take over your machine and endanger your personal files (modify, delete, or encrypt against your useage) or otherwise render your machine unusable.

[Utilizer]

Excerpt from the slashdot forums:

"It sounds like he might be running a PC based CNC system that uses a PC for control. You posted a DNC box that is for uploading programs via DNC which has always been serial. Some older PC based CNC controllers used the parallel port (especially common for stepper systems). Systems that used brushless servos typically used some type of dedicated hardware to close the servo loop and is commanded via the PC. Typically those were ISA cards with a DSP on board but also parallel based units were available.

I also support the PC based CNC systems at my place of work. The system is quite advanced and uses a real time subsystem which only supports Windows 2000/XP. One of the systems is XP and the others are Windows 2000. New software costs about 4k and depending on the drives used, may require new drives at a cost of $1700 per axis."

[Utilizer]

I run some quite advanced Engineering programs, as in the baseline package retails for five digits. They have releases for Unix and Windows-whatever-version machines. However, Linux Is Not UniX so there are some minor compatability issues.

Ask any of their engineers if they intend to produce a 'Mac' version if you need a bout of hilarity to liven up a business meeting.

[JRandomFreeper]

Before culinary school, I was an engineer. I understand mission specific requirements.

In retrospect, being a cook is less frustrating. ;)

/johnny

[Utilizer]

I hear you, mate. I remember not so long ago I was constantly going out on dates and spending everything I had attempting to find a keep-worthy woman and perhaps one not working solely on the furtherance of her career while attempting to remake this poor soul into something she deemed "better"

Then I took up studying Assembly Language.

Now I am a lot more calm and content in life. Much less stressful than attempting to understand women. *grin*