Zombie Vulnerability Affects Every Version of Windows

By Adam Clark Estes

A team of researchers recently found a zombie vulnerability that affects every single version of Windows — including the Windows 10 preview. Microsoft is downplaying the vulnerability.

The vulnerability is a zombie because it’s an undead version of a vulnerability that first appeared in 1997. Working with Cylance, a team of security researchers at Carnegie Mellon’s CERT Division found that the same weakness enables a new way of stealing usernames and passwords from Windows, as well as from software made by 31 different vendors, including Adobe, Apple, Oracle and Symantec.

Basically, a hacker can trick the Windows Server Message Block (SMB) protocol into surrendering login credentials if the user clicks on a certain kind of link.

Seems bad, right? Well, it’s worth pointing out that this vulnerability has only been recreated in the lab; it has not been exploited. So it’s not like a team of evil hackers has stolen millions of Microsoft passwords and gone on a shopping spree — though that already happened once this year. That said, Microsoft still hasn’t released a patch to fix the vulnerability, apparently because they think it would be too complicated to exploit. And people wonder why Windows has a bad reputation for security.
