Responsible for discovering this bug is Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro’s Zero-Day Initiative (ZDI), a project that intermediates the vulnerability disclosure process between independent researchers and larger companies.
ZDI experts reported the issue to Microsoft back in January, but Microsoft has yet to release a patch for this vulnerability. Yesterday, ZDI published a summary containing light technical details about the bug.
According to this summary, the vulnerability allows remote attackers to execute malicious code on users’ PCs.
“Due to the sensitivity of the bug, we don’t want to provide too many technical details until a full fix from Microsoft is available,” Brian Gorenc, director of Trend Micro’s Zero Day Initiative, told Bleeping Computer in an email today.
Flaw does not lead to full system compromise
Gorenc told us the vulnerability is not as dangerous as it sounds, as it does not allow a full system compromise.
“The flaw only allows code execution within a sandboxed environment,” Gorenc said. “An attacker would need additional exploits to escape the sandbox and execute their code on the target system.”
The vulnerability has received a 6.8 rating out of 10 on the CVSSv2 severity scale, which is a pretty high score, when compared to most vulnerabilities.
Microsoft is working on a patch
According to Gorenc, a patch is coming. “To the best of our knowledge, Microsoft does still intend to release a fix for this bug. However, they did not complete the fix within the timelines set out in our disclosure policy.”
ZDI usually gives companies 120 days to patch reported flaws before they go public with their advisories. According to a timeline of Microsoft’s replies, the OS maker had a hard time reproducing the proof-of-concept code needed to trigger the vulnerability, losing around 75% of the 120 disclosure timeline, leaving its engineers little time to put together and test a patch in time for May’s Patch Tuesday.
While Microsoft did not provide an exact timeline of when it plans to roll out a patch, a spokesperson confirmed they are working on a fix.
Highest Selling Technical Courses of Indian Cyber Security Solutions:
Cybersecurity services that can protect your company:
Other Location for Online Courses: