
posted by Fnord666 on Saturday May 19 2018, @08:45AM
from the oops dept.

Submitted via IRC for SoyCow3941

An unidentified hacker group appears to have accidentally exposed two working zero-day exploits when it uploaded a weaponized PDF file to a public malware scanning engine. Samples submitted to such multi-engine scanners are shared with the participating antivirus vendors, which is how the file ended up in front of a researcher rather than staying private to its authors.

The zero-days were spotted by researchers at Slovak antivirus vendor ESET, who reported them to Adobe and Microsoft; both vendors shipped patches within two months.

Anton Cherepanov, the ESET researcher who noticed the zero-days among the flood of incoming malware samples, believes he caught them while the still-unidentified hacker(s) were fine-tuning their exploits.

"The sample does not contain a final payload, which may suggest that it was caught during its early development stages," Cherepanov said.

The two zero-days are CVE-2018-4990, a remote code execution bug in Adobe Acrobat/Reader, and CVE-2018-8120, a privilege escalation bug in the Win32k kernel component of Windows. Together they are the two halves of a typical sandbox-escaping chain: the Reader bug gets attacker code running inside the sandboxed PDF viewer, and the kernel bug is what lets it break out to the rest of the system.
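The kind of first-pass triage a defender runs on a suspicious PDF like the one described above, written here as an added example (it is not code from the article, from ESET or from anyone in this thread): it walks the file's objects, undoes two common obfuscations (hex-escaped names such as `/J#53` and FlateDecode-compressed streams) and flags the dictionary keys that give a PDF the ability to run script, fire actions automatically, launch programs or carry embedded files. The sample PDF, the key list and the function names are my own constructions; the script does not detect CVE-2018-4990 specifically, only the features a weaponized PDF typically needs to deliver a payload.

```python
import re
import zlib

# Constructed sample: a hand-built minimal PDF whose catalog /OpenAction points
# at a JavaScript action. It illustrates the file features worth flagging; it is
# not the sample ESET found and not an exploit for either CVE.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert\\(1\\);) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Dictionary keys that make a PDF worth a closer look: script execution,
# automatic actions, launched programs, embedded files, rich media, URIs.
RISKY_KEYS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/URI"]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(body):
    """Decode #XX hex escapes in PDF names so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), body)


def inflate_streams(body):
    """Replace FlateDecode streams with their inflated contents (best effort)."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not zlib data or truncated: leave it as-is
    return STREAM_RE.sub(repl, body)


def find_keys(body):
    """Return the risky keys present in one object body, in RISKY_KEYS order."""
    return [k.decode() for k in RISKY_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", body)]


def triage_pdf(data):
    """Map object number -> risky keys found in that object after de-obfuscation."""
    findings = {}
    for m in OBJ_RE.finditer(data):
        num = int(m.group(1))
        body = normalize_names(m.group(3))
        if b"/FlateDecode" in body:
            # inflated content may itself carry hex-escaped names
            body = normalize_names(inflate_streams(body))
        hits = find_keys(body)
        if hits:
            findings[num] = hits
    return findings


def flate_object(num, content):
    """Build one PDF object with a FlateDecode-compressed stream (constructed test input)."""
    return (b"%d 0 obj\n<< /Filter /FlateDecode >>\nstream\n" % num
            + zlib.compress(content) + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for num, keys in triage_pdf(SAMPLE_PDF).items():
        print(f"object {num}: {', '.join(keys)}")
```

A hit is a prompt to detonate the file in a sandbox or hand it to a full parser, not a verdict: this regex pass does not unpack PDF 1.5 object streams (`/ObjStm`) or non-Flate filters, and a document can be dangerous without any of these keys, as a pure parser bug in the viewer would be. Conversely, many legitimate forms carry `/JS` and `/AA`, so the output is for prioritising analyst time rather than blocking.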

Source: https://www.bleepingcomputer.com/news/security/shadowy-hackers-accidentally-reveal-two-zero-days-to-security-researchers/



  • (Score: 0) by Anonymous Coward on Saturday May 19 2018, @09:01AM (#681550)

    Just how I like my hackers! Shadowy, with the perfect smokey-eye! If only we had more really interesting Fine Articles like this here on the Home Shopping Soylent!

  • (Score: 0) by Anonymous Coward on Saturday May 19 2018, @10:18AM (#681559) (7 children)

    > reported the issues to Adobe and Microsoft, which in turn, had them patched within two months.

    Um, the phrasing makes it seem like that was a very fast response, but two months seems like a very long time for patching software security issues. It's almost criminally irresponsible when they have direct *proof* that black hats are almost ready to start exploiting them.

    Kudos to the sharp-eyed security researcher, and screw Adobe and MS.

    • (Score: 0) by Anonymous Coward on Saturday May 19 2018, @10:22AM (#681561) (6 children)

      Yes, seriously, 2 months AFTER the issue has been spotted "in the wild" is ridiculously bad, especially if no warning was given to users that they are under an immediate threat.

      • (Score: 0) by Anonymous Coward on Saturday May 19 2018, @11:09AM (#681569) (5 children)

        > Yes, seriously, 2 months AFTER the issue has been spotted "in the wild" is ridiculously bad

        Security analysis, development, QA and release are done by different departments each scheduling this fix around different issues.

        • (Score: 1, Insightful) by Anonymous Coward on Saturday May 19 2018, @12:14PM (#681571) (4 children)

          And NSA grace time, so they can take advantage for a while.

          • (Score: 1, Interesting) by Anonymous Coward on Saturday May 19 2018, @02:39PM (#681580)

            NSA has probably known about these issues for a long time, perhaps since their inception. Ditto other similar agencies. And proprietary software vendors just love calling any bug a zero day, it's pretty hard for the rest of us to prove otherwise...

          • (Score: 1, Interesting) by Anonymous Coward on Saturday May 19 2018, @05:44PM (#681616) (2 children)

            It's so weird that there is this idea that the US government has some kind of cooperation to get security holes. Sometimes the claim is purposely unpatched holes, and other times the claim is intentional backdoor access that the government forces or purchases.

            Come on, seriously... those companies are full of foreigners and unpatriotic leftists. They can't be trusted.

            I get $150,000 per year in a cheap location (like $300,000 per year in San Francisco) to make shit happen. We do things the hard way, same as probably every country that isn't China. If the government wants to hack into something, they pay millions of dollars for a team of people like me to think real hard. If a team of 5 works for 4000 hours while billing $200/hour (allowing overhead costs) then that is $4 million.

            I'm very glad there are no backdoors. That'd put my company out of business.

            • (Score: -1, Troll) by Anonymous Coward on Saturday May 19 2018, @05:59PM (#681621) (1 child)

              If you're telling the truth, you're scum who should be killed.

              If you're lying, you're scum who should be killed.

              Kill yourself and save us the trouble.

              • (Score: 0) by Anonymous Coward on Saturday May 19 2018, @06:36PM (#681635)

                We provide a needed service. We charge the market rate; feel free to bid on the contracts if you think you can do it cheaper.

                Throwing a $billion at this stuff is enough for hundreds of 0-day exploits. That is pocket change for the US government.

                Stuxnet is a great example. It had multiple 0-day exploits and some extra code. All together, it probably went for $50 million. It set back Iran's nuclear weapons program by years. That was a bargain.

                People may have died because of my work. I like that.

  • (Score: 3, Insightful) by requerdanos (5997) on Saturday May 19 2018, @06:31PM (#681633)

    > accidentally exposed two fully-working zero-days

    Okay. To determine whether an exploit is "fully working", "partially working", "an abject failure non-working", and so on, it's necessary to first know what the exploit was intended to do in the mind of its source, in order to compare that to the effect that the exploit actually has.

    Since we don't have this, "fully-working" is meaningless. (And "zero-days" just means "zero-day exploits." Thus)

    "accidentally exposed two working zero-day exploits"

    Now. Something that does not work is not an exploit, by definition. Something that is an exploit, by definition, works. Like "fully", the word "working" is just clickbaity padding. Down to:

    "accidentally exposed two zero-day exploits."

    Now, to determine whether the disclosure was accidental, again we need to know the mind of the uploader. We don't. "Accidentally exposed" becomes merely "uploaded."

    "uploaded two zero-day exploits."

    Since they were uploaded to "a public malware scanning engine" by persons unidentified, we are left with

    "anonymously disclosed two zero-day exploits to a public malware scanning engine"

    Which isn't nearly exciting in a clickbaity way.

    Maybe it's a super-exciting derring-do hacker spy thing, sure, but no evidence of such has been presented.
