Ever wondered how malicious viruses can enter your fully patched PC?

Microsoft just published a new security bulletin which reveals there is a bug in Windows which needs fixing immediately. Is this the key to understanding all these stories about dangerous viruses?

If you have followed the tech press these last few weeks, you will know that Flame is the most advanced virus ever found. It's so sophisticated that it can use a Bluetooth phone to spy on users, and it contained a highly sophisticated cryptographic attack which has never been seen before. https://plus.google.com/u/0/118292867302583509179/posts/fHyQtEcYrpw

Everything around it sounds scary, including the puzzle of how it could enter a fully protected Windows 7 computer. But is it really that hard?

What you need is a so-called zero-day exploit: a fancy name for a bug in Windows or one of the programs running on it which hasn't been discovered yet by Microsoft. As yesterday's bulletin shows, this is not as rare as you may think. Today's warning and temporary fix explain that a bug has been found which has gone unnoticed ever since XP and Office 2003 and still works on Windows 7.

Just by getting you to visit a carefully crafted webpage, an attacker could abuse this bug to get malicious code onto your system. This was not just a theoretical possibility: Google confirmed that they found it 'in the wild' and immediately reported it to Microsoft.

These bugs in code go unnoticed by Microsoft, but not by the people hunting for zero-day exploits. And don't think they are duly reported the moment someone stumbles upon them. Nope, they are just sold to the highest bidder by companies who get hundreds of thousands of dollars for a very good exploit.

Need some help finding one? Try French company http://www.vupen.com/english, which has a good track record after taking down Chrome and IE9 at last year's contest. "Exclusive and extremely sophisticated exploits for offensive security to help achieve offensive and lawful intercept missions using extremely sophisticated codes", says the website. The bummer? They only accept trusted countries and government agencies.

So although it sounds scary to hear about stealthy zero-day exploits found by spy agencies, the reality is that a well-funded war chest is sufficient for governments to buy a spare set of keys to your digital front door.

The security advisory: http://technet.microsoft.com/en-us/security/advisory/2719615
