The vulnerability is a zombie, because it’s an undead version of a vulnerability that first appeared in 1997. Working with Cylance, a team of security researchers at Carnegie Mellon’s CERT Division found that the same weakness enables a new way of stealing usernames and passwords from Windows, as well as from software made by 31 different vendors, including Adobe, Apple, Oracle and Symantec.
Basically, a hacker can trick the Windows Server Message Block (SMB) protocol into surrendering login credentials if the user clicks on a certain kind of link.
Seems bad, right? Well, it’s worth pointing out that this vulnerability has only been recreated in the lab; it has not been exploited. So it’s not like a team of evil hackers has stolen millions of Microsoft passwords and gone on a shopping spree—though that already happened once this year. That said, Microsoft still hasn’t released a patch to fix the vulnerability, apparently because they think it would be too complicated to exploit.