Zombie Vulnerability Affects Every Version of Windows


A team of researchers recently found a zombie vulnerability that affects every single version of Windows—including the Windows 10 preview. Microsoft has no plans to fix the vulnerability.


The vulnerability is a zombie because it is an undead version of a weakness first reported in 1997. Working with Cylance, security researchers at Carnegie Mellon's CERT Division found that the same weakness enables a new way of stealing usernames and passwords from Windows, as well as from software by 31 different vendors, including Adobe, Apple, Oracle and Symantec.

In short, an attacker can trick the Windows Server Message Block (SMB) client into surrendering login credentials when the user clicks on a certain kind of link: the client automatically tries to authenticate to a server the attacker controls, and that server records the username together with the NTLM challenge-response that Windows sends on the user's behalf. What leaks is a hashed credential rather than the plaintext password, but it can be cracked offline or relayed, which is why the researchers count it as stolen credentials.

Seems bad, right? It is worth pointing out that this vulnerability has only been demonstrated in the lab; it has not been seen exploited in the wild. So it is not as if a team of evil hackers has stolen millions of Microsoft passwords and gone on a shopping spree, though that already happened once this year. That said, Microsoft still hasn't released a patch for the vulnerability, apparently because it thinks the attack would be too complicated to pull off in practice.
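The practical check that follows from the description above is that the leak only succeeds if the victim's SMB client can actually reach the attacker's server. While the hole stays unpatched, the usual compensating control is to block outbound TCP 139 and 445 to anything outside the internal network at the perimeter and host firewall, and to watch for machines that try anyway. The script below is an added example written for this page, not code from Cylance, CERT or Microsoft: it parses Windows Firewall log records (the pfirewall.log text format; the sample lines are constructed) and flags outbound SMB connections to addresses outside an assumed set of internal networks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample records in the Windows Firewall log (pfirewall.log, version 1.5) layout.
# One internal SMB connection, two to an external host, one HTTPS connection, one inbound record.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-04-14 09:58:12 ALLOW TCP 10.0.0.5 10.0.0.20 49221 445 0 - 0 0 0 - - - SEND
2015-04-14 09:58:40 ALLOW TCP 10.0.0.5 203.0.113.7 49230 445 0 - 0 0 0 - - - SEND
2015-04-14 09:58:41 ALLOW TCP 10.0.0.5 203.0.113.7 49231 139 0 - 0 0 0 - - - SEND
2015-04-14 09:59:02 ALLOW TCP 10.0.0.5 198.51.100.9 49240 443 0 - 0 0 0 - - - SEND
2015-04-14 09:59:10 ALLOW TCP 203.0.113.7 10.0.0.5 445 49250 0 - 0 0 0 - - - RECEIVE
"""

# SMB over TCP (445) and NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Assumed internal ranges: RFC 1918 plus loopback and link-local. Everything else is
# treated as external. ipaddress.is_private is deliberately not used: it also classes
# the documentation ranges such as 203.0.113.0/24 as private, which would hide the
# constructed leaks above.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Finding:
    time: str
    src: str
    dst: str
    dst_port: int


def parse_line(line):
    """Split one pfirewall.log record into named fields; None for comments and blanks."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:          # the version 1.5 layout has 17 whitespace-separated fields
        return None
    return {"date": f[0], "time": f[1], "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5], "sport": f[6], "dport": f[7], "path": f[16]}


def find_outbound_smb(log_text):
    """Return outbound TCP connections on an SMB port to a non-internal destination."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] != "SEND" or rec["proto"] != "TCP":
            continue
        try:
            dport = int(rec["dport"])
        except ValueError:
            continue
        if dport in SMB_PORTS and not is_internal(rec["dst"]):
            findings.append(Finding(f"{rec['date']} {rec['time']}",
                                    rec["src"], rec["dst"], dport))
    return findings


if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_LOG):
        print(f"{f.time} {f.src} -> {f.dst}:{f.dst_port} outbound SMB to external host")
```

On a real host the log lives at %systemroot%\system32\LogFiles\Firewall\pfirewall.log once logging is enabled; a hit from a workstation means the machine attempted exactly the kind of connection the researchers describe, and the destination is the server that would have collected the credentials. The internal address list is the part to adapt to your own environment.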

Image via Shutterstock / Microsoft

Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22



I forgot my password to an old Windows 7 laptop I have. After a minute on Google, I found a way to easily reset the password by tricking Windows into bringing up CMD on the login screen, and a few command lines later, I had a new password. I like using Windows, but realizing how easy it was to change the admin password on Windows 7 is pretty unsettling.