Chinese web giant finds Windows zero-day, stays schtum on specifics
Quihoo 360 plays the responsible disclosure game
Chinese company Quihoo 360 says it's found a Windows zero-day in the wild, but because it's notified Microsoft, it's not telling anyone else how it works.
In this Weibo post (unless you speak Mandarin you'll need a translation tool), the company announced an “APT attack” on the unspecified zero-day “on a global scale”.
It called the vulnerability a “double kill” bug, said it exploits “the latest version of Internet Explorer and applications that use the IE kernel”, and added that it's being spread in Microsoft Office documents that include a malicious Web page.
If a victim opens the document, the post claims, the malicious code will run in the background to execute the unspecified attack program.
Its only illustration of the attack is in the Chinese-language-annotated image below.
Microsoft would far prefer that users stopped using Internet Explorer and adopted its Edge browser instead. Some users are proving stubborn, though: according to Net Market Share, IE still has a rusted-on 12 per cent of the browser market.
That's why last week's Patch Tuesday plugged a serious, if legacy, IE vulnerability: CVE-2014-0322, a remote code execution bug. ®
Similar topics
Broader topics
Narrower topics
- Azure
- Bing
- BSoD
- Excel
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- .NET
- Office 365
- Outlook
- Patch Tuesday
- Pluton
- SharePoint
- Skype
- SQL Server
- Visual Studio
- Visual Studio Code
- Windows
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox
- Xbox 360
- Y2K
- Zero Day Initiative
