Chinese web giant finds Windows zero-day, stays schtum on specifics

Quihoo 360 plays the responsible disclosure game

Chinese company Quihoo 360 says it's found a Windows zero-day in the wild, but because it's notified Microsoft, it's not telling anyone else how it works.

In this Weibo post (unless you speak Mandarin you'll need a translation tool), the company announced an “APT attack” on the unspecified zero-day “on a global scale”.

polygonal canary

Windows 10 Spring Creators Update team explains the hold-up: You little BSOD!

READ MORE

It called the vulnerability a “double kill” bug, said it exploits “the latest version of Internet Explorer and applications that use the IE kernel”, and added that it's being spread in Microsoft Office documents that include a malicious Web page.

If a victim opens the document, the post claims, the malicious code will run in the background to execute the unspecified attack program.

Its only illustration of the attack is in the Chinese-language-annotated image below.

Quihoo360's enigmatc disclosure

Microsoft would far prefer that users stopped using Internet Explorer and adopted its Edge browser instead. Some users are proving stubborn, though: according to Net Market Share, IE still has a rusted-on 12 per cent of the browser market.

That's why last week's Patch Tuesday plugged a serious, if legacy, IE vulnerability: CVE-2014-0322, a remote code execution bug. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018