Microsoft's software updates in July failed to address two vulnerabilities in SharePoint, allowing attackers, including state-sponsored groups, to execute code remotely. After an exploit was showcased at the Pwn2Own competition in May, the researcher provided Microsoft with a detailed write-up of the method. However, attackers subsequently used this information to create a zero-day exploit. This situation raises concerns about the security of disclosed vulnerabilities and the implications of unpatched systems.
A leak happened here somewhere,” Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register. “And now you’ve got a zero-day exploit in the wild, and worse than that, you’ve got a zero-day exploit in the wild that bypasses the patch, which came out the next day.
The most recent contest occurred in Berlin, beginning May 15. On day 2 of the event, Vietnamese researcher Dinh Ho Anh Khoa combined an auth bypass and an insecure deserialization bug to exploit Microsoft SharePoint and win $100,000.
After demonstrating a successful exploit, the bug hunter and vendor are whisked away into a private room where the researcher explains what they did and provides the technology company with a full write-up of the exploit. Assuming it's not a duplicate or already known vulnerability, the vendor then has 90 days to issue a fix before the bug and exploit are made public.
So Microsoft received the working exploit in a white paper describing everything on that day.
Collection
[
|
...
]