this post was submitted on 15 Oct 2025

418 points (99.3% liked)

Technology

76089 readers

2850 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

418

Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped (thehackernews.com)

submitted 1 day ago by Delta_V@lemmy.world to c/technology@lemmy.world

50 comments fedilink hide all child comments

..."The vulnerable driver ships with every version of Windows, up to and including Server 2025," Adam Barnett, lead software engineer at Rapid7, said. "Maybe your fax modem uses a different chipset, and so you don't need the Agere driver? Perhaps you've simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator."...

top 50 comments

sorted by: hot top controversial new old

[–] lechekaflan@lemmy.world 0 points 2 hours ago* (last edited 2 minutes ago) (1 children)

So put two and two and the vulnerability requires the presence of an installed modem. Not a network chipset. A fucking modem chipset or an external modem hooked up thru serial or USB.

The last PC that I used which also had an onboard modem was back in 2003. We stopped using dialup later that year and switched entirely to DSL.

Whatever. Somebody more knowledgeable about this looks hard at more specialized PCs that still use modems are likely to be brought down using this vulnerability.

[–] muusemuuse@sh.itjust.works 1 points 1 hour ago

Nope. You don’t need to be using the driver. The article explains that an attacker call upon it and exploit it simply because it is there.

[–] paraphrand@lemmy.world 63 points 23 hours ago* (last edited 23 hours ago) (5 children)

It’s interesting that this supposedly goes back to Windows 3.1 and the original release…

[–] 87Six@lemmy.zip 7 points 2 hours ago

Ah yes the 0-decade vulnerability...

Boi will I miss the ever-encompasing shield of Microsoft when my Windows 10 stops receiving updates...

[–] EndlessNightmare@reddthat.com 21 points 18 hours ago

I was curious about the "every version ever shipped."

This gets really old school.

[–] SnotFlickerman@lemmy.blahaj.zone 53 points 22 hours ago* (last edited 22 hours ago) (3 children)

Other articles make more clear why that is.

https://cyberpress.org/windows-agere-modem-driver-0-day-flaws/

Rather than issuing a traditional patch for each vulnerability, Microsoft’s October cumulative update completely removes the ltmdm64.sys driver from affected systems.

As a result, all fax modem hardware relying on the Agere Modem driver will cease to function. While mail and messaging over IP have largely supplanted analog modems, some industrial and legacy applications still depend on fax modems.

Organizations must therefore audit their environments for any remaining modem dependencies and either migrate to supported alternatives or implement workarounds where available.

Microsoft’s advisory explicitly recommends that customers eliminate any reliance on the deprecated hardware to avoid service disruptions.

So maybe not all the way back to the original release, but back to the first release that included this specific telephony modem driver, ltmdm64.sys. If I recall correctly, Windows 3.1 brought networking capabilities.

However, another article claims it has only been shipped with every version of Windows since 2006.

https://www.thestack.technology/windows-users-hacked-due-to-legacy-fax-modem-driver/

CVE-2025-24990 was credited to a security researcher going by the handle @shitsecure who told The Stack by DM “it’s a driver from 2006, never changed… I think it was historically shipped with everything, although that doesn’t make sense at all.”

Which honestly makes a lot more sense, since the "64" part of the driver name implies it's for 64 bit systems, which were first introduced in 2003.

Some more extraneous info on this driver/hardware:

https://www.sysnative.com/forums/drivers/1216/driver

https://theretroweb.com/chips/10725

https://en.wikipedia.org/wiki/Agere_Systems

[–] muusemuuse@sh.itjust.works 2 points 1 hour ago

That’s still a lot of people that use that damn driver. I know at least in medical billing there’s always someone still using a damn fax machine. Almost every claim passes through fax technology at some point, although more and more of it is being emulated.

Where I work, it’s used mostly by emergency rooms that don’t want to use anything else.

This is not an environment where you want an exploit.

[–] floquant@lemmy.dbzer0.com 2 points 2 hours ago

Are there any figures for how widespread that Agere chip is? I wonder if any German companies are going to be bit in the aas by this lol

[–] paraphrand@lemmy.world 8 points 22 hours ago* (last edited 22 hours ago) (1 children)

Thanks for the details!

I wonder how often they clean stuff up like this. That crossed my mind earlier, I’m sure there is a bunch of “dormant” software that could be cleaned out or made optional in some way.

But the making it optional idea is easier said than done. Especially from a standpoint of discoverability and usability.

[–] SnotFlickerman@lemmy.blahaj.zone 5 points 22 hours ago* (last edited 22 hours ago) (1 children)

Right, it was referenced in one of the articles that a bunch of legacy industrial machines likely still use this hardware, so the people using those old machines are probably going to have to go dig up PCI modems from that era without the Agere/Lucent chipset.

I'm sure you're right and there's lots of stuff they've missed like this over the years that they sort of kept on for compatibility but that opens exploits due to how old they are.

[+] adespoton@lemmy.ca -7 points 21 hours ago (1 children)

People using that legacy hardware generally can’t run Windows 10, which just ended support this month. The patch is only for Windows 11, which won’t run on older hardware.

[–] SnotFlickerman@lemmy.blahaj.zone 16 points 20 hours ago* (last edited 20 hours ago) (1 children)

The patch is for Windows 10, Windows 11, and Server 2008 up to Server 2025.

Further, there's companies that make custom-built modern machines that support classic PCI and modern operating systems and classic operating systems.

It's conceivable that legacy systems are using modern OSes with virtualization running a legacy OS and legacy PCI cards, for example. It's not beyond the realm of possibility.

https://nixsys.com/legacy-computers/pci-slot-computers

[–] mic_check_one_two@lemmy.dbzer0.com 3 points 3 hours ago

Further, there's companies that make custom-built modern machines that support classic PCI and modern operating systems and classic operating systems.

Yeah, some extremely expensive equipment at my job runs on Adobe Flash. Modern machines won’t even allow Flash to run because it’s so insecure. We just updated the control PC for that equipment last year; It’s a computer that is dual-booting Windows 11 and Windows XP. It boots into WinXP by default, to be able to run Flash. Then if you ever need to update it, you can swap over to Win11 to be able to connect to the internet.

[–] Agent641@lemmy.world 14 points 20 hours ago

Personally I blame Dave Plummer.

[–] Delta_V@lemmy.world 5 points 22 hours ago (1 children)

makes you wonder if/how/by who its been used all these years

[–] deathbird@mander.xyz 5 points 19 hours ago

I expect it's stuff like ATMs, Coinstar machines. Things that may need to phone home regularly but don't need to sit online constantly.

[–] SnotFlickerman@lemmy.blahaj.zone 173 points 1 day ago (2 children)

To anyone misreading this, these exploits were patched yesterday and thus were included as the final patch for Windows 10 before the extended security updates requirements kick in.

Known exploits are always reported to the company first to give them time to patch it before releasing info on the exploits.

All Windows 10 users will continue to have access to the patches in this final freely available patch Tuesday for Windows 10. They just can't get new updates without joining the ESU program.

I hate Microsoft too and only use Linux, but let's stop the circlejerk of false claims here please and thank you.

[–] floquant@lemmy.dbzer0.com 3 points 2 hours ago (1 children)

Yeah, until something like this happens again a year or two down the line. Not to mention all unpatched or lagging systems

[–] Alaknar@sopuli.xyz 1 points 2 hours ago

It already happened with Windows 7. They still released the patch there.

[–] sourhill@lemmy.sdf.org 11 points 1 day ago (3 children)

Zero-day means the company had 0 days to fix it before the exploits were made public. Maybe the headline is wrong?

[–] mic_check_one_two@lemmy.dbzer0.com 4 points 3 hours ago* (last edited 3 hours ago)

Nope, 0-day means it was exploited in the wild before the company knew about it. Basically, the company had to rush to patch it because it was already being exploited. It means black-hat hackers found it and exploited it before the white/grey-hat hackers reported it. If white-hat hackers found it first, they’d have already alerted the company and given time to patch it before they announced the vulnerability. But since the black-hat hackers found it first, it was a 0-day.

0-day patches are often a bodge, at best. They often consist of “just disable the vulnerable component entirely” to give the company time to work on a more long-term solution. And that’s exactly what happened here. MS didn’t take time to actually fix the driver; They just ripped it out and said “sucks if you needed it. It’s gone now.”

[–] MrNesser@lemmy.world 75 points 1 day ago (3 children)

Nope 0 days means

Zero-day vulnerability: A software flaw that attackers discover before the developer does.

Zero-day exploit: The method hackers use to take advantage of this unknown vulnerability.

Zero-day attack: An attack that uses a zero-day exploit to damage a system, steal data, or plant malware before a patch is available. This is a serious risk because no defenses are in place for this specific flaw yet.

The first is the most common one found in the press and is usually reported to the company so they can patch it, before press release.

[–] Attacker94@lemmy.world 1 points 13 minutes ago

Maybe I was just missing pertinent information, but I thought a zero day was an attack that could be exploited in a very short time frame that has remained unpatched, I didn't realize there was a hierarchy to the different stages.

[–] frongt@lemmy.zip 24 points 1 day ago (1 children)

But it would be weird to call something a "zero-day" if it wasn't being exploited. Like if I discover a vuln, it shouldn't be considered a zero-day, even if I report it, if I'm not exploiting it in the wild.

[–] Cethin@lemmy.zip 9 points 18 hours ago

It was exploited. That's how they proved it worked. They just didn't exploit it to do anything nefarious.

[–] sourhill@lemmy.sdf.org 12 points 1 day ago

Ahh TIL. Thanks for the clarification!

[–] SnotFlickerman@lemmy.blahaj.zone 3 points 1 day ago

Perhaps, either that or they made a very quick fix making updates to address them the day before this patch release.

[–] NotMyOldRedditName@lemmy.world 96 points 1 day ago (1 children)

People have probably been sitting on exploits for months or longer. There will probably be another wave after the 1 year extended support ends.

[–] REDACTED@infosec.pub 7 points 3 hours ago (2 children)

If I remember correctly, MS still pushed some critical patches to Win7 after the support ended as they realized 1/3 of world's computers turning into botnets is probably not in their interests.

[–] Attacker94@lemmy.world 1 points 10 minutes ago

Except they will stay on their high horse and only give it to extended support this time around, that way they get what they want and they'll be able to spin it against the people who didn't opt in.

[–] NotMyOldRedditName@lemmy.world 1 points 2 hours ago

Wow, that's hilarious.

[–] zleap@techhub.social 50 points 1 day ago (3 children)

@Delta_V

It will be interesting what happens with this Windows 10 end of support, this just happens to crop up the day after support ends.

[–] SnotFlickerman@lemmy.blahaj.zone 35 points 1 day ago* (last edited 1 day ago) (1 children)

The exploits are addressed in the patch released yesterday, on the final day of support.

Generally such exploits aren't released to the public until they have been patched, to prevent wider abuse of the exploits in the meantime.

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24990

As you can see here near the bottom of the page it lists security updates for this epxloit having been released on October 14rh, 2025, the final day of Win10 support. These updates will still be available to Windows 10 systems even after October 14th, they will just be unable to get new patches after that date.

[–] Delta_V@lemmy.world 24 points 1 day ago

yeah, the timing is 'interesting'

[–] Alphane_Moon@lemmy.world 1 points 21 hours ago (1 children)

They will continue to releases major security updates for Windows 10 as long as it has double digit installed base share.

[–] mic_check_one_two@lemmy.dbzer0.com 1 points 2 hours ago* (last edited 2 hours ago)

Yeah, they did the same for Win7 for a long time. Win7 was so widely used (and people were so hesitant to upgrade after the awful 8/8.1 mess) that like 25-30% of all the computers in the world were still using it several years after support officially ended. It forced MS to continue issuing critical vulnerability patches for Win7, long after support officially ended. Because they didn’t want to be responsible for creating a massive “literally a quarter of all PCs in the world” botnet when they stopped patching things.

[–] Rhaedas@fedia.io 43 points 1 day ago (1 children)

So stick with my Linux and don't boot into Windows again. Got it.

Lots of these exploits can be very specific cases so aren't going to threaten the average user. However the point is, Windows 10 is now a huge target and there are lots who would love to take advantage of a freshly open gate.

[–] FreedomAdvocate@lemmy.net.au 7 points 1 day ago* (last edited 1 day ago) (1 children)

This is fixed, and the attacked required physical access to the hardware.

[–] frog_meister@lemmings.world -1 points 15 hours ago (1 children)

These are fixed, but microsoft still includes backdoors for Israel.

[–] REDACTED@infosec.pub 0 points 3 hours ago

Please go away

[–] FreedomAdvocate@lemmy.net.au 9 points 1 day ago (1 children)

Fixed and required physical access to the machine. If someone malicious has physical access to your machine you’re already done.

[–] utopiah@lemmy.world 0 points 19 hours ago (1 children)

Does it mean you don't think login password with physical token with disk encryption work?

[–] FreedomAdvocate@lemmy.net.au 2 points 14 hours ago (1 children)

The attacker had to already be logged in to the machine for this exploit.

[–] utopiah@lemmy.world 1 points 12 hours ago

Thanks for clarifying, guess you meant "required physical access to the machine AND being logged in." then which makes a huge difference.

[–] Rentlar@lemmy.ca 10 points 1 day ago

And it's not likely to be the last.

[–] yoriaiko@lemmy.blahaj.zone -3 points 1 day ago

If true:

Totally none did wait for most popular win10 end supports...

If fake:

Totally none sus this for being fake scarecrow against anyone who would like to stay on non-service, standalone system.