Finding a 0-day exploit from the first couple of errors reported by Windows Error Reporting.

Originally shared by Wayne Radinsky

MS08-067 was a security exploit in netapi32.dll that was discovered within its first 6 uses and 400 million Windows machines were patched before the attackers could use it. It was discovered in the “long tail” of reports from the Windows Error Reporting system that users can use to send crash data to Microsoft.
http://blogs.technet.com/b/johnla/archive/2015/09/26/the-inside-story-behind-ms08-067.aspx

Great story. As exploits are developed, they crash. That’s a needle in a haystack of millions of crashes per day. Or an egghunt in shellcode in a crash dump.
“We had a vulnerability, that could be exploited remotely, anonymously, that affected all versions of Windows. It was wormable and someone was already exploiting it.”