by thinkythought
2871 days ago
This is still a huge target. I used to be in point of sale engineering, and the majority of the quality terminals the big OEMs (NCR and their sub-brands, Posiflex, etc.) were pushing were running these for a LONG time past when you'd think C3 was "dead". Similar vendors I bumped into were pushing stuff with them in it still when I got out of that industry. There are a LOT of machines out there which will be run essentially until they break down (and a lot are fanless, and will pretty much last until they can't be kept up to date). You have to remember, a lot of big chains (and banks!) paid for extended XP support and then extended-extended XP in the form of Windows POS. This is an "every terminal in a huge fast food chain gets owned and no one finds out for years" sort of vulnerability. This is the first step to something like the Target breach all over again.

Utter nonsense, this bug will not lead to RCE.
You might be able to implement a fancy rootkit with this, but that's all. Advanced rootkit tech is neither necessary nor particularly helpful for these sorts of breaches.