[userbinator]

but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

What's next, "Zero-day Impacting All Versions of All Operating Systems - allows users to download and execute arbitrary code"? I suppose if you're a fan of user-hostile walled-garden trusted-computing models you might consider that a vulnerability, but I think it's safe to assume that most people consider the ability to "download and execute arbitrary code" to be a very useful and fundamental feature of an OS.

from Vista SP2 to Windows 8.1

I'm curious if this "vulnerability" also exists in XP.

[personZ]

The exploit seems to leverage PowerPoint files which are generally considered safe, and thus are allowed through mail systems and most normal good-practice behaviors. It uses a sideband exploit that allows PowerPoint to download and execute arbitrary content via a system service.

That is absolutely an exploit, similar to if I linked to an imgur jpeg that actually ran a trojan on your machine.

[Anderkent]

Kinda depends under what level of privilege the code runs.

Also secure environments often strip down the ability to download and run arbitrary code, but might still allow theoretically-data-only formats to be downloaded and opened (such as .ppt files), in which case this is definitely relevant.

[omh]

I'm curious if this "vulnerability" also exists in XP

I was curious as well. Elsewhere the article says it's not vulnerable:

...a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted)

Are there any significant Windows vulnerabilities for XP since the EOL? I was waiting for the first one that isn't patched, will be interesting to see how the bad guys use it.

[melchebo]

XP Embedded is still a supported operating system. This CVE applies to all of those. So, yes.

[sauere]

Don't forget to spice up your report with "THE RUSSIANS DID IT!!!!!!!!!!111!1".