Google engineer slams Microsoft over vulnerability disclosure handling
Microsoft confirms it's looking into flaw that could allow hackers additional privileges on target computers.
A security researcher working for Google has accused Microsoft of treating external bug hunters with "great hostility".
Google's Tavis Ormandy posted information about a security flaw in Windows late last week on a public web site. The vulnerability is in the Windows kernel driver, Win32k.sys. The exploit could allow hackers to carry out denial-of-service attacks or elevate privileges in the OS. However, the vulnerability cannot be exploited remotely from malware-infected websites.
In a posting on the Full Disclosure section of Seclists.org, Ormandy said there was a "pretty obvious bug" in Windows, which he first reported in March.
"I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.
In an advisory, IT security company Secunia said that the vulnerability is "caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege."
"The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."
But Ormandy said that Microsoft did not treat security researchers with respect. He said in his personal blog that "Microsoft treats vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."
Microsoft failed to respond to Ormandy's jibes but did acknowledge the flaw.
"We are aware of an issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers," said Dustin Childs, group manager at Microsoft Trustworthy Computing.
Microsoft did not disclose whether it had been aware of the flaw before it appeared on the Full Disclosure website or when a patch would be available.
In a second posting, Ormandy provided a demonstration of code that could exploit the bug.
"I have a working exploit that grants SYSTEM on all currently supported versions of Windows," said Ormandy. "Code is available on request to students from reputable schools."