Google engineer slams Microsoft over vulnerability disclosure handling

Microsoft confirms it's looking into flaw that could allow hackers additional privileges on target computers.

Hacking

A security researcher working for Google has accused Microsoft of treating external bug hunters with "great hostility".

Google's Tavis Ormandy posted information about a security flaw in Windows late last week on a public website. The vulnerability is in the Windows kernel-mode driver win32k.sys. It could allow an attacker to crash the system (a denial of service) or elevate privileges in the OS. However, it cannot be exploited remotely, for instance from a malware-infected website: the attacker must already be able to run code on the target machine.


In a posting on the Full Disclosure section of Seclists.org, Ormandy said there was a "pretty obvious bug" in Windows, which he first reported in March.

"I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.

In an advisory, IT security company Secunia said that the vulnerability is "caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege."

"The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."
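Administrators wanting to find hosts running the build Secunia names can compare the version of win32k.sys against it. The following PowerShell script is an added example for this article; it is not code from Ormandy, Secunia or Microsoft. It assumes win32k.sys lives in the standard System32 location and uses only the version number quoted above (6.1.7601.18126); the article gives no fixed build, so the script cannot declare any host safe.

```powershell
# Added example (not from the article, Secunia or Microsoft): report whether this
# host's win32k.sys is the build Secunia confirmed as affected (6.1.7601.18126 on
# Windows 7 x86 Professional). A different build is NOT proven safe by this check;
# the advisory says other versions may also be affected and names no fixed build.

# Build confirmed affected in the Secunia advisory quoted in the article.
$ConfirmedAffected = New-Object System.Version(6, 1, 7601, 18126)

function Get-Win32kVersion {
    # Assumption: the driver is at the standard path under %SystemRoot%\System32.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\win32k.sys'))
    if (-not (Test-Path $Path)) { throw "win32k.sys not found at $Path" }
    $vi = (Get-Item $Path).VersionInfo
    # Use the numeric parts rather than the FileVersion string, which can carry a
    # build-tag suffix such as "(win7sp1_gdr.XXXXXX-XXXX)".
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-Win32kAdvisoryMatch {
    param([System.Version]$Version = (Get-Win32kVersion))
    # Win32_OperatingSystem works on PowerShell 2.0 (Windows 7 era) as well as later versions.
    $os = Get-WmiObject Win32_OperatingSystem
    $status = if ($Version -eq $ConfirmedAffected) {
        'CONFIRMED-AFFECTED-BUILD'
    } elseif ($Version.Major -eq 6 -and $Version.Minor -eq 1 -and $Version -lt $ConfirmedAffected) {
        # An older Windows 7 build predates the confirmed one; treat it as affected
        # until a vendor fix is known (assumption, since the article names no fix).
        'OLDER-WIN7-BUILD (treat as affected)'
    } else {
        'UNVERIFIED (not the confirmed build; advisory says other versions may be affected)'
    }
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        OSArchitecture = $os.OSArchitecture
        Win32kVersion  = $Version.ToString()
        Status         = $status
    }
}

# Usage: run as any user; reading file version info needs no elevation.
Test-Win32kAdvisoryMatch | Format-List
```

Two caveats. Secunia confirmed the bug only on x86; an x64 Windows 7 host with the same build number is reported here with the same status, which is this example's assumption rather than anything the advisory states. And because the article records no patched build, a result of UNVERIFIED means only that the host is not the confirmed build, not that it is safe.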

But Ormandy said that Microsoft did not treat security researchers with respect. He said in his personal blog that "Microsoft treats vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Microsoft failed to respond to Ormandy's jibes but did acknowledge the flaw.

"We are aware of an issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers," said Dustin Childs, group manager at Microsoft Trustworthy Computing.

Microsoft did not disclose whether it had been aware of the flaw before it appeared on the Full Disclosure website or when a patch would be available.

In a second posting, Ormandy provided a demonstration of code that could exploit the bug.

"I have a working exploit that grants SYSTEM on all currently supported versions of Windows," said Ormandy. "Code is available on request to students from reputable schools."
