Sunday, May 26, 2013
Windows zero-day vulnerability publicly exposed by Google engineer
A Google security expert who has clashed with Microsoft in the past over how it discloses Windows security flaws is at it again.

Tavis Ormandy, an information security engineer at Google, has found what he's calling "a pretty obvious bug" in Windows 7 and Windows 8.

On Monday, Ormandy posted detailed information about it to Full Disclosure, a mailing list for security experts. The flaw could be used to crash PCs or gain additional access rights. The issue is less critical than other flaws because it is not remotely exploitable.

Ormandy said on Full Disclosure, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."

Ormandy said he's written code that hackers could use to take advantage of the Windows flaw, known in security circles as a "working exploit".

He isn't releasing it to the public, but is making it "available on request to students from reputable schools." This means other security researchers, not college students.

Ormandy first published details about the Windows bug on GitHub, a site that lets developers collaborate on projects, in March. But he hasn't said whether he's reached out to Microsoft, which is standard procedure in these situations.

Microsoft says it's aware of Ormandy's latest Windows flaw and is investigating. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers," Dustin Childs, a group manager in Microsoft's Trustworthy Computing unit, told Business Insider in an email.

We've reached out to Ormandy to see if he contacted Microsoft before his May 17 post to the Full Disclosure list. We've also reached out to Google for comment.

As Windows security flaws go, this isn't a major one because hackers can't use it to take control of machines over an Internet connection. Still, because so many people use Windows, Microsoft will probably fix this bug soon.

Security researchers usually contact the vendor first before they talk publicly about a bug they've found. But Ormandy and Microsoft have a rocky history.

In 2010, Ormandy discovered a previously unknown bug in Windows XP's Help and Support Center, and posted a working exploit to the web five days after telling Microsoft about it.

Hackers quickly figured out how to use it and began attacking Windows XP PCs.

Microsoft, which released an emergency fix for the bug, wasn't pleased. This sparked a big IT industry debate about how long researchers should wait after informing a vendor about a security flaw before going public with it.
This article was written by: Rajesh Darvesh
He is an Ethical Hacking and Security Professional with experience in various aspects of Information Security, and Founder of The Hacker Voice. Other than this, he is an Internet Activist and a strong supporter of Anonymous and WikiLeaks. You can follow him on Twitter.