Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day

Gregg Keizer | May 27, 2013
A Google security engineer accused Microsoft of treating outside researchers with "great hostility" days before posting details of an unpatched vulnerability in Windows that could be used to crash PCs or gain additional access rights.

A Google security engineer accused Microsoft of treating outside researchers with "great hostility" just days before posting details of an unpatched vulnerability in Windows that could be used to crash PCs or gain additional access rights.

Microsoft acknowledged the vulnerability late Tuesday. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," said Dustin Childs, a spokesman for the company's security response group, in an email. "We will take the appropriate action to protect our customers."

Childs declined to answer additional questions, including whether Microsoft had been aware of the vulnerability before it surfaced on the Full Disclosure security mailing list May 17, or when it would release a patch.

Tavis Ormandy, a Google security engineer, revealed the bug on Full Disclosure, where he discussed the flaw in the Windows kernel driver, "Win32k.sys," and asked for help in overcoming a roadblock. "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he wrote.

Ormandy had first published information about the vulnerability in March to GitHub in an effort to solicit help or entice other researchers to investigate. That information no longer appears on GitHub, however.

On Monday, Ormandy again posted to Full Disclosure, going into more detail and providing demonstration code. "I have a working exploit that grants SYSTEM on all currently supported versions of Windows," claimed Ormandy. "Code is available on request to students from reputable schools."

Tuesday, Danish vulnerability research firm Secunia published a skeletal advisory, claiming it had confirmed the bug in a fully-patched copy of Windows 7 Professional and that Windows 8 and other editions might also be affected.

Secunia said that the vulnerability could be exploited to generate a denial-of-service (DoS) attack or to give an attacker elevated privileges.

Microsoft dubs the latter an "elevation of privilege," or EoP, vulnerability.

While the bug cannot be exploited remotely -- by sneaking attack code onto a compromised website, for example -- it still should be considered serious, said Andrew Storms, director of security operations at TripWire's nCircle Security.

"If you consider that it takes a number of different vulnerabilities to successfully exploit Windows or a Microsoft application, a local EoP is an important step in that chain of breaking into a Windows system," Storms said in an email.

"Note that one person responded to his [Full Disclosure message] requesting some code in hopes of adding it to Metasploit," Storms continued, referring to the popular open-source penetration testing framework used by security professionals as well as by cyber criminals. "So it might not be a big remote code bug, but it could be useful for attackers nonetheless."

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.