In May Google security engineer Tavis Ormandy disclosed the full details of a Windows kernel driver flaw, CVE-2013-3660, which affects all Windows-based platforms. He was quickly criticized by many security researchers for making the full disclosure without first notifying Microsoft privately about the bug. To Microsoft's defense, it had no time to prepare a fix before the public was made aware of the flaw.
Now seven weeks later, Microsoft has issued a fix as part of the company's scheduled monthly release of patches for the Windows platforms. "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability as an elevation of privilege vulnerability through Internet Explorer 8," the company stated on July 9 in a security bulletin, indicating that hackers already began to take advantage of Ormandy's findings.
"You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users," said independent security researcher Graham Cluley on Tuesday. "I’m not questioning Tavis Ormandy’s expertise at finding security holes, or his skills as a vulnerability researcher. I just wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities are only disclosed in a responsible fashion, once a patch is available."
Ormandy claimed back in May that dealing with Microsoft in regards to reporting vulnerabilities continues to be difficult. The Redmond company, he claims, treats vulnerability researchers with great hostility. He recommends communicating with Microsoft using a pseudonym, Tor software, and an anonymous email to protect themselves.
"If you solve the mystery and determine this is a security issue, send me an email and I'll update this post," he said. "If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled, if this is your first time researching a potential vulnerability it might be an interesting experience."
On Tuesday Microsoft said its latest security update involves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe vulnerability, according to the security alert, could allow remote code execution if a user views shared content that embeds TrueType font files. If successful with an exploit, hackers could take complete control of the system.
"The security update addresses these vulnerabilities by correcting the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory," the company said.