Google Researcher Discovery Led to Windows Hackings

Source: Reuters

Microsoft has confirmed that hackers have exploited a vulnerability unearthed by a Google researcher.

In May, Google security engineer Tavis Ormandy disclosed the full details of a Windows kernel driver flaw, CVE-2013-3660, which affects all Windows-based platforms. He was quickly criticized by many security researchers for making the full disclosure without first notifying Microsoft privately about the bug. In Microsoft's defense, it had no time to prepare a fix before the public was made aware of the flaw.

Now, seven weeks later, Microsoft has issued a fix as part of the company's scheduled monthly release of patches for the Windows platforms. "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability as an elevation of privilege vulnerability through Internet Explorer 8," the company stated on July 9 in a security bulletin, indicating that hackers had already begun to take advantage of Ormandy's findings.

"You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users," said independent security researcher Graham Cluley on Tuesday. "I’m not questioning Tavis Ormandy’s expertise at finding security holes, or his skills as a vulnerability researcher. I just wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities are only disclosed in a responsible fashion, once a patch is available."

Ormandy claimed back in May that dealing with Microsoft when reporting vulnerabilities continues to be difficult. The Redmond company, he claims, treats vulnerability researchers with great hostility. He recommends that researchers communicate with Microsoft using a pseudonym, Tor software, and an anonymous email to protect themselves.

"If you solve the mystery and determine this is a security issue, send me an email and I'll update this post," he said. "If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled, if this is your first time researching a potential vulnerability it might be an interesting experience."

On Tuesday Microsoft said its latest security update involves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe vulnerability, according to the security alert, could allow remote code execution if a user views shared content that embeds TrueType font files. If successful with an exploit, hackers could take complete control of the system.

"The security update addresses these vulnerabilities by correcting the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory," the company said.

  • -8
    antilycus , July 11, 2013 6:48 AM
    Why should this guy be required to do MS's job? What would he get for it? NOTHING. You can't pay your bills with self satisfaction. He (and the rest) have every right to throw MS, Apple, Linux under the bus because users are expecting the O/S to do its job.

    There is no reward (that I am aware of) to help MS out. It's why Google pays people for reporting
  • -5
    weierstrass , July 11, 2013 7:07 AM
    Making it public was probably the best way to put high pressure on MS to fix it. Remember how long it took Oracle to fix some Java vulnerability?
  • 7
    wiyosaya , July 11, 2013 7:31 AM
    Maybe it does push M$ to fix problems, however, it also potentially puts a lot of computers at risk. For highly technical people like those of us at this site, a risk like this is something that we are able to easily mitigate.

    However, there are many people out there who simply do not possess the technical skills to either ward off or remove a threat from their PC - whether we like it or not.

    I am not defending M$. Personally, I think they are an exceptionally arrogant company - maybe equally arrogant as crApple.

    If anyone exploited a hack made public, it really would not be M$ that suffered, it would be those people who had their computers attacked, and we all know that due to EULAs, there would be no recompense for those owning attacked computers. However, I could see someone suing anyone who made an exploit public knowledge.

    To me, it's common sense - let M$ know privately regardless of whether you are treated like a turd or not. Wait a month or two - then make it public. As I see it, the burden would then be on M$ if they had not fixed it yet as they were informed of the exploit.
  • 3
    ninjustin , July 11, 2013 7:32 AM
    While I understand that communication for these Security Researchers to Microsoft should be easier to do, he shouldn't have released it to the public unless Microsoft absolutely refused to listen to him.

    Really what he did was take a vulnerability that he found that at the very most was being used in rare cases but probably not at all in the wild, then he gave it out to everyone; then people could take his work to attack the public with.

    What he did was dangerous to the public; whatever his reasoning, it doesn't change that.
  • 2
    DRosencraft , July 11, 2013 8:32 AM
    I will give Ormandy the benefit of the doubt and say there was no malicious intent intended at any level. However, a basic professional courtesy would dictate that you tell someone that you came across a problem with their tech. Google and MSFT have cooperated in this area in the past. There was no good reason to release the full details about a security vulnerability to the public before the relevant party has a chance to fix it, when a decent number of users of your own products are going to be exposed to that vulnerability. He shouldn't lose his job over something like this, but some form of reprimand is appropriate I would think.
  • -1
    Pailin , July 11, 2013 8:39 AM
    I got from that article that He Did try to tell M$ who did not respond as expected & hoped.

    To force their hand in closing the vulnerability he himself was forced to publicly declare the details.

    Still better than this going on long term and such attacks going on unheard of.
    - How many Chinese hoping for a big break to make it rich etc are looking for similar things to exploit on the quiet...?
  • 0
    agentbb007 , July 11, 2013 10:02 AM
    Tavis Ormandy sounds like an arrogant jerk who just wanted to make Microsoft look bad and get some of their boxes hacked. Patch is out now, we can move along and hopefully Tavis will be a little more diplomatic in the future.
  • 0
    back_by_demand , July 11, 2013 10:14 AM
    So because this guy felt intimidated by MS, he decided to endanger public safety? Sorry but if it was Visa and not Microsoft not a single one of you would be siding with the security guy, especially if someone gimped your PC because of his recklessness. Put your obvious anti-MS fanboy hatred aside, because it looks ignorant.
  • 1
    pjmelect , July 11, 2013 10:23 AM
    The thing that puzzles me is that Windows XP for example has been around for a long time now and that you would have thought that over time as the bugs have been found that the number of possible security breaches would be reduced. But Microsoft issues about the same number of bug fixes a month as it did ten years ago. It is not following the normal curve of complex software that most of the problems are found shortly after release and the number of reported problems reduces over time.
    They must be patching the patches many times over. Perhaps they should get it right the first time.
  • 0
    milktea , July 11, 2013 10:28 AM
    On top of sending the exploit to M$ and waiting, he should give M$ a deadline, say he'll release the exploit to the public in 2 weeks. That should give M$ sufficient pressure to release a hot fix (if M$ decides that it's important enough), plus it'll show good professionalism and integrity.

    He shouldn't wait forever for M$ to release a fix; at the same time, he should not just announce it to the public without giving M$ a head start. That's just not professional, unless he has other motives.
  • 1
    bryonhowley , July 11, 2013 10:49 AM
    I have a few friends that have worked with Microsoft on vulnerabilities in the past and they have always found Microsoft very easy to work with. As far as I can see this guy is a nut job. His actions have put everyone that uses a Windows based system at risk. And as far as I can tell only because he does not like Microsoft; I see no other reason.
  • 0
    Pailin , July 11, 2013 11:33 AM
    Hmm, seems he tried to give M$ a chance to respond:

    " (he released the exploit)...a month after Ormandy gave the software company five days to respond to a zero-day he published back then."


    "Despite Microsoft's approach, Metasploit founder and CTO of security firm Rapid7, HD Moore says Ormandy's release of the exploit in this case was fair enough."
  • 0
    dalethepcman , July 11, 2013 11:56 AM
    Many of you need to get off your high horse. I have submitted bug reports to Microsoft back when XP SP3 came out related to "run as" with the task manager and ending/relaunching the explorer.exe process. This bug is still in effect now and what I got back from Microsoft was "Try Vista"

    The human factor plays a large role in this. The people that work the positions to screen this information at Microsoft probably hate their job, and the researchers just want to let them know they found a problem. The researchers don't get paid to follow Microsoft requests for a bug. That would leave me with very little incentive to deal with bull shit.