Google Researcher Discovery Led to Windows Hackings

In May Google security engineer Tavis Ormandy disclosed the full details of a Windows kernel driver flaw, CVE-2013-3660, which affects all Windows-based platforms. He was quickly criticized by many security researchers for making the full disclosure without first notifying Microsoft privately about the bug. To Microsoft's defense, it had no time to prepare a fix before the public was made aware of the flaw.

Now seven weeks later, Microsoft has issued a fix as part of the company's scheduled monthly release of patches for the Windows platforms. "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability as an elevation of privilege vulnerability through Internet Explorer 8," the company stated on July 9 in a security bulletin, indicating that hackers already began to take advantage of Ormandy's findings.

"You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users," said independent security researcher Graham Cluley on Tuesday. "I’m not questioning Tavis Ormandy’s expertise at finding security holes, or his skills as a vulnerability researcher. I just wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities are only disclosed in a responsible fashion, once a patch is available."

Ormandy claimed back in May that dealing with Microsoft in regards to reporting vulnerabilities continues to be difficult. The Redmond company, he claims, treats vulnerability researchers with great hostility. He recommends communicating with Microsoft using a pseudonym, Tor software, and an anonymous email to protect themselves.

"If you solve the mystery and determine this is a security issue, send me an email and I'll update this post," he said. "If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled, if this is your first time researching a potential vulnerability it might be an interesting experience."

On Tuesday Microsoft said its latest security update involves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe vulnerability, according to the security alert, could allow remote code execution if a user views shared content that embeds TrueType font files. If successful with an exploit, hackers could take complete control of the system.

"The security update addresses these vulnerabilities by correcting the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way that Windows handles objects in memory," the company said.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
Comment from the forums
    Your comment
  • antilycus
    Why should this guy required to do MS's job? What would he get for it? NOTHING. You can't pay your bills with self satisfaction. He (and the rest) have every right to throw MS, Apple, Linux under the bus because users are expecting the O/S to do it's job.

    There is no reward (that I am aware of) to help MS out. it's why Google pays people for reporting
  • weierstrass
    Making it public was probably the best way to put high pressure an MS to fix it. Remember how long it took Oracle to fix some Java vulnerability?
  • wiyosaya
    Maybe it does push M$ to fix problems, however, it also potentially a lot of computers at risk. For highly technical people like those of us at this site, a risk like this is something that we are able to easily mitigate.

    However, there are many people out there who simply do not possess the technical skills to either ward off or remove a threat from their PC - whether we like it or not.

    I am not defending M$. Personally, I think they are an exceptionally arrogant company - maybe equally arrogant as crApple.

    If anyone exploited a hack made public, it really would not be M$ that suffered, it would be those people who had their computers attacked, and we all know that due to EULAs, there would be no recompense for those owning attacked computers. However, I could see someone suing anyone who made an exploit public knowledge.

    To me, its common sense - let M$ know privately regardless of whether you are treated like a terd or not. Wait a month or two - then make it public. As I see it, the burden would then be on M$ if they had not fixed it yet as they were informed of the exploit.