At least one version of Windows, and possibly others, could be open to a recently disclosed zero-day exploit, which was found by Google security engineer Tavis Ormandy. He posted news of the exploit late last week on a public web site.
Computerworld.com reports that, according to Ormandy, the flaw is in the Windows kernel driver, Win32k.sys. Earlier this week, the security firm Secunia confirmed that it found the issue in Windows 7 Professional, and added that Windows 8 and other versions could have the same flaw.
The exploit, in theory, could be used by hackers to perform denial-of-service attacks, or give someone an elevation of privilege on the OS. However, this flaw apparently cannot be exploited via a remote source, such as putting in malware in an infected website.
Microsoft spokesperson Dustin Childs stated, "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers."
Ormandy apparently feels Microsoft does not hold security engineers with a lot of respect In a personal blog post earlier this month, before he disclosed the Windows zero-day bug, he stated, "Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."
Source: Computerworld | Image via Wikipedia