Google engineer publicly discloses zero-day Windows exploit

At least one version of Windows, and possibly others, could be open to a recently disclosed zero-day exploit, which was found by Google security engineer Tavis Ormandy. He posted news of the exploit late last week on a public web site.

Computerworld.com reports that, according to Ormandy, the flaw is in the Windows kernel driver, Win32k.sys. Earlier this week, the security firm Secunia confirmed that it found the issue in Windows 7 Professional, and added that Windows 8 and other versions could have the same flaw.

The exploit, in theory, could be used by hackers to perform denial-of-service attacks, or to give someone an elevation of privilege on the OS. However, this flaw apparently cannot be exploited from a remote source, such as by planting malware on an infected website.

Microsoft spokesperson Dustin Childs stated, "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers."

Ormandy apparently feels Microsoft does not hold security engineers in much respect. In a personal blog post earlier this month, before he disclosed the Windows zero-day bug, he stated, "Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Source: Computerworld | Image via Wikipedia


32 Comments


Hello,

While I certainly don't consider myself having anywhere near Mr. Ormandy's expertise in reverse-engineering, I have worked in the information security field for years and even dealt with Microsoft innumerable times, including one disclosure-type issue.

At every step of the way, Microsoft's security personnel were nothing but polite and cordial to deal with--at no time did I feel talked-down to or otherwise marginalized in any way, and I can say that Microsoft acted with impressive speed and agility in responding--the issue was resolved in well under 24 hours.

As far as I know, the vulnerability Mr. Ormandy revealed was neither being exploited publicly or privately at the time of his announcement, so any usage of it is presumably going to be attributable to his release on FD.

Regards,

Aryeh Goretsky

So, this moron is basically offering exploit developers a way to escape Chrome's sandbox on windows.

considering the high number of flaws discovered in chrome and webkit every year, this disclosure is risky for chrome users.

many security researchers say that chrome's sandbox is the only thing making it secure, because webkit itself is full of flaws.

Brony said,
Well, specifically Microsoft or a partner of Microsoft.

Might want to look at a CVE list. Just for example, in 2012 Chrome was in the #1 spot for having the highest number of vulnerabilities, almost 6 times as many as the Windows 7 operating system. For 2013 they're currently #2 on the list of most vulnerabilities, and #4 on the all-time list. Sorry, but it's not just Microsoft saying there's security issues.

Brony said,

Well, specifically Microsoft or a partner of Microsoft.


nope.
http://www.zdnet.com/pwn2own-d...ll-the-browsers-7000012283/

"The weakness in Chrome is Webkit and the strength is the sandbox"

vupen said that, and they're not exactly friends with Microsoft...

other hackers said something similar.
and as you can see from vulnerability statistics, chrome had indeed a very high number of flaws over the last 3 years.
much higher than any MS product.
and of course, the only thing preventing exploitation is the sandbox, which is technically based on the use of the host OS security features.

Ormandy previously revealed a serious vulnerability in Windows XP's Help and Support Center that allowed attackers to compromise machines using specially crafted websites before Microsoft had patched the bug.

Some security researchers have previously branded Ormandy "irresponsible," but his motives may be related to Microsoft's "interesting experience" of dealing with vulnerabilities. In a blog post days before his most recent disclosure, Ormandy claims Microsoft is "often very difficult to work with," advising researchers to speak to the software maker anonymously.

Graham Cluley, a senior technology consultant at Sophos, disputes Ormandy's claims. "Generally, Microsoft's security team does an excellent job," says Cluley in an email to The Verge. "Vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers."

illegaloperation said,
Ormandy previously revealed a serious vulnerability in Windows XP's Help and Support Center that allowed attackers to compromise machines using specially crafted websites before Microsoft had patched the bug.

Some security researchers have previously branded Ormandy "irresponsible," but his motives may be related to Microsoft's "interesting experience" of dealing with vulnerabilities. In a blog post days before his most recent disclosure, Ormandy claims Microsoft is "often very difficult to work with," advising researchers to speak to the software maker anonymously.

Graham Cluley, a senior technology consultant at Sophos, disputes Ormandy's claims. "Generally, Microsoft's security team does an excellent job," says Cluley in an email to The Verge. "Vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers."


at least Microsoft Security researchers are not as irresponsible as this moron!

when they discover flaws in Google products, Microsoft doesn't disclose them publicly until long after the fix is available... even when google takes 50 days to fix an important flaw, like that old one:
http://technet.microsoft.com/e...ty/msvr/msvr11-001#section1

From Article: "Ormandy had first published information about the vulnerability in March to GitHub in an effort to solicit help or entice other researchers to investigate. That information no longer appears on GitHub, however."

On Monday, Ormandy again posted to Full Disclosure, going into more detail and providing demonstration code. "I have a working exploit that grants SYSTEM on all currently supported versions of Windows," claimed Ormandy. "Code is available on request to students from reputable schools."

I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

HIDE YOUR WIFE, HIDE YOUR KIDS cause Microsoft is coming for you.


and it's fitting he works at google, his blog looks like ****.

and just had a look at this vulnerability. this isn't some remote code execution. you actually have to run an exe that makes use of GDI that exploits a bug. nothing to see here, move along.

fobban said,
I bet Xbox One amazed you.

Oh no, somebody may have an opinion different than you. Of course, if somebody were to disagree with you, then you and the others would be whining about how Neowin doesn't allow other opinions, and how others are mean to you when all you are doing is expressing your opinions. But somebody is impressed with Xbox One, and unimpressed with PS4, and they are just too stupid to know better.

Well he works at Google. He's probably seen the kind of data they harvest from people. If I knew how much they knew, I'd be using Tor too.

Google hasn't amazed me in years... This year's Google I/O was another example... Now the rest of their engineers are coming out of the woodwork... I guess they want to be known for something!

warwagon said,
Well that was nice of him.

I read news about Google being responsible for more than half of the reports about bugs/exploits

warwagon said,
Well that was nice of him.

To report it publicly rather than to Microsoft so they can fix it before people start trying to use it? Sure was...

M_Lyons10 said,

To report it publicly rather than to Microsoft so they can fix it before people start trying to use it? Sure was...

"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

I'm sure you and Microsoft would like his ass to be locked up but somehow I believe he would beg to differ.

The Verge has a better explanation of this. there are other security researchers who disagree and this guy previously publicized an exploit that was then used by attackers. he's clearly biased against Microsoft.

rorrr said,
The Verge has a better explanation of this. there are other security researchers who disagree and this guy previously publicized an exploit that was then used by attackers. he's clearly biased against Microsoft.

Or Microsoft is clearly biased against him, hence his predicament.

Ridiculous extrapolation there, Mr. Overreaction. Nobody said to lock him up.

But come on! Posting a 0-day exploit publicly? Before disclosing it to the manufacturer? That's certainly not white hat hacking. Ormandy is a jerk, claiming to be a saint.

And this was no accident either. This isn't the first time this same guy has published exploits with little to no warning given to Microsoft.

The ecosystem "war" is going to be terrible for consumers. It really already is... instead of one webpage that all computer users can visit (like it is for desktop Linux, Mac, Windows), we now have to get the platform specific app to get the best experience. And the only ones losing here are us consumers, as ALL the major players are raking in the dough with no sign of slowing down.

The Verge has a better explanation of this. there are other security researchers who disagree and this guy previously publicized an exploit that was then used by attackers. he's clearly biased against Microsoft.

Pretty much this. Microsoft is usually extremely fast when it comes to bug reporting and holes being fixed. They wouldn't be able to do that if they were being extremely hostile to anyone who reported a bug.

recursive said,

"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

I'm sure you and Microsoft would like his ass to be locked up but somehow I believe he would beg to differ.

How much is google paying you?

FISKER_Q said,

Or Microsoft is clearly biased against him, hence his predicament.

Pathetic how you guys always come up with some stupid excuse to put the blame on MS.

coderchi said,

Pathetic how you guys always come up with some stupid excuse to put the blame on MS.

It wasn't an excuse, simply pointing out the fact it could just as well be the reverse.

What is pathetic though, is putting words in my mouth.

recursive said,

I'm sure you and Microsoft would like his ass to be locked up but somehow I believe he would beg to differ.

Why would Microsoft want his ass to be locked up? he is finding bugs for free, right? that's often very costly, especially for an OS which happens to be the leading OS.