Windows systems attacked via vulnerability made public by Google engineer

Microsoft says that some PCs have been attacked by hackers exploiting a vulnerability that was originally disclosed by a Google engineer. The affected machines appear to belong to corporate or government organizations.

The engineer in question, Tavis Ormandy, first made the vulnerability public back in May in a full-disclosure blog post. His actions have been criticized by industry members who say the proper course would have been to report the issue privately to Microsoft so that a fix could be issued before the vulnerability was used "in the wild". Google has distanced itself from Ormandy's actions, saying that his method of revealing the issue was a personal choice and did not represent the company.

Now Microsoft is saying that they have seen “targeted attacks” using this particular bug, which could allow attackers to elevate their privileges on targeted machines. Microsoft has declined to comment on whether they think Ormandy’s actions have led to these attacks.

If you’re worried about attacks you should ensure that you have Automatic Updates turned on, as this vulnerability has now been patched via a Windows Update.

Source: Microsoft Via: Reuters | Image via Wikipedia


Microsoft makes it sound as if the vulnerability was created by the Google engineer. It's sad that such huge corporate entities do not accept their faults, rather play the blame game.

I remember him mentioning the hostility MS shows towards such researchers; wasn't untrue!!..... =|

TechJunkie81 said,
Maybe the dude should get some ethics then.

The vulnerability was reported to Microsoft 3 years ago. They never bothered to patch it. God knows who else knew about this vulnerability, and how many machines got infected with backdoors as a result.

The Google engineer did the right thing. He saw that obviously MS didn't care about their customers, and posted it online so users would at least become aware of the issue.

Actually, if you read the stories, he found the bug in March of 2013, and posted the exploit request in May. He also found an issue 3 years ago in the XP Help Center code (with 5 days notice - looks like he's getting... "better"?), which is where I think you're confused - this is not the same exploit found 3 years ago by the same guy.

The question I have for Microsoft.

How long have you known about the vulnerability, and why was it not addressed initially when the code was developed?

SpyCatcher said,
The question I have for Microsoft.

How long have you known about the vulnerability, and why was it not addressed initially when the code was developed?

The question I have for you.

How long have you been utterly clueless about software development and why have you not made any attempt to educate yourself before posting such a moronic comment?

ALL software has bugs. It's impossible to find all bugs in software and some small subset of these can lead to security vulnerabilities. Microsoft has to be given time to fix them before they are disclosed publicly. They will also know about many vulnerabilities at any time and have to prioritise them, fixing the most dangerous first. By disclosing like this it means that MS have to go all out to fix this bug at the expense of other potentially more important bugs.

I really do not have the time or the crayons to explain it to you. The vulnerability was reported to Microsoft three (3) years ago (check various sites for confirmation).

The problem with Microsoft is that they are slow to react, and only react as a last resort.

Edited by SpyCatcher, Jul 11 2013, 3:47pm

When you apply critical thinking, the only company that can be blamed is Microsoft. The problems everyone has today (individuals, corporations, governments) escalated after Microsoft gave the source code to various governments to review for NSA/CIA backdoors. After the code was released to those various governments, malware, bots, you name it has gotten out of control. If it were not for companies such as Kaspersky and Bitdefender, many, if not all (we will call them viruses) would have gone unreported.

SpyCatcher said,
After the code was released to those various governments, malware, bots, you name it has gotten out of control.

While there may be a slight correlation, it's unlikely to be statistically relevant, as malware for platforms beyond Microsoft is even more targeted these days, particularly through Java. The fact is, malware has grown in pace with the sheer value of computer data as the number of computer users and devices has grown. While folks using Windows may generally be #1 in value to attackers, these days malware is moving mostly through third-party products. How many new billions of devices exist today that didn't exist 10 years ago?

There are far more people with programming skills in the world than there were 10 years ago. It has probably grown by several factors, especially in countries that are not the United States. This gives you a much larger pool of people who may write code with a vicious purpose, be they paid or just having fun.

Impossible. Google is the only company that releases non secure software....oh, wait.

Pretty funny considering MS just bashed Google for the same thing yesterday. Yes, I know... different platforms but same subject.

techbeck said,
Impossible. Google is the only company that releases non secure software....oh, wait.

Pretty funny considering MS just bashed Google for the same thing yesterday. Yes, I know... different platforms but same subject.

You're going to compare the two? It's only the same system because it allows people unfettered access to the system. Google's is effectively a backdoor whereas MS's is a bug.

Just what I was thinking...someone go round up all the silly fanboys and repost their comments...just replace (Android/Google) with (Microsoft). All software has issues, it's just the way it is, they all need to deal with more quickly.

MrHumpty said,
You're going to compare the two? It's only the same system because it allows people unfettered access to the system. Google's is effectively a backdoor whereas MS's is a bug.

They are both security issues. It really doesn't matter if it is a backdoor or a bug. It's a problem which all software has. There have been tons of backdoor exploits exposed in MS software in the past as well.

techbeck said,

They are both security issues. It really doesn't matter if it is a backdoor or a bug. It's a problem which all software has. There have been tons of backdoor exploits exposed in MS software in the past as well.

Actually, they were both bugs. The difference is that MS released a patch and anyone can easily get the patch (with default settings they will get the patch automatically). With Android, even if Google releases a patch, almost nobody will actually be able to get it (blocked by operators / manufacturers). Anyone who does get it will probably get it in several months.

mog0 said,
Actually, they were both bugs. The difference is that MS released a patch and anyone can easily get the patch (with default settings they will get the patch automatically). With Android, even if Google releases a patch, almost nobody will actually be able to get it (blocked by operators / manufacturers). Anyone who does get it will probably get it in several months.

Sure, and while we're at it, Microsoft has a still-unpatched UAC bypass exploit that has existed since Windows 7 (if not even earlier) and still exists today in 8 and 8.1 (to my knowledge).

The exploit basically allows you to bypass UAC by hijacking official Microsoft software, not that different from how, let's say, an apk may hijack a system app and do bad things as well.

At least Android will eventually get the fix; Microsoft has so far claimed that it is by design.

When you disable UAC (the fool who does), that won't be the only exploit you will be vulnerable to. Don't forget, disabling UAC basically disables most of the operating system's security systems, like administrator being a secondary logon and disabling access to critical system folders.
They have a patch for hundreds of thousands of exploits; it's called UAC. Only fools disable UAC.

FISKER_Q said,

Sure, and while we're at it, Microsoft has a still-unpatched UAC bypass exploit that has existed since Windows 7 (if not even earlier) and still exists today in 8 and 8.1 (to my knowledge).

The exploit basically allows you to bypass UAC by hijacking official Microsoft software, not that different from how, let's say, an apk may hijack a system app and do bad things as well.

At least Android will eventually get the fix; Microsoft has so far claimed that it is by design.

Is this the one that's been going around for years where you need administrator access in order to modify files that will then give you administrator access?
It's not a security flaw if you need to have administrator access already...There is no possible way to defend against an administrator.
Windows has bugs and sometimes they take a long time to fix but if they declare it's by design there will be a good reason for this.

mog0 said,
Is this the one that's been going around for years where you need administrator access in order to modify files that will then give you administrator access?
It's not a security flaw if you need to have administrator access already...There is no possible way to defend against an administrator.
Windows has bugs and sometimes they take a long time to fix but if they declare it's by design there will be a good reason for this.

Nope, it's the exploit that's going around for years where you can use the fact that Microsoft bypasses UAC for certain Microsoft processes and use those to elevate other processes.

As any reasonable person understands, UAC is not a security *boundary*, it's a security *measure* as part of a defense-in-depth mechanism.

Also, to avoid the exploit, don't run as admin - that will kill the UAC bypass exploits and force a UAC prompt. Given Microsoft's directive is to *not* run a machine as admin, but to use an admin account only when necessary (and prompted by UAC to do so, or FUS to the account to perform the action and then back to the regular user to continue working), this shouldn't be an issue. This is only an issue for people who *don't* follow proper security guidance, thus making themselves targets for exploits.

cluberti said,
As any reasonable person understands, UAC is not a security *boundary*, it's a security *measure* as part of a defense-in-depth mechanism.

Also, to avoid the exploit, don't run as admin - that will kill the UAC bypass exploits and force a UAC prompt. Given Microsoft's directive is to *not* run a machine as admin, but to use an admin account only when necessary (and prompted by UAC to do so, or FUS to the account to perform the action and then back to the regular user to continue working), this shouldn't be an issue. This is only an issue for people who *don't* follow proper security guidance, thus making themselves targets for exploits.

Same with the Android exploit, it is only an issue for people who *don't* follow proper security guidance, however in this case it is actually Microsoft who *don't* follow proper security guidance for their own applications.

All in all I'm not sure you even know how UAC works given your post, but the purpose of UAC is that you have an account with administrative privileges, but these privileges need to be elevated through UAC before any administrative privileges are given.

The exploit works by exploiting Microsoft's own whitelisting of Microsoft processes, you do not need to run anything as admin, you can fix it yourself, but of course there's really no point to request elevation if you're going to make exceptions, so not only is it an exploit, but an inherent design flaw.

Believe it or not, I do understand how UAC works, and doesn't. The whole design is a balancing act between complete app breakage and backwards compatibility (apps that aren't LUA aware are still allowed to work). Running a whitelisted process silently (for example, regedit) doesn't actually *elevate* the process unless you're already logged on as an admin. When a whitelisted app runs, it runs the process with the highest rights of that user - hence, if the user is not admin, running a tool (such as regedit) doesn't make that user an admin magically. It will, however, if you are running the tool with an account whose highest privs available would be administrative.

Yes, I know how it works, and yes, I understand the implications. Running as a non-administrator keeps these things from being used for drive-by. It's a design choice (yes, one that can cause security implications if one is logged on as admin), but it is not a flaw. Going back to the original statement - it's only an issue for folks who run their boxes logged on with an admin account, which is neither recommended nor wise. It is in these moments where knowing how UAC works, and that it isn't a boundary, should keep people from doing so. Alas, it does not.

cluberti said,
Believe it or not, I do understand how UAC works, and doesn't. The whole design is a balancing act between complete app breakage and backwards compatibility (apps that aren't LUA aware are still allowed to work). Running a whitelisted process silently (for example, regedit) doesn't actually *elevate* the process unless you're already logged on as an admin. When a whitelisted app runs, it runs the process with the highest rights of that user - hence, if the user is not admin, running a tool (such as regedit) doesn't make that user an admin magically. It will, however, if you are running the tool with an account whose highest privs available would be administrative.

Yes, I know how it works, and yes, I understand the implications. Running as a non-administrator keeps these things from being used for drive-by. It's a design choice (yes, one that can cause security implications if one is logged on as admin), but it is not a flaw. Going back to the original statement - it's only an issue for folks who run their boxes logged on with an admin account, which is neither recommended nor wise. It is in these moments where knowing how UAC works, and that it isn't a boundary, should keep people from doing so. Alas, it does not.

There's no consideration taken into backwards compatibility; by default the program will be run un-elevated unless that application is on the whitelist, or is using the exploit to bypass UAC.

Again, the point of UAC is to have administrative privileges without having them unless necessary; if the other were true we could've stuck to the previous XP setup just fine and used Run As.

Of course if the intention were that users should be running standard user accounts they could've done so in the user creation process, and they don't, because that's not what they intend.
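As an added defender-side check (not code from the article or from any commenter), the following PowerShell reports the two things this thread argues about: whether the current logon is an administrator account running with a UAC-filtered token, and which UAC consent policy the machine enforces (including the default that lets Windows binaries elevate silently). It assumes the standard UAC policy values under HKLM\...\Policies\System and an English locale for parsing whoami's attribute text.

```powershell
# Added audit helper (not from the article or any commenter). Reports whether the current
# logon is an administrator account running with a UAC-filtered token, whether this process
# is already elevated, and which UAC consent policy the machine enforces.
function Get-UacPosture {
    # The documented UAC policy values live under this key.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # Meaning of ConsentPromptBehaviorAdmin for admin accounts. Value 5 (the default) is the
    # "Windows binaries elevate silently" behaviour the thread above is arguing about.
    $consentMeaning = @{
        0 = 'Elevate without prompting (UAC effectively off for admins)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries only'
    }

    # Is this process already elevated? IsInRole(Administrator) is only true for a full
    # admin token, not for the filtered token a UAC-protected admin logon normally runs with.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # .NET drops deny-only groups from $identity.Groups, so use whoami, which still lists the
    # Administrators SID (S-1-5-32-544) when UAC has marked it "used for deny only".
    # Assumption: English locale for the attribute text.
    $groups         = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry     = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $isAdminAccount = ($null -ne $adminEntry)
    $isFiltered     = $isAdminAccount -and ($adminEntry.Attributes -match 'deny only')

    [PSCustomObject]@{
        User                 = $identity.Name
        IsAdminAccount       = $isAdminAccount
        RunningFilteredToken = $isFiltered
        ProcessElevated      = $isElevated
        UacEnabled           = ($policy.EnableLUA -eq 1)
        ConsentBehaviorAdmin = $consentMeaning[[int]$policy.ConsentPromptBehaviorAdmin]
        SecureDesktopPrompt  = ($policy.PromptOnSecureDesktop -eq 1)
        # The posture the commenters recommend: UAC on, and the daily logon is not an admin.
        MeetsGuidance        = ($policy.EnableLUA -eq 1) -and (-not $isAdminAccount)
    }
}

Get-UacPosture | Format-List
```

Run it from the account used for day-to-day work, not from an elevated console, or ProcessElevated will be true and RunningFilteredToken false for every admin account.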

Not the first time, nor will it be the last time this will happen. The only reason this one is different is because the guy works at Google. His disclosure is no different to all the others that happen daily.

Pretty much. Just like the guy who made all those comments that upset people about the XBOX ONE. The guy worked for MS, but not speaking for them.

techbeck said,
Pretty much. Just like the guy who made all those comments that upset people about the XBOX ONE. The guy worked for MS, but not speaking for them.

There may be people who publicly reveal bugs in MS code (not daily by any means) but they are generally not working for large corps who are direct competitors of MS and who should know better. This guy works at Google and frankly... should know better.

Your comparison to the guy on pastebin talking about the XBox DRM is childish. That guy didn't affect any other company or software; he was just speaking his mind anonymously and trying to frame the debate outside of the political correctness of corporate PR. This guy publicly outed a bug that was a serious security vulnerability in one of the most popular OSes in the world without first going through MS's openly known channels to report the bug.

MrHumpty said,
Your comparison to the guy on pastebin talking about the XBox DRM is childish.

Childish? Really? How is making a comparison childish? It may not be right compared to your opinion/thoughts, but in no way is it childish. I did blast MS for anything Adam Orth did and actually defended MS because of his actions. I was not rude or trying to start anything either.

And my point was that people working for companies do stupid things and a lot of the time, the company itself has no control or doesn't know what's going on until after the fact.

mosi said,
Not the first time, nor will it be the last time this will happen. The only reason this one is different is because the guy works at Google. His disclosure is no different to all the others that happen daily.

No, it's because this guy has repeatedly made improper vulnerability disclosures on Microsoft products. It's not his first time doing so. Frankly, Google should fire him for repeated unethical behavior.

duddit2 said,
Google, its obvious.....stop being d**ks

Google have distanced themselves from this, which is not surprising: they would lose credibility in the professional world if they didn't.

"Microsoft has declined to comment on whether they think Ormandy's actions have led to these attacks."

I think what they would want to say isn't press friendly, that's why.

alwaysonacoffebreak said,
"Microsoft has declined to comment on whether they think Ormandy's actions have led to these attacks."

I think what they would want to say isn't press friendly, that's why.

They already made their comment by releasing this bulletin; no need to involve the press, they gobbled it up just beautifully.