by John P. Mello, Jr.

Google researcher’s outing of Windows vulnerability may have led to cyber forays

Jul 10, 2013

Microsoft detects targeted attacks after Windows flaw made public

Following the outing of a vulnerability in Windows by a security researcher who works for Google, Microsoft said Tuesday that it detected a number of targeted attacks exploiting the flaw.

The revelation was made in a Security alert issued by Microsoft on the same day it addressed the vulnerability in its monthly “Patch Tuesday” package of fixes for July.

“Microsoft detected targeted elevation of privilege attacks after the issue became publicly known,” Microsoft Trustworthy Computing spokesperson Dustin Childs said in an email.

Microsoft would not elaborate on its findings.

The vulnerability was aired in May by Tavis Ormandy, who is employed by Google but claimed to be acting independently when he revealed the flaw in a security blog. The vulnerability in Windows 7 and 8 allows local users to obtain escalated privileges, making it easier for a hacker to compromise a system.

Ormandy did not respond to a request for an interview for this story.

Google also declined to comment, although it’s believed the company is working with Ormandy to improve communications between the researcher and Microsoft.

Ormandy has been criticized by some in the security community who subscribe to the practice that a vulnerability shouldn’t be made public until a software maker has an opportunity to fix it.

“In the past Tavis Ormandy has publicized vulnerabilities in Microsoft’s code that have then been exploited by malicious hackers to infect the computers of innocent Internet users,” security researcher Graham Cluley said.

“It’s hard to argue against the belief that those computer users would not have been hit if Tavis Ormandy had not shared demo code exploiting the vulnerabilities which hackers could build their own attacks upon,” he added.

Discovering a previously unknown or “Zero Day” vulnerability carries a lot of responsibility, said Bogdan Botezatu, a senior e-threat analyst with Bitdefender.

“Most of the times, ethical hackers do not disclose proof-of-concept code for unpatched vulnerabilities, because this would dramatically impact the security of users running the respective software,” Botezatu said.

“Although in most of the cases disclosure is highly not recommended, more and more security researchers are doing it as a last resort, if the vendor postpones a fix or does not plan to treat the issue,” he said.

“Throwing the exploit code into the wild exposes the machines,” he added. “But also minimizes the window of opportunity and forces the vendor to come with a fix to avoid mass exploitation.”

Cluley explained that members of the security community aren’t monolithic in how they treat the vulnerabilities they find.

“There is a hardcore section of the security researcher community who feel it is better for all information to be free, even if a fix is not yet available,” he said. “This is, essentially, a religious debate — with neither side prepared to bend much to accept the others’ point of view.”

Cluley said that vulnerability researchers sometimes need to be realistic about the processes a firm needs to go through to evaluate a vulnerability report, replicate the behavior, produce a fix, test that the fix does not cause any other problems and incompatibilities and then roll it out to millions of users.

“Generally, Microsoft’s security team does an excellent job,” he said. “Vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers.”

Whether or when vulnerabilities are made public, however, doesn’t address an even bigger problem facing software users, said George Tubin, a senior security strategist with Trusteer.

“Vulnerabilities are there whether they’re disclosed or not, and there are other vulnerabilities out there right now that we don’t know about but somewhere down the road we will find out about them,” Tubin said.

“We have to realize that the software we’re using has vulnerabilities, and we need to put protections in place to protect us from them,” he said.