Google researcher publishes Windows zero-day exploit

Google researcher publishes Windows zero-day exploit

Summary: After releasing details about a Windows flaw without a fix from Microsoft, a researcher has now published an exploit for it.

SHARE:
46

A Google researcher who recently released details about a new flaw affecting Windows has now published a working exploit for it.

Google researcher Tavis Ormandy has had run-ins with Microsoft over vulnerability disclosure before and appears to be on course for a new one after publishing an exploit ahead of Microsoft releasing a patch for the flaw. The exploit is for a vulnerability that affects a Windows kernel function in Windows 2000, XP, Vista and 7 and 8 as well as Server 2003 and 2008.

Ormandy released the exploit on Full Disclosure on Sunday, three weeks after publishing details about the flaw along with a request for help to find a more reliable way to exploit it.

Microsoft has previously said it was investigating claims there was a flaw in Windows. However, it said it had not detected any attacks using it and nor had it issued an advisory confirming the vulnerability. Consequently there was no fix either.

Following Ormandy's latest release, Microsoft today acknowledged "an issue" was affecting Windows, but re-iterated it had not detected attacks that used it.

"We are aware of an issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate actions to protect our customers," Dustin Childs, group manager of Microsoft Trustworthy Computing said in a statement to ZDNet.

Childs did not answer ZDNet's question whether it will release a patch for the flaw.  

Ormandy's decision to publish the flaw and the exploit jars with Microsoft's "coordinated vulnerability disclosure" strategy, which it announced in 2010 — a month after Ormandy gave the software company five days to respond to a zero-day he published back then.

Redmond's emphasis is on researchers working with the vendor before disclosure whether or not the flaw is being exploited in the wild. It does not use a hard timeline for disclosure.

Despite Microsoft's approach, Metasploit founder and CTO of security firm Rapid7, HD Moore says Ormandy's release of the exploit in this case was fair enough.

"Personally I think [releasing the exploit] helped. After all, Tavis published a note to the full-disclosure list a few weeks ago, and Microsoft (as well as the media) had an opportunity to respond then. It wasn't until a third-party took his proof-of-concept and released a working exploit that Tavis posted his own."

Moore added that the exploit for the same flaw that was released before Ormandy's was on a Chinese website; and that Ormandy had first released details of the flaw in March.    

Google recently cut its recommended disclosure timeline from 60 days to seven days for bugs that are being actively exploited. If the vendor of the product does not have a fix within that time, Google engineers said it should at least publish mitigations, which could include disabling a service or restricting access to it. 

Topics: Security, Google, Microsoft

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

46 comments
Log in or register to join the discussion
  • irresponsible, arrogant and negligent

    Goes to show how immature an enterprise Google is.

    I wouldn't be doing business with them if they knowingly and purposefully make everyone else vulnerable to hackers.
    hubivedder
    • If it was an OSX flaw, this guy would be behind bars

      This is just irresponsible. Apple would have taken on this guy much more strongly than what MS is doing.
      mm71
    • the swiss cheese in inherent in windoze

      All Travis did was to point it out ahead of time in an effort to get M$ to move it's ass. He held it back for a month and got no response. The usual dawdling.
      CaviarRed
      • Yeah, that sounds reasonable...

        Sort of like being a friendly neighbor and telling the guy across the street that his window is open...

        And then inviting a bunch of crack heads out to rob him if he doesn't close it.
        mrefuman
        • Then close your window

          That way you won't get a draft.
          CaviarRed
        • Not really

          No.
          The crackheads already know that the window lock is broken and it's just a matter of time before they come to steal everything. But the window manufacturer doesn't care about or acknowledge the problem.

          What he did is tell everyone ELSE, including the homeowner, that the window locks are broken.
          So they can all do something about it before the crackheads show up.
          So the "window manufacturer" is forced to fix the problem that THEY caused and that only THEY can fix.
          exolon
          • Hey, nice fantasy you got goin't there, pal

            lol...
            CaviarRed
    • Get it right Microsoft software has the vulnerability.

      "irresponsible, arrogant and negligent" absolutely and Microsoft should be held responsible for it. It is their software and their "responsibility. Is any piece of software 100%, no but who is responsible for it not being secure? The software maker! Not the users or some outside security firm (unless they are hired by the software maker). At best Mr. Ormandy may be a little rude, but it is always well 100% Microsoft's responsibility to fix their on flaws in a soon as reasonably possible regardless of outside influences.
      alex_darkness
      • housebreakers

        That is like saying that every house that was broken into is the fault of the door lock manufacturer.
        mswift@...
        • Are you kidding? Door locks?

          Really. Door locks can never really be secure because they're subject to physical assault. And if a flaw is found in a lock's design, the manufacturer can't simply _upload_ a new configuration to the lock.

          Software, on the other hand, can be designed such that it is not the weak link in the chain. If a major security flaw is found in software and reported, the vendor has the ability - and the responsibility - to produce and push a fix as soon as possible.

          It doesn't take weeks to fix bugs like this. It's well within their capabilities and they're obliged - if not legally, then by simple market forces - to secure their products to a reasonable degree.
          exolon
      • Hey....

        Why would you release details of the vulnerability to the public so the public as a whole could get hit with attacks or malware? You think that is right?
        Wasn't it just recently there was a vulnerability in Linux that was unpatchable for 2 years. did anyone take advantage? No. Either because (A) Linux is small potatoes or (B) This is a Google employee giving the fing to Google's enemy - Microsoft. Soft of like getting a kick in the nets.
        Gisabun
    • Microsoft

      gained too much fat for the last 20 years. This is especially pronounced in their retarded brain activity, accompanied by their peculiar arrogance and obnoxious temper.
      So, Mr. Ormandy is giving a helping hand to them to lose weight, recover some brain power and bring a little responsibility back to the table.
      eulampius
  • Google/M$ quarrel

    Well you see this plays into Google's little PR war against M$, right now they are almost direct competitors. Android vs. Winphone 8/WinRT/Windows 8, Chromium Vs. Windows 8, and various standards and programming languages as well.. So any chance for Google to sling a little mud and make them selves look better, well of course! Thier motto is do no evil, not earn no money.. But IMHO the researcher did the right thing by holding it secret for at least more than a month.. Now it's up to M$ to fix it..
    Nick Zamparello
    • Huge difference

      Notifiying a company of a vulnerability is one thing. Researching and then releasing an exploit to take advantage of that vulnerability is another.

      Criticize Microsoft for not acting fast enough to fix the problem, sure.
      That doesn't make it right for Google to put everyone in harms way to "make a point".
      Emacho
  • How does this help anything?

    I fail to see the logic in releasing the exploit? Is the researcher trying to light a fire under Microsoft to do better with updates? Or just trying to make a pitch for users to switch to Google Chrome?
    JohnnyES-25227553276394558534412264934521
    • Re: How does this help anything?

      Yes, it does and should, since, otherwise:
      1) It takes toooo long for MS to come up with an update (e.g., 2 months vs 24 hours for Google and Mozilla after the last pwn2own).
      2) Users deserve to know the full info and be able to decide how to mitigate against the threat and might switch to another competing product until MS releases a patch.
      3) Microsoft doesn't award people for finding vulns of their products (other than saying "Thank you!"), unlike Google, for example, while they are commercial org., not a non-profit org. like Linux Foundation.
      4) Microsoft has become increasingly aggressive in imposing its products on consumers, using expensive advertising and even propaganda, sometimes (patent) FUD campaigns. They continue abusing their monopolistic muscle to strangle competition using questionable and very likely illegal means. UEFI is one instance, the other is their amended Win 8 EULA where they strip their user of any right to decline it.
      eulampius
      • @ eulampius

        Before you point your index finger at others, you should point it at yourself.

        Wait till end of October 2013 to see how Google's legal perception will change.

        EU will have asked and got all of its antitrust concessions from Google in a compliance decree. Or Fairsearch, Foundem, Nokia/Oracle/Microsoft, German book publishers, French newspapers, German privacy orgs etc etc will have all have their act together to help EU sue Google for antitrust business practices using a monopolistic marketshare.

        Save your words till then. Microsoft was indeed a monopoly in the x86 platform OS market. And it did use antitrust or anticompetitive business practices between 1993 and 1997. But that was it. It ended there. It got sued for bundling IE and WMP and it got indicted and then paid its penalties and fines. Game over. They in fact changed their business practices to be more collaborative with the rest of the industry and have helped Novell, Apple, Sun etc will large cash doles to survive. That change should be apparent to anyone who watched them over the last two decades.

        Google's troubles are just beginning. And this is just continued evidence of an anticompetitive business practice at their top management level. They better be careful since people are watching them.
        calahan
        • I think

          you got too much of the "don't get scroogled" and droidrage campaign. It's Microsoft we're talking about, not Google.
          Google, nor anyone else is responsible for the sh%#$t that Microsoft creates and doesn't clean up after itself. Blame the monopoly and you use it.
          eulampius
  • Confused. Is there an in-the-wild exploit for this kernel vulnerability?

    Microsoft says no. And on Full Disclosure, Tavis Ormandy requested help with finding a reliable exploit for the vulnerability.

    I don't see how this episode relates to Google's new disclosure timeline of seven days for bugs that are being actively exploited. It appears that Mr. Ormandy is continuing with his one man band.
    Rabid Howler Monkey
  • Google researcher publishes Windows zero-day exploit

    "Google Researcher" now that is an oxymoron if I ever heard one. Google copies everything. This is irresponsible for this Google employee to publish such a thing and looks bad for both him and his employer. I hope Microsoft takes legal action against him and sues for potential damages. After that Google nor its employees will ever publish another exploit.
    Loverock-Davidson