Google researcher publishes Windows zero-day exploit
A Google researcher who recently released details about a new flaw affecting Windows has now published a working exploit for it.
Google researcher Tavis Ormandy has had run-ins with Microsoft over vulnerability disclosure before and appears to be on course for a new one after publishing an exploit ahead of Microsoft releasing a patch for the flaw. The exploit is for a vulnerability that affects a Windows kernel function in Windows 2000, XP, Vista and 7 and 8 as well as Server 2003 and 2008.
Ormandy released the exploit on Full Disclosure on Sunday, three weeks after publishing details about the flaw along with a request for help to find a more reliable way to exploit it.
Microsoft has previously said it was investigating claims there was a flaw in Windows. However, it said it had not detected any attacks using it and nor had it issued an advisory confirming the vulnerability. Consequently there was no fix either.
Following Ormandy's latest release, Microsoft today acknowledged "an issue" was affecting Windows, but re-iterated it had not detected attacks that used it.
"We are aware of an issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate actions to protect our customers," Dustin Childs, group manager of Microsoft Trustworthy Computing said in a statement to ZDNet.
Childs did not answer ZDNet's question whether it will release a patch for the flaw.
Ormandy's decision to publish the flaw and the exploit jars with Microsoft's "coordinated vulnerability disclosure" strategy, which it announced in 2010 — a month after Ormandy gave the software company five days to respond to a zero-day he published back then.
Redmond's emphasis is on researchers working with the vendor before disclosure whether or not the flaw is being exploited in the wild. It does not use a hard timeline for disclosure.
Despite Microsoft's approach, Metasploit founder and CTO of security firm Rapid7, HD Moore says Ormandy's release of the exploit in this case was fair enough.
"Personally I think [releasing the exploit] helped. After all, Tavis published a note to the full-disclosure list a few weeks ago, and Microsoft (as well as the media) had an opportunity to respond then. It wasn't until a third-party took his proof-of-concept and released a working exploit that Tavis posted his own."
Moore added that the exploit for the same flaw that was released before Ormandy's was on a Chinese website; and that Ormandy had first released details of the flaw in March.
Google recently cut its recommended disclosure timeline from 60 days to seven days for bugs that are being actively exploited. If the vendor of the product does not have a fix within that time, Google engineers said it should at least publish mitigations, which could include disabling a service or restricting access to it.