A Google researcher who recently discovered a bug affecting Windows, disclosed a few days ago, has now published a working exploit for the flaw without contacting the software company first.
Just a few days ago, Google posted details of a flaw in Microsoft Windows that can be used to crash PCs or gain additional access rights.
Dustin Childs acknowledged unpatched vulnerability in Windows:
Acknowledging the unpatched vulnerability in Windows, Dustin Childs, a spokesman for Microsoft's security response group, said in an email late Wednesday, "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers."
Childs did not answer further questions about the release of a patch or whether Microsoft had been aware of the vulnerability before it surfaced on the Full Disclosure security mailing list on May 17.
Google researcher Tavis Ormandy:
Google researcher Tavis Ormandy disclosed the vulnerability on Full Disclosure, discussing the flaw in the Windows kernel driver "Win32k.sys" in Windows 2000, XP, Vista, 7 and 8 as well as Server 2003 and 2008, and also publishing the working exploit and releasing a patch for the flaw.
He said, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."
Ormandy released the exploit on Sunday, three weeks after the details of the flaw were published and new ways to exploit it with the help of a patch were released on Full Disclosure.
Microsoft was investigating the claims that the flaw exists. However, it was later confirmed that no attacks had been detected and no advisory confirming the vulnerability had been issued, so there was no fix at all.
Following the recent release by Google researcher Tavis Ormandy, Microsoft acknowledged a bug affecting Windows; however, attacks against the bug have not been detected as yet.
Ormandy posted to Full Disclosure yet again on Monday, stating, "I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools."
"As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)," Ormandy said on Full Disclosure.
HD Moore's take on Ormandy's release:
HD Moore, Metasploit founder and CTO of security firm Rapid7, says Ormandy's release of the exploit in this case was fair enough despite Microsoft's approach.
"Personally I think [releasing the exploit] helped. After all, Tavis published a note to the full-disclosure list a few weeks ago, and Microsoft (as well as the media) had an opportunity to respond then. It wasn't until a third-party took his proof-of-concept and released a working exploit that Tavis posted his own."
A patch or working exploit for the flaw had previously been released on a Chinese website, before Ormandy's. Moore added that it was Tavis Ormandy who first released details of the flaw in March.
Ormandy has released information and demonstration code for Windows vulnerabilities before, in a couple of disclosures in 2010.
Andrew Storms, director of security operations at TripWire's nCircle Security:
Andrew Storms, director of security operations at TripWire's nCircle Security said, "While the bug cannot be exploited remotely -- by sneaking attack code onto a compromised website, for example -- it still should be considered serious."
Storms added in an email, "If you consider that it takes a number of different vulnerabilities to successfully exploit Windows or a Microsoft application, a local EoP is an important step in that chain of breaking into a Windows system."
"Note that one person responded to his [Full Disclosure message] requesting some code in hopes of adding it to Metasploit. So it might not be a big remote code bug, but it could be useful for attackers nonetheless," Storms continued, referring to the popular open-source penetration testing framework used by security professionals as well as by cyber criminals.
Google has changed its disclosure timeline from 60 days to 7 days for actively exploited bugs. If the vendor does not have a fix within this time, Google researchers suggested publishing mitigations, which could help in disabling a service or restricting access to it.