Hackers exploit flaw in 'silly Microsoft code' publicised by Google engineer
Latest updates to Windows 7 & 8 fix vulnerability first identified by Tavis Ormandy
In the latest patch update for their Windows operating system, Microsoft have warned that hackers may have been actively exploiting a vulnerability made public by a Google engineer. The company claimed that “targeted attacks” had been launched, taking advantage of the flaw.
The engineer in question, Tavis Ormandy, made the flaw public in a blog post back in May. Ormandy said that he didn’t have much time “to work on silly Microsoft code” but that “the bug is really nice”. The bug in question applies only to Windows 7 and Windows 8, allowing local users to increase their security privileges.
Many security experts criticized Ormandy for publishing the vulnerability rather than directly contacting Microsoft so that they could fix the software. In a previous blog post Ormandy said that Microsoft “treat vulnerability researchers with great hostility” and are “often very difficult to work with”.
Ormandy was so wary about speaking with Microsoft’s team that he advises those researchers that do contact them to do so “under a pseudonym, using tor [an anonymous browser] and anonymous email to protect yourself”.
The reporting of software vulnerabilities by non-affiliated software engineers is a common practice and Google employees especially seem to take a keen interest in this sport. In February of this year, it was revealed that more than half of the vulnerabilities addressed in Microsoft’s monthly software update (‘Patch Tuesday’) had been identified by engineers working for the search giant.
However, normal practice is to identify faults quietly and discreetly, even if they're found in your competitors' code. Independent security specialist Graham Cluley has challenged Ormandy's actions, saying: "You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users."
"I’m not questioning Tavis Ormandy’s expertise at finding security holes, or his skills as a vulnerability researcher. There’s no doubt that he is extremely skilled in these departments. I just wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities can only be disclosed in a responsible fashion, once a patch is available."
Neither Ormandy nor Microsoft have offered any comment, but a Google spokesman made it clear that Ormandy’s time spent identifying Windows vulnerabilities was personal and not related to his work for the company.