Hackers exploit flaw in 'silly Microsoft code' publicised by Google engineer
Latest updates to Windows 7 & 8 fix vulnerability first identified by Tavis Ormandy
Wednesday 10 July 2013
In the latest patch update for their Windows operating system, Microsoft have warned that hackers may have been actively exploiting a vulnerability made public by a Google engineer. It claimed that “targeted attacks” had been launched, taking advantage of the flaw.
The engineer in question, Tavis Ormandy, made the flaw public in a blog post back in May. Ormandy said that he didn’t have much time “to work on silly Microsoft code” but that “the bug is really nice”. The bug in question applies only to Windows 7 and Windows 8, allowing local users to increase their security privileges.
Many security experts criticized Ormandy for publishing the vulnerability rather than directly contacting Microsoft so that they could fix the software. In a previous blog post Ormandy said that Microsoft “treat vulnerability researchers with great hostility” and are “often very difficult to work with”.
Ormandy was so wary about speaking with Microsoft’s team that he advises those researchers that do contact them to do so “under a pseudonym, using tor [an anonymous browser] and anonymous email to protect yourself”.
The reporting of software vulnerabilities by non-affiliated software engineers is a common practice and Google employees especially seem to take a keen interest in this sport. In February of this year, it was revealed that more than half of the vulnerabilities addressed in Microsoft’s monthly software update (‘Patch Tuesday’) had been identified by engineers working for the search giant.
However, normal practice is to identify faults quietly and discreetly, even if they are found in your competitors' code. Independent security specialist Graham Cluley has challenged Ormandy's actions, saying: "You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users."
"I’m not questioning Tavis Ormandy’s expertise at finding security holes, or his skills as a vulnerability researcher. There’s no doubt that he is extremely skilled in these departments. I just wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities can only be disclosed in a responsible fashion, once a patch is available."
Neither Ormandy nor Microsoft have offered any comment, but a Google spokesman made it clear that Ormandy’s time spent identifying Windows vulnerabilities was personal and not related to his work for the company.