Hackers exploit flaw in 'silly Microsoft code' publicised by Google engineer
Latest updates to Windows 7 & 8 fix vulnerability first identified by Tavis Ormandy
In the latest patch update for their Windows operating system, Microsoft have warned that hackers may have been actively exploiting a vulnerability made public by a Google engineer. It claimed that “targeted attacks” had been launched, taking advantage of the flaw.
The engineer in question, Tavis Ormandy, made the flaw public in a blog post back in May. Ormandy said that he didn’t have much time “to work on silly Microsoft code” but that “the bug is really nice”. The bug in question applies only to Windows 7 and Windows 8, allowing local users to increase their security privileges.
Many security experts criticized Ormandy for publishing the vulnerability rather than directly contacting Microsoft so that they could fix the software. In a previous blog post Ormandy said that Microsoft “treat vulnerability researchers with great hostility” and are “often very difficult to work with”.
Ormandy was so wary about speaking with Microsoft’s team that he advises those researchers that do contact them to do so “under a pseudonym, using tor [an anonymous browser] and anonymous email to protect yourself”.
The reporting of software vulnerabilities by non-affiliated software engineers is a common practice and Google employees especially seem to take a keen interest in this sport. In February of this year, it was revealed that more than half of the vulnerabilities addressed in Microsoft’s monthly software update (‘Patch Tuesday’) had been identified by engineers working for the search giant.
However, normal practice is to identify faults quietly and discreetly, even if they're found in your competitors' code. Independent security specialist Graham Cluley has challenged Ormandy's actions, saying: "You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users."
"I’m not questioning Tavis Ormandy’s expertise at finding security holes, or his skills as a vulnerability researcher. There’s no doubt that he is extremely skilled in these departments. I just wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities can only be disclosed in a responsible fashion, once a patch is available."
Neither Ormandy nor Microsoft have offered any comment, but a Google spokesman made it clear that Ormandy’s time spent identifying Windows vulnerabilities was personal and not related to his work for the company.