Vulnerabilities / Threats
5/24/2013
11:22 AM
50%
50%

Google Researcher Reveals Zero-Day Windows Bug

Bug hunter criticizes Microsoft's "great hostility" to outside security researchers, releases proof-of-concept exploit for unpatched zero-day Windows vulnerability,

Google Apps To Microsoft Office 365: 10 Lessons
Google Apps To Microsoft Office 365: 10 Lessons
(click image for larger view and for slideshow)
Google security researcher Tavis Ormandy this week published full details for a zero-day Windows vulnerability, including proof-of-concept (PoC) exploit code.

Vulnerability information provider Secunia said the exploit involves a "less critical" flaw in the Windows kernel driver (win32k) that could allow an attacker to create a denial of service or gain privilege escalation. "The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to Secunia's vulnerability report. The bug reportedly exists in Windows 7 and Windows 8, and possibly other versions of Windows.

Microsoft didn't immediately respond to an emailed request for comment about the reported flaw, but according to news reports, the company has confirmed the vulnerability. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," Dustin Childs, a spokesman for Microsoft's security response group, told Computerworld. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers."

[ Experts worry public-private security information sharing would do as much to help vs. fight potential attackers. Read DHS Eyes Sharing Zero-Day Intelligence With Businesses. ]

Ormandy's full disclosure of a zero-day Windows vulnerability -- without any prior notification to Microsoft to give it time to release a fix -- drew criticism from fellow security researchers. "Dropping write-what-where PoC is almost the same as dropping 100% reliable exploit," said "vulnerability assassin" Nikita Taraanov via Twitter. A write-what-where vulnerability, according to a vulnerability remediation website, refers to "any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."

Some have questioned why Ormandy couldn't have restricted himself to a less detailed vulnerability announcement, which could have enabled researchers with similar knowledge to validate the flaw, without serving up a fully made exploit to would-be attackers. "Can't get what's the problem: text description is enough to make and test your own attack idea implementation," said security researcher Oleksiuk Dmytro via Twitter.

Ormandy, a Switzerland-based British information security researcher who works at Google -- charged with keeping the company's products secure -- appears to have a beef with Microsoft. "Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy said in a post to his personal blog this month. "I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself."

According to Ormandy, he first spotted spotted the bug earlier this year in a component of the Windows kernel driver. "Testing win32k under memory pressure, this causes an EPATHOBJ to end up in userspace. Anyone want to investigate?" tweeted Ormandy in March.

On May 15, Ormandy posted additional details about the apparent vulnerability on his personal blog, offering pointers on where "to start looking to look for exploitation opportunities, possibly turning this into code execution."

On May 17, Ormandy disclosed further details. "The bug is really nice, but exploitation when allocations start failing is tricky," he said in an email to the Full Disclosure mailing list. "As vuln-dev is dead, I thought I'd post here, I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.

He said the flaw seemed to be present at least in Windows 7 and 8, although it might affect all versions of Windows. "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed," he said, referring to Microsoft's Security Development Lifecycle.

By May 20, Ormandy reported that he'd discovered "a really cute trick" that could be used to exploit the vulnerability. "Anyone want to volunteer to write it up over the weekend?" he said. Nine hours later, with no replies, he continued: "I guess I'm talking to myself, maybe this list is all about XSS now."

The isn't the first time that Ormandy, a veteran bug hunter, has released a zero-day vulnerability with little, if any, warning. In 2010, for example, Ormandy published details of an unpatched, zero-day Java vulnerability. The same year, he released details for a newly discovered, 17-year-old Windows vulnerability, and also filed a vulnerability alert directly with Microsoft about a Help Center bug that could be used to execute a near-silent exploit of a targeted Windows XP and Windows Server 2003 system. Just five days after privately alerting Microsoft to the latter flaw, Ormandy publicly released full vulnerability details and proof-of-concept exploit code.

Partially as a response to those unannounced disclosures, Microsoft in 2010 released, and then updated in 2011, its coordinated vulnerability disclosure policies, pointedly dropping its previous "responsible disclosure" nomenclature. According to Microsoft, some security researchers had a strong emotional response to tying vulnerability disclosure to notions of responsibility.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DonDK
50%
50%
DonDK,
User Rank: Apprentice
6/21/2013 | 3:18:48 AM
re: Google Researcher Reveals Zero-Day Windows Bug
Utterly irresponsible fella. Aiding and abetting should be a crime too... If anyone uses this exploit to steal data, this person should be made criminally responsible.
Terabyte Net
50%
50%
Terabyte Net,
User Rank: Apprentice
5/24/2013 | 9:42:19 PM
re: Google Researcher Reveals Zero-Day Windows Bug
It's totally irresponsible for an employee of a major company like Google to refuse to go to another vendor, even if they have a beef with that vendor, before releasing a PoC to the public. This is negligent and unprofessional. Google should fire him over this lest Google will become the target of other vendors if they continue to allow this.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0547
Published: 2015-07-04
The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0548
Published: 2015-07-04
The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0551
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P2...

CVE-2015-1966
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafte...

CVE-2015-4196
Published: 2015-07-04
Platform Software before 4.4.5 in Cisco Unified Communications Domain Manager (CDM) 8.x has a hardcoded password for a privileged account, which allows remote attackers to obtain root access by leveraging knowledge of this password and entering it in an SSH session, aka Bug ID CSCuq45546.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report