Vulnerabilities / Threats
5/24/2013
11:22 AM
50%
50%

Google Researcher Reveals Zero-Day Windows Bug

Bug hunter criticizes Microsoft's "great hostility" to outside security researchers, releases proof-of-concept exploit for unpatched zero-day Windows vulnerability,

Google Apps To Microsoft Office 365: 10 Lessons
Google Apps To Microsoft Office 365: 10 Lessons
(click image for larger view and for slideshow)
Google security researcher Tavis Ormandy this week published full details for a zero-day Windows vulnerability, including proof-of-concept (PoC) exploit code.

Vulnerability information provider Secunia said the exploit involves a "less critical" flaw in the Windows kernel driver (win32k) that could allow an attacker to create a denial of service or gain privilege escalation. "The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to Secunia's vulnerability report. The bug reportedly exists in Windows 7 and Windows 8, and possibly other versions of Windows.

Microsoft didn't immediately respond to an emailed request for comment about the reported flaw, but according to news reports, the company has confirmed the vulnerability. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," Dustin Childs, a spokesman for Microsoft's security response group, told Computerworld. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers."

[ Experts worry public-private security information sharing would do as much to help vs. fight potential attackers. Read DHS Eyes Sharing Zero-Day Intelligence With Businesses. ]

Ormandy's full disclosure of a zero-day Windows vulnerability -- without any prior notification to Microsoft to give it time to release a fix -- drew criticism from fellow security researchers. "Dropping write-what-where PoC is almost the same as dropping 100% reliable exploit," said "vulnerability assassin" Nikita Taraanov via Twitter. A write-what-where vulnerability, according to a vulnerability remediation website, refers to "any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."

Some have questioned why Ormandy couldn't have restricted himself to a less detailed vulnerability announcement, which could have enabled researchers with similar knowledge to validate the flaw, without serving up a fully made exploit to would-be attackers. "Can't get what's the problem: text description is enough to make and test your own attack idea implementation," said security researcher Oleksiuk Dmytro via Twitter.

Ormandy, a Switzerland-based British information security researcher who works at Google -- charged with keeping the company's products secure -- appears to have a beef with Microsoft. "Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy said in a post to his personal blog this month. "I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself."

According to Ormandy, he first spotted spotted the bug earlier this year in a component of the Windows kernel driver. "Testing win32k under memory pressure, this causes an EPATHOBJ to end up in userspace. Anyone want to investigate?" tweeted Ormandy in March.

On May 15, Ormandy posted additional details about the apparent vulnerability on his personal blog, offering pointers on where "to start looking to look for exploitation opportunities, possibly turning this into code execution."

On May 17, Ormandy disclosed further details. "The bug is really nice, but exploitation when allocations start failing is tricky," he said in an email to the Full Disclosure mailing list. "As vuln-dev is dead, I thought I'd post here, I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.

He said the flaw seemed to be present at least in Windows 7 and 8, although it might affect all versions of Windows. "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed," he said, referring to Microsoft's Security Development Lifecycle.

By May 20, Ormandy reported that he'd discovered "a really cute trick" that could be used to exploit the vulnerability. "Anyone want to volunteer to write it up over the weekend?" he said. Nine hours later, with no replies, he continued: "I guess I'm talking to myself, maybe this list is all about XSS now."

The isn't the first time that Ormandy, a veteran bug hunter, has released a zero-day vulnerability with little, if any, warning. In 2010, for example, Ormandy published details of an unpatched, zero-day Java vulnerability. The same year, he released details for a newly discovered, 17-year-old Windows vulnerability, and also filed a vulnerability alert directly with Microsoft about a Help Center bug that could be used to execute a near-silent exploit of a targeted Windows XP and Windows Server 2003 system. Just five days after privately alerting Microsoft to the latter flaw, Ormandy publicly released full vulnerability details and proof-of-concept exploit code.

Partially as a response to those unannounced disclosures, Microsoft in 2010 released, and then updated in 2011, its coordinated vulnerability disclosure policies, pointedly dropping its previous "responsible disclosure" nomenclature. According to Microsoft, some security researchers had a strong emotional response to tying vulnerability disclosure to notions of responsibility.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Terabyte Net
50%
50%
Terabyte Net,
User Rank: Apprentice
5/24/2013 | 9:42:19 PM
re: Google Researcher Reveals Zero-Day Windows Bug
It's totally irresponsible for an employee of a major company like Google to refuse to go to another vendor, even if they have a beef with that vendor, before releasing a PoC to the public. This is negligent and unprofessional. Google should fire him over this lest Google will become the target of other vendors if they continue to allow this.
DonDK
50%
50%
DonDK,
User Rank: Apprentice
6/21/2013 | 3:18:48 AM
re: Google Researcher Reveals Zero-Day Windows Bug
Utterly irresponsible fella. Aiding and abetting should be a crime too... If anyone uses this exploit to steal data, this person should be made criminally responsible.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?