Vulnerabilities / Threats
5/24/2013
11:22 AM
50%
50%

Google Researcher Reveals Zero-Day Windows Bug

Bug hunter criticizes Microsoft's "great hostility" to outside security researchers, releases proof-of-concept exploit for unpatched zero-day Windows vulnerability,

Google Apps To Microsoft Office 365: 10 Lessons
Google Apps To Microsoft Office 365: 10 Lessons
(click image for larger view and for slideshow)
Google security researcher Tavis Ormandy this week published full details for a zero-day Windows vulnerability, including proof-of-concept (PoC) exploit code.

Vulnerability information provider Secunia said the exploit involves a "less critical" flaw in the Windows kernel driver (win32k) that could allow an attacker to create a denial of service or gain privilege escalation. "The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to Secunia's vulnerability report. The bug reportedly exists in Windows 7 and Windows 8, and possibly other versions of Windows.

Microsoft didn't immediately respond to an emailed request for comment about the reported flaw, but according to news reports, the company has confirmed the vulnerability. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," Dustin Childs, a spokesman for Microsoft's security response group, told Computerworld. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers."

[ Experts worry public-private security information sharing would do as much to help vs. fight potential attackers. Read DHS Eyes Sharing Zero-Day Intelligence With Businesses. ]

Ormandy's full disclosure of a zero-day Windows vulnerability -- without any prior notification to Microsoft to give it time to release a fix -- drew criticism from fellow security researchers. "Dropping write-what-where PoC is almost the same as dropping 100% reliable exploit," said "vulnerability assassin" Nikita Taraanov via Twitter. A write-what-where vulnerability, according to a vulnerability remediation website, refers to "any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."

Some have questioned why Ormandy couldn't have restricted himself to a less detailed vulnerability announcement, which could have enabled researchers with similar knowledge to validate the flaw, without serving up a fully made exploit to would-be attackers. "Can't get what's the problem: text description is enough to make and test your own attack idea implementation," said security researcher Oleksiuk Dmytro via Twitter.

Ormandy, a Switzerland-based British information security researcher who works at Google -- charged with keeping the company's products secure -- appears to have a beef with Microsoft. "Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy said in a post to his personal blog this month. "I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself."

According to Ormandy, he first spotted spotted the bug earlier this year in a component of the Windows kernel driver. "Testing win32k under memory pressure, this causes an EPATHOBJ to end up in userspace. Anyone want to investigate?" tweeted Ormandy in March.

On May 15, Ormandy posted additional details about the apparent vulnerability on his personal blog, offering pointers on where "to start looking to look for exploitation opportunities, possibly turning this into code execution."

On May 17, Ormandy disclosed further details. "The bug is really nice, but exploitation when allocations start failing is tricky," he said in an email to the Full Disclosure mailing list. "As vuln-dev is dead, I thought I'd post here, I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.

He said the flaw seemed to be present at least in Windows 7 and 8, although it might affect all versions of Windows. "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed," he said, referring to Microsoft's Security Development Lifecycle.

By May 20, Ormandy reported that he'd discovered "a really cute trick" that could be used to exploit the vulnerability. "Anyone want to volunteer to write it up over the weekend?" he said. Nine hours later, with no replies, he continued: "I guess I'm talking to myself, maybe this list is all about XSS now."

The isn't the first time that Ormandy, a veteran bug hunter, has released a zero-day vulnerability with little, if any, warning. In 2010, for example, Ormandy published details of an unpatched, zero-day Java vulnerability. The same year, he released details for a newly discovered, 17-year-old Windows vulnerability, and also filed a vulnerability alert directly with Microsoft about a Help Center bug that could be used to execute a near-silent exploit of a targeted Windows XP and Windows Server 2003 system. Just five days after privately alerting Microsoft to the latter flaw, Ormandy publicly released full vulnerability details and proof-of-concept exploit code.

Partially as a response to those unannounced disclosures, Microsoft in 2010 released, and then updated in 2011, its coordinated vulnerability disclosure policies, pointedly dropping its previous "responsible disclosure" nomenclature. According to Microsoft, some security researchers had a strong emotional response to tying vulnerability disclosure to notions of responsibility.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Terabyte Net
50%
50%
Terabyte Net,
User Rank: Apprentice
5/24/2013 | 9:42:19 PM
re: Google Researcher Reveals Zero-Day Windows Bug
It's totally irresponsible for an employee of a major company like Google to refuse to go to another vendor, even if they have a beef with that vendor, before releasing a PoC to the public. This is negligent and unprofessional. Google should fire him over this lest Google will become the target of other vendors if they continue to allow this.
DonDK
50%
50%
DonDK,
User Rank: Apprentice
6/21/2013 | 3:18:48 AM
re: Google Researcher Reveals Zero-Day Windows Bug
Utterly irresponsible fella. Aiding and abetting should be a crime too... If anyone uses this exploit to steal data, this person should be made criminally responsible.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7444
Published: 2015-09-01
The Special:Contributions page in MediaWiki before 1.22.0 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.

CVE-2015-2807
Published: 2015-09-01
Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

CVE-2015-6520
Published: 2015-09-01
IPPUSBXD before 1.22 listens on all interfaces, which allows remote attackers to obtain access to USB connected printers via a direct request.

CVE-2015-6727
Published: 2015-09-01
The Special:DeletedContributions page in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 allows remote attackers to determine if an IP is autoblocked via the "Change block" text.

CVE-2015-6728
Published: 2015-09-01
The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.