Bug hunter criticizes Microsoft's "great hostility" to outside security researchers, releases proof-of-concept exploit for unpatched zero-day Windows vulnerability,

Mathew J. Schwartz, Contributor

May 24, 2013

5 Min Read

Google Apps To Microsoft Office 365: 10 Lessons

Google Apps To Microsoft Office 365: 10 Lessons


Google Apps To Microsoft Office 365: 10 Lessons (click image for larger view and for slideshow)

Google security researcher Tavis Ormandy this week published full details for a zero-day Windows vulnerability, including proof-of-concept (PoC) exploit code.

Vulnerability information provider Secunia said the exploit involves a "less critical" flaw in the Windows kernel driver (win32k) that could allow an attacker to create a denial of service or gain privilege escalation. "The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to Secunia's vulnerability report. The bug reportedly exists in Windows 7 and Windows 8, and possibly other versions of Windows.

Microsoft didn't immediately respond to an emailed request for comment about the reported flaw, but according to news reports, the company has confirmed the vulnerability. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," Dustin Childs, a spokesman for Microsoft's security response group, told Computerworld. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers."

[ Experts worry public-private security information sharing would do as much to help vs. fight potential attackers. Read DHS Eyes Sharing Zero-Day Intelligence With Businesses. ]

Ormandy's full disclosure of a zero-day Windows vulnerability -- without any prior notification to Microsoft to give it time to release a fix -- drew criticism from fellow security researchers. "Dropping write-what-where PoC is almost the same as dropping 100% reliable exploit," said "vulnerability assassin" Nikita Taraanov via Twitter. A write-what-where vulnerability, according to a vulnerability remediation website, refers to "any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow."

Some have questioned why Ormandy couldn't have restricted himself to a less detailed vulnerability announcement, which could have enabled researchers with similar knowledge to validate the flaw, without serving up a fully made exploit to would-be attackers. "Can't get what's the problem: text description is enough to make and test your own attack idea implementation," said security researcher Oleksiuk Dmytro via Twitter.

Ormandy, a Switzerland-based British information security researcher who works at Google -- charged with keeping the company's products secure -- appears to have a beef with Microsoft. "Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy said in a post to his personal blog this month. "I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself."

According to Ormandy, he first spotted spotted the bug earlier this year in a component of the Windows kernel driver. "Testing win32k under memory pressure, this causes an EPATHOBJ to end up in userspace. Anyone want to investigate?" tweeted Ormandy in March.

On May 15, Ormandy posted additional details about the apparent vulnerability on his personal blog, offering pointers on where "to start looking to look for exploitation opportunities, possibly turning this into code execution."

On May 17, Ormandy disclosed further details. "The bug is really nice, but exploitation when allocations start failing is tricky," he said in an email to the Full Disclosure mailing list. "As vuln-dev is dead, I thought I'd post here, I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he said.

He said the flaw seemed to be present at least in Windows 7 and 8, although it might affect all versions of Windows. "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed," he said, referring to Microsoft's Security Development Lifecycle.

By May 20, Ormandy reported that he'd discovered "a really cute trick" that could be used to exploit the vulnerability. "Anyone want to volunteer to write it up over the weekend?" he said. Nine hours later, with no replies, he continued: "I guess I'm talking to myself, maybe this list is all about XSS now."

The isn't the first time that Ormandy, a veteran bug hunter, has released a zero-day vulnerability with little, if any, warning. In 2010, for example, Ormandy published details of an unpatched, zero-day Java vulnerability. The same year, he released details for a newly discovered, 17-year-old Windows vulnerability, and also filed a vulnerability alert directly with Microsoft about a Help Center bug that could be used to execute a near-silent exploit of a targeted Windows XP and Windows Server 2003 system. Just five days after privately alerting Microsoft to the latter flaw, Ormandy publicly released full vulnerability details and proof-of-concept exploit code.

Partially as a response to those unannounced disclosures, Microsoft in 2010 released, and then updated in 2011, its coordinated vulnerability disclosure policies, pointedly dropping its previous "responsible disclosure" nomenclature. According to Microsoft, some security researchers had a strong emotional response to tying vulnerability disclosure to notions of responsibility.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights