Google engineer posts exploit for Windows kernel bug


A Google security engineer on Sunday posted a working exploit for a Windows kernel privilege escalation vulnerability that he publicly disclosed last month.

Tavis Ormandy, who butted heads with Microsoft three years ago after he published details about a Windows Help and Support Center flaw before the software giant had a fix in place, initially posted the latest bug to the Full Disclosure mailing list back in mid-May.

According to vulnerability management firm Secunia, the weakness could be exploited to escalate privileges or cause a denial-of-service.

"The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to a Secunia advisory. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional...and reported on Windows 8. Other versions may also be affected."

In the case three years ago, Ormandy said he publicly disclosed the vulnerability after he and Microsoft failed to agree on a timeline for a fix. With the current vulnerability, he appears never to have contacted Redmond at all.

"Note that Microsoft [treats] vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy wrote May 15 on his personal blog. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Dustin Childs, group manager of Microsoft Trustworthy Computing, said in a statement that the company is investigating the issue and is not aware of any active attacks exploiting it.

Ormandy is a Swiss-based researcher at Google, which last week unveiled a strict new policy that asks software vendors to respond within seven days to vulnerabilities being exploited in the wild. In 2010, after its dispute with Ormandy, Microsoft launched a new initiative that attempted to reframe the debate around vulnerability disclosure.

The company has faced criticism for being slow to respond to vulnerability reports and for refusing to pay researchers, a stance it shares with Adobe and Apple. Other software companies, including Google and Mozilla, have created so-called bug bounty programs to compensate researchers for their finds.

Ormandy could not be reached for comment by
