Vulnerability Management

Google engineer posts exploit for Windows kernel bug

A Google security engineer on Sunday posted a working exploit for a Windows kernel privilege escalation vulnerability that he publicly disclosed last month.

Tavis Ormandy, who butted heads with Microsoft three years ago after he published details about a Windows Help and Support Center flaw before the software giant had a fix in place, initially posted the latest bug to the Full Disclosure mailing list back in mid-May.

According to vulnerability management firm Secunia, the weakness could be exploited to escalate privileges or cause a denial-of-service.

"The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege," according to a Secunia advisory. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional...and reported on Windows 8. Other versions may also be affected."

In the case three years ago, Ormandy said he publicly disclosed the vulnerability after he and Microsoft failed to negotiate a timeline for a fix. With the current vulnerability, he appears to never have contacted Redmond.

"Note that Microsoft [treats] vulnerability researchers with great hostility, and are often very difficult to work with," Ormandy wrote May 15 on his personal blog. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Dustin Childs, group manager of Microsoft Trustworthy Computing, told SCMagazine.com in a statement that the firm is investigating the issue and is not aware of any active attacks.

Ormandy is a Swiss-based researcher at Google, which last week unveiled a strict new policy that asks software vendors to respond within seven days to vulnerabilities being exploited in the wild. In 2010, after its dispute with Ormandy, Microsoft launched a new initiative that attempted to reframe the debate around vulnerability disclosure.

The company has faced criticism for being slow to respond to vulnerability reports and for refusing to pay researchers, similar to Adobe and Apple. Other software companies, though, have created so-called bug bounty programs to compensate researchers for their finds, including Google and Mozilla.

Ormandy could not be reached for comment by SCMagazine.com.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.