Google researcher's outing of Windows vulnerability may have led to cyber forays

Following the outing of a vulnerability in Windows by a security researcher who works for Google, Microsoft said Tuesday that it detected a number of targeted attacks exploiting the flaw.

The revelation was made in a security alert issued by Microsoft on the same day it addressed the vulnerability in its monthly "Patch Tuesday" package of fixes for July.

"Microsoft detected targeted elevation of privilege attacks after the issue became publicly known," Microsoft Trustworthy Computing spokesperson Dustin Childs said in an email.

Microsoft would not elaborate on its findings.

The vulnerability was aired in May by Tavis Ormandy, who is employed by Google but claimed to be acting independently when he revealed the flaw in a security blog. The vulnerability in Windows 7 and 8 allows local users to obtain escalated privileges, making it easier for a hacker to compromise a system.

Ormandy did not respond to a request for an interview for this story.

Google also declined to comment, although it's believed the company is working with Ormandy to improve communications between the researcher and Microsoft.

Ormandy has been criticized by some in the security community who subscribe to the practice that a vulnerability shouldn't be made public until a software maker has an opportunity to fix it.

"In the past Tavis Ormandy has publicized vulnerabilities in Microsoft's code that have then been exploited by malicious hackers to infect the computers of innocent Internet users," security researcher Graham Cluley said.

"It's hard to argue against the belief that those computer users would not have been hit if Tavis Ormandy had not shared demo code exploiting the vulnerabilities which hackers could build their own attacks upon," he added.

Discovering a previously unknown or "Zero Day" vulnerability carries a lot of responsibility, said Bogdan Botezatu, a senior e-threat analyst with Bitdefender.


"Most of the times, ethical hackers do not disclose proof-of-concept code for unpatched vulnerabilities, because this would dramatically impact the security of users running the respective software," Botezatu said.

"Although in most of the cases disclosure is highly not recommended, more and more security researchers are doing it as a last resort, if the vendor postpones a fix or does not plan to treat the issue," he said.

"Throwing the exploit code into the wild exposes the machines," he added. "But also minimizes the window of opportunity and forces the vendor to come with a fix to avoid mass exploitation."

Cluley explained that members of the security community aren't monolithic in how they treat the vulnerabilities they find.

"There is a hardcore section of the security researcher community who feel it is better for all information to be free, even if a fix is not yet available," he said. "This is, essentially, a religious debate -- with neither side prepared to bend much to accept the others' point of view."

Cluley said that vulnerability researchers sometimes need to be realistic about the processes a firm needs to go through to evaluate a vulnerability report, replicate the behavior, produce a fix, test that the fix does not cause any other problems and incompatibilities and then roll it out to millions of users.

"Generally, Microsoft's security team does an excellent job," he said. "Vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers."

The question of when vulnerabilities are made public, however, doesn't address an even bigger problem facing software users, said George Tubin, a senior security strategist with Trusteer.

"Vulnerabilities are there whether they're disclosed or not, and there are other vulnerabilities out there right now that we don't know about but somewhere down the road we will find out about them," Tubin said.

"We have to realize that the software we're using has vulnerabilities, and we need to put protections in place to protect us from them," he said.

Stories by John P. Mello