A Google security engineer accused Microsoft of treating outside researchers with "great hostility" just days before posting details of an unpatched vulnerability in Windows that could be used to crash PCs or gain additional access rights.
Microsoft acknowledged the vulnerability late Wednesday. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," said Dustin Childs, a spokesman for the company's security response group, in an email. "We have not detected any attacks against this issue, but will take appropriate action to protect our customers."
Childs declined to answer additional questions, including whether Microsoft had been aware of the vulnerability before it surfaced on the Full Disclosure security mailing list May 17, or when it would release a patch.
Tavis Ormandy, a Google security engineer, revealed the bug on Full Disclosure, where he discussed the flaw in the Windows kernel driver, "Win32k.sys," and asked for help in overcoming a roadblock. "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he wrote.
Ormandy had first published information about the vulnerability in March to GitHub in an effort to solicit help or entice other researchers to investigate. That information no longer appears on GitHub, however.
On Monday, Ormandy again posted to Full Disclosure, going into more detail and providing demonstration code. "I have a working exploit that grants SYSTEM on all currently supported versions of Windows," claimed Ormandy. "Code is available on request to students from reputable schools."
Tuesday, Danish vulnerability research firm Secunia published a skeletal advisory, claiming it had confirmed the bug in a fully-patched copy of Windows 7 Professional and that Windows 8 and other editions might also be affected.
Secunia said that the vulnerability could be exploited to generate a denial-of-service (DoS) attack or to give an attacker elevated privileges.
Microsoft dubs the latter an "elevation of privilege," or EoP, vulnerability.
While the bug cannot be exploited remotely -- by sneaking attack code onto a compromised website, for example -- it still should be considered serious, said Andrew Storms, director of security operations at TripWire's nCircle Security.
"If you consider that it takes a number of different vulnerabilities to successfully exploit Windows or a Microsoft application, a local EoP is an important step in that chain of breaking into a Windows system," Storms said in an email.
"Note that one person responded to his [Full Disclosure message] requesting some code in hopes of adding it to Metasploit," Storms continued, referring to the popular open-source penetration testing framework used by security professionals as well as by cyber criminals. "So it might not be a big remote code bug, but it could be useful for attackers nonetheless."
Ormandy has released information and demonstration code before for Windows vulnerabilities, notably in a pair of disclosures in 2010. In one such unveiling, Ormandy acknowledged that he reported a critical bug to Microsoft only five days before going public, saying he decided to take that tack -- rather than report it privately, and give Microsoft time to patch it -- because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis.
Microsoft and some other security researchers criticized Ormandy for publicly discussing the vulnerability before it was patched, a practice known as "full disclosure" and one at odds with Microsoft's preference, called "responsible disclosure," that asks experts to report bugs privately.
Earlier in 2010, Ormandy had published information about a different Windows kernel vulnerability, pointing out that the bug had been tucked inside the operating system for at least 17 years.
Last week, Ormandy took a similar jab at Microsoft over the newest vulnerability.
"As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)," Ormandy said on Full Disclosure.
SDL, for Security Development Lifecycle, is a process and practice that Microsoft adopted to reduce the number of bugs in its software. Other vendors, including Adobe, also rely on SDL-like processes.
In a May 15 entry to his personal blog, where he also laid out some of his research, Ormandy was even more blunt in his criticism of Microsoft.
"If you solve the mystery and determine this is a security issue, send me an email and I'll update this post," Ormandy said. "If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled. [I]f this is your first time researching a potential vulnerability it might be an interesting experience.
"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with," he said. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."
Ormandy also accused journalists of abusing his disclosures. In a Monday tweet, he said, "You can't distribute exploit code to everyone, because journalists will abuse it."
When another researcher pointed out that, "But dropping write-what-where PoC [proof-of-concept] is almost the same as dropping 100% reliable exploit," Ormandy replied: "No journalist knows what that means, but the people who need this information do."
According to Vulnerapedia, a "write-what-where" condition is "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow." Such conditions "almost invariably can be used to execute arbitrary code," the entry continued.
In other words, a write-what-where condition can be exploited to run attack, or exploit, code.
Ormandy has had dust-ups with other vendors over vulnerabilities. In mid-2011, he accused Adobe of "trying to bury" an "embarrassing number" -- he said more than 400 -- of bugs in Flash Player.
Microsoft will probably not rush to patch the vulnerability Ormandy disclosed, said Storms, even though it might be usable by astute hackers. "At this point, it's difficult to imagine that Microsoft will do much of anything outside of their usual incident response that begins with confirming the bug and possibly issuing an advisory," Storms said.
Microsoft's next regularly-scheduled Patch Tuesday is June 11, or just under three weeks from today.
