Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day

Microsoft confirms probe of vulnerability hackers could use to gain additional privileges on targeted PCs

By , Computerworld |  Windows

Ormandy also accused journalists of abusing his disclosures. In a Monday tweet, he said, "You can't distribute exploit code to everyone, because journalists will abuse it."

When another researcher pointed out, "But dropping write-what-where PoC [proof-of-concept] is almost the same as dropping 100% reliable exploit," Ormandy replied: "No journalist knows what that means, but the people who need this information do."

According to Vulnerapedia, a "write-what-where" condition is "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow." Such conditions "almost invariably can be used to execute arbitrary code," the entry continued.

In other words, a write-what-where condition can be exploited to run attack, or exploit, code.

Ormandy has had dust-ups with other vendors over vulnerabilities. In mid-2011, he accused Adobe of "trying to bury" an "embarrassing number" -- he said more than 400 -- of bugs in Flash Player.

Microsoft will probably not rush to patch the vulnerability Ormandy disclosed, said Storms, even though it might be usable by astute hackers. "At this point, it's difficult to imagine that Microsoft will do much of anything outside of their usual incident response that begins with confirming the bug and possibly issuing an advisory," Storms said.

Microsoft's next regularly scheduled Patch Tuesday is June 11, just under three weeks from today.

This article, Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
