Google Researcher Slams Microsoft As He Reveals Windows Security Flaw

Thomas Brewster,

Tavis Ormandy says Microsoft treats vulnerability researchers with “great hostility”

Google’s Tavis Ormandy has criticised Microsoft for treating vulnerability researchers with “great hostility”, as he released information regarding a security flaw in Windows.

Ormandy said, posting on the Full Disclosure section of Seclists.org, there was a “pretty obvious bug” in Windows, which he first detailed in March.

Windows 8 Logo InstallHe had initially found exploitation hard to achieve, but a later post on Full Disclosure indicated he had a working exploit affecting all currently supported versions of Windows, which Ormandy offered to share with “students from reputable schools”.

Windows flaw

In a separate post on his personal blog, Ormandy claimed Microsoft “are often very difficult to work with”. “I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself,” he added.

Microsoft did not respond to Ormandy’s criticisms, but did note the vulnerability. “We are aware of an issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers,” said Dustin Childs, group manager at Microsoft Trustworthy Computing.

Security company Secunia has also picked up on the flaw, saying it could be used in a privilege escalation attack, or a denial of service hit.

“The vulnerability is caused due to an error within “win32k.sys” when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege,” Secunia said in its advisory.

“The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected.”

Ormandy has previous when it comes to pouring scorn on companies for software vulnerabilities. Last year, he accused Sophos of “poor development practices and coding standards” after he found problems with the security company’s software.

Are you a security pro? Try our quiz!