Bug controversially disclosed by Tavis Ormandy was used in “limited” attacks, Microsoft confirms
Microsoft says attackers have been using a vulnerability that was controversially publicly disclosed by a Google researcher.
In May, security expert Tavis Ormandy caused a storm by exposing the flaw, which was patched yesterday, instead of privately notifying Microsoft. Ormandy later went on a rant criticising Microsoft for treating security researchers with “great hostility”.
In its critical MS13-053 bulletin from yesterday’s Patch Tuesday release, Microsoft said it had resolved two publicly disclosed flaws and six privately reported vulnerabilities in Windows.
In a separate post, it said the flaw uncovered by Ormandy had been used “to achieve elevation of privilege in limited, targeted attacks”. Little more detail was revealed, but targeted attacks often hit high-profile targets such as governments and financial institutions.
Ormandy had shown how to exploit a memory management problem in win32k.sys. Windows 7 and 8 were both affected.
But the Google researcher came under fire for disclosing the flaw so publicly. The exploit code eventually made its way into the Metasploit framework, so it has not surprised many that attacks were seen in the wild.
Ormandy has previous when it comes to upsetting tech companies. In 2012, he accused Sophos of “poor development practices and coding standards” after he uncovered some nasty flaws.
Busy Patch Tuesday
Yesterday also saw Microsoft cover off 17 issues in Internet Explorer in another critical update, affecting all versions of Internet Explorer on all supported releases of Windows.
“An attacker who successfully exploited these vulnerabilities could gain the same rights as the logged-on user,” the firm said in a blog post.
“These issues were privately disclosed and we have not detected any attacks or customer impact.”
Seven bulletins were released by Microsoft yesterday, six of which were critical.
Microsoft also announced that developers will be required to submit an update for any app on the Windows Store within 180 days of being notified of a critical or important vulnerability.
“This assumes the app is not currently being exploited in the wild. In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.”