Microsoft Bug Exposed By Google Researcher Used In Targeted Attacks

Microsoft says attackers have been using a vulnerability that was controversially publicly disclosed by a Google researcher.

In May, security expert Tavis Ormandy caused a storm by exposing the flaw, which was patched yesterday, instead of privately notifying Microsoft.  Ormandy later went on a rant criticising Microsoft for treating security researchers with “great hostility”.

Targeted attacks

In its critical MS13-053 bulletin from yesterday’s Patch Tuesday release, Microsoft said it had resolved two publicly disclosed flaws and six privately reported vulnerabilities in Windows.

In a separate post, it said the flaw uncovered by Ormandy had been used “to achieve elevation of privilege in limited, targeted attacks”. Little more detail was revealed, but targeted attacks often hit high-profile targets such as governments and financial institutions.

Ormandy had shown how to exploit a memory management problem in win32k.sys. Windows 7 and 8 were both affected.

But the Google researcher came under fire for disclosing the flaw so publicly. The exploit code eventually made its way into the Metasploit framework, so it has not surprised many attacks were seen in the wild.

Ormandy has previous when it comes to upsetting tech companies. In 2012, he accused Sophos of “poor development practices and coding standards” after he uncovered some nasty flaws.

Busy Patch Tuesday

Yesterday also saw Microsoft cover off  17 issues in Internet Explorer in another critical update,  affecting all versions of Internet Explorer on all supported releases of Windows.

“An attacker who successfully exploited these vulnerabilities could gain the same rights as the logged-on user,” the firm said in a blog post.

“These issues were privately disclosed and we have not detected any attacks or customer impact.”

Seven bulletins were released by Microsoft yesterday, six of which were critical.

Microsoft also announced developers will be required to submit an updated app sitting on the Windows Store within 180 days of being notified of a critical or important vulnerability.

“This assumes the app is not currently being exploited in the wild. In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.”

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

3 mins ago

UK’s CMA Begins Probe Into Apple, Google Mobile Ecosystems

British regulator confirms investigation of Apple and Google's domination of app stores, operating systems, and…

1 hour ago

Samsung Touts AI Features With Galaxy S25 Smartphones

Launch of Samsung's Galaxy S25 Ultra, Galaxy S25+ and Galaxy S25 sees the handsets described…

4 hours ago

LinkedIn Sued Over Alleged Use Of Private Messages To Train AI

Microsoft's LinkedIn sued for allegedly using customer data, including private messages, to train AI models…

5 hours ago

Amazon To Shutter Sites In Unionised Province In Canada

1,700 jobs to be lost in Quebec, as Amazon says it will close seven sites…

20 hours ago

Google Wins UK Injunction To Halt Russian Enforcement Of Judgements

Google wins permanent injunction from London's High Court to prevent enforcement of Russian YouTube judgements

22 hours ago