Slashdot Mirror


Google Security Expert Finds, Publicly Discloses Windows Kernel Bug

hypnosec writes "Security expert Tavis Ormandy has discovered a vulnerability in the Windows kernel which, when exploited, would allow an ordinary user to obtain administrative privileges of the system. Google's security pro posted the details of the vulnerability back in May through the Full Disclosure mailing list rather than reporting it to Microsoft first. He has now gone ahead and published a working exploit. This is not the first instance where Ormandy has opted for full disclosure without first informing the vendor of the affected software."

8 of 404 comments

  1. Target Microsoft by mrbluejello · Score: 5, Interesting

    If it hadn't been Microsoft, Google may have been a bit more responsible about this, but since it makes their competitor look bad, time to forget about "do no evil".

  2. Full disclosure and open/closed source by intermodal · Score: 5, Interesting

    The irony of the difference between closed source and open source is that while Ormandy has posted an exploit to this Windows bug, in the open-source world he potentially could have posted a fix too, considering he's the one who seems to understand the bug itself the best...

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  3. Re:huge conflict of interest by Hatta · Score: 4, Interesting

    Why does it matter? Full disclosure is the only responsible choice. That doesn't change no matter who your employer is.

    --
    Give me Classic Slashdot or give me death!
  4. aiding and abetting &amp; computer fraud and abuse act by anthony_greer · Score: 5, Interesting

    Can Google and/or this guy be prosecuted for this, because releasing the working demo is basically aiding and abetting a criminal?

  5. Win 32bit only? Meh by snikulin · Score: 3, Interesting

    The code is clearly targeted at x86 only, not x64 (__declspec(naked)).
    I don't have an x86 PC.
    On Win7 x64 the code plainly crashes.

    Unimpressed.

  6. Re:Seriously, by seebs · Score: 4, Interesting

    It's news that a Google employee is being a dick, since they do have a "do no evil" policy.

    No, they don't. They have a "do no evil" slogan. They have been just as actively evil as everyone else for years.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  7. Re:But not to give them a chance to correct it fir by wierd_w · Score: 3, Interesting

    I never said I believed in "unbeatable protection". That's a strawman. I basically said that "out of sight, out of mind!" is not a proper risk mitigation practice. Most certainly NOT the same thing as professing a belief in perfect security.

    Proper keypair generation attempts to make it more costly for the attacker to profit from the action of hacking, and actually demonstrates this fact for them, should they try anyway.

    Shitty obscurity-based half-assery fakes being strong, to deter attempts, but fails easily on inspection. Something like using a password to XOR a file and calling it "encrypted", or doing what Sony did and reusing the same salt over and over again, completely defeating the purpose of the salt in the process.

    Relying on "don't tell anybody! We'll get to it eventually, and if you don't tell, nobody will find out!" is bullshit, which is what typically happens with so-called "responsible disclosure." I have heard of serious exploits hanging around for YEARS after being "responsibly disclosed."

    I understand that you can't fix the hole instantly, and that the patch needs to be tested to make sure it doesn't poke another hole elsewhere. However, informing the people most at risk (customers) that they need to take some mitigating actions to reduce the threat, and to watch for signs of exploitation until the patch is ready, is the responsible thing for the software vendor to do. NOT hide the exploit and try to forget about it, while less scrupulous crackers silently use it in combination with other exploits to commit fraud, steal company privileged information, steal user personal data, build botnets, and worse, while pretending that "it won't happen, because nobody squealed!"

  8. Re: But not to give them a chance to correct it fi by wierd_w · Score: 5, Interesting

    The non sequitur there is in asserting that because the whitehat hasn't disclosed his findings, others haven't also independently found the hole and been more mum about it.

    Which is more profitable for a person who makes their living by stealing company secrets, laundering money through wire fraud, or selling stolen identity information?

    Using an exploit that has been publicly disclosed, and thus everyone is super paranoid about it and actively trying to plug it -- OR -- a nice little treasure trove of privately discovered exploits that aren't public knowledge that you can quietly switch to once the hole you are currently using gets discovered?

    "Saving face" for the company facilitates the real blackhats by keeping admins and users ignorant of the threat.

    All public disclosure does is make real blackhat attackers silently move to their next vector, and cause a spike in script kid activities. (And of course, make the software vendor look bad.)