Slashdot Mirror


Google Security Expert Finds, Publicly Discloses Windows Kernel Bug

hypnosec writes "Security expert Tavis Ormandy has discovered a vulnerability in the Windows kernel which, when exploited, would allow an ordinary user to obtain administrative privileges of the system. Google's security pro posted the details of the vulnerability back in May through the Full Disclosure mailing list rather than reporting it to Microsoft first. He has now gone ahead and published a working exploit. This is not the first instance where Ormandy has opted for full disclosure without first informing the vendor of the affected software."

1 of 404 comments

  1. Re:But not to give them a chance to correct it fir by K. S. Kyosuke · · Score: 0, Offtopic

    History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.

    No, what actually gets a patch to users is when you find a vulnerability, use it to hack into Microsoft servers, download their repository, fix the bug, rebuild the kernel, generate the patch, steal Microsoft signing certificates, sign the patch, upload it to Windows Update servers, and pray that all users download it before someone notices you.

    --
    Ezekiel 23:20