Google Engineer Finds Microsoft Security Flaw, Says Company is Hostile About It
May 23, 2013 10:51 AM
comment(s) - last by
Tavis Ormandy said Microsoft is difficult to work with regarding these issues
A Google engineer has called Microsoft out on a recent security flaw in the Windows operating system, and even said that the Windows creator is hostile toward third-party vulnerability researchers.
Tavis Ormandy, a Google security engineer, exposed the flaw on Full Disclosure. The Microsoft vulnerability, which was in the Windows kernel driver "Win32k.sys," was featured in a Full Disclosure mailing list on May 17.
Before that, Ormandy revealed the flaw on GitHub back in March in hopes of bringing other security researchers on board to investigate.
Ormandy said on Full Disclosure, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."
Ormandy posted on Full Disclosure yet again on Monday, saying "I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools."
Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."
Microsoft has been annoyed with Ormandy for publicly discussing vulnerabilities before they could be patched. Microsoft prefers "responsible disclosure," where security experts are asked to report flaws privately to the company.
"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with," said Ormandy. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."
This article is over a month old, voting and posting comments is disabled
Microsoft is a lazy SOB!!!
5/24/2013 12:27:54 AM
Tavis Ormandy should not have posted his program that exploits the Windows Kernel driver on GitHub. Posting on GitHub gives everybody to access the program.
Microsoft should not always use its PR speak to third-party security researchers. Microsoft should acknowledge third-party security researcher skills and figure out how severe the security threat is. An exploit that makes the kernel vulnerable is a huge major security risk. The kernel in an operating system is the main engine. This means Microsoft is not taking the exploit serious enough. Microsoft should stop what they are doing with other projects and fix it ASAP. Who cares Microsoft programmers have to work 24 hours to fix the issue. The issue is an absolute severity.
"This week I got an iPhone. This weekend I got four chargers so I can keep it charged everywhere I go and a land line so I can actually make phone calls." -- Facebook CEO Mark Zuckerberg
Microsoft Expands Free Office 365 to All College Students
September 22, 2014, 3:21 PM
Apple Adds New Password Protection for Third Party iCloud Apps
September 17, 2014, 8:50 PM
Facebook Tests Moments App, Aims to Keep Your Private Memories Private
September 17, 2014, 5:46 PM
Russian Hackers Compile List of 10+ Million Stolen Gmail, Yandex, Mailru
September 11, 2014, 11:41 AM
House Minority Leader Pelosi Criticizes FCC's "Fast-Lane" Net Neutrality Plan
September 9, 2014, 4:15 PM
Smarter Than Siri? Cortana Adds Game NFL Game Winner Prediction
September 3, 2014, 4:12 PM
Most Popular Articles
HTC Preps Nexus 9 With Nvidia K1 64-Bit "Denver" SoC, Android L Onboard
September 10, 2014, 10:21 PM
Apple iPhone 6, iPhone 6 Plus Reviews Roll In
September 16, 2014, 9:13 PM
Big Media: If You Want Privacy, You're Probably a Pirate
September 18, 2014, 2:57 PM
Apple Cripples NFC in iPhone 6, 6+ With Developer Ban
September 17, 2014, 1:00 PM
Home Depot Credit Card Theft is the Biggest in History, 55 Million Cards Stolen
September 18, 2014, 7:53 PM
Latest Blog Posts
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information