Feeds

Google cyber-knight lances Microsoft for bug-hunter 'hostilities'

While revealing a Windows 0-day security flaw

Beginner's guide to SSL certificates

Top Google engineer Tavis Ormandy has slammed Microsoft for apparently treating security bug hunters with “great hostility”.

He blasted Redmond's behaviour towards those who report vulnerabilities as he publicly revealed a new unpatched security hole in the Windows operating system - a bug that can be exploited to crash systems or gain administrator privileges. The vulnerable driver is present in "all currently supported versions" of Windows, according to the Googler.

Ormandy discovered the flaw in the bezier curve-handling bit of the Win32k.sys kernel-level driver in March. However, triggering Microsoft's programming cock-up was difficult and at first the results were unpredictable.

In short, the "next" pointer in a double-linked list of graphical objects is not initialised by the kernel. By putting the Windows memory allocator under pressure, so that it reuses memory previously edited by the user, it is possible to prime this vulnerable "next" pointer so that the kernel follows it into a block of user-controlled memory. Exploiting this to write arbitrary data to sensitive areas of the system, to elevate privileges for example, is left as an exercise for the reader.

After documenting the bug, he posted his initial findings to the Full Disclosure mailing list, and published a complete dossier last week.

In a related post on his personal blog, Ormandy invited others to look into the flaw, before finishing the essay with trenchant criticism of Redmond's attitude towards computer security professionals.

“Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself,” he warned.

The Windows software giant is understood to be investigating the Win32k.sys issue highlighted by Ormandy. It's unclear if or when a possible patch may arrive. The corporation declined to respond to Ormandy's criticism, which although sincere is out of step with the opinion of many bug hunters we've spoken to over recent years: while Microsoft is praised for eventually engaging the computer security community, it's usually Oracle and Apple that are spoken about through gritted teeth.

Vulnerability management specialists Secunia warned that the flaw discovered by Ormandy can be used to launch denial-of-service assaults or elevate a local user's privilege. The danger is that the bug could be combined with other security flaws to carry out attacks remotely. Secunia classified the flaw as "less critical", which is towards the bottom end of its scale of severity.

“The vulnerability is caused due to an error within 'win32k.sys' when processing certain objects and can be exploited to cause a crash or execute arbitrary code with the kernel privilege,” Secunia noted in its advisory.

“The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected,” it added.

Ormandy has had dust-ups with other vendors over security bugs in the past. Three years ago he publicly disclosed a zero-day Windows XP Help Center security bug that he had notified Microsoft about only five days before. The flaw was far more serious than this latest coding blunder. In any case, Ormandy's antipathy towards Redmond's security gnomes is not a recent development.

Last year Ormandy went out of his way to criticise Sophos for “poor development practices and coding standards” after he found a number of vulnerabilities in its security software. Two years ago he accused Adobe of "trying to bury" scores of bugs in its Flash Player software. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.