A Google security engineer has not only discovered a Windows zero-day flaw, but has also stated that Microsoft has a knack of treating outside researchers with great hostility.
Tavis Ormandy, a Google security engineer, exposed the flaw on Full Disclosure, that could be used to crash PCs or gain additional access rights. The issue is less critical than other flaws as it's not a remotely exploitable one.
Ormandy said on Full Disclosure, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation.".
He's been working on it for months, and according to a later post, he has now a working exploit that "grants SYSTEM on all currently supported versions of Windows."
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
"I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools," Ormandy adds.
Microsoft acknowledged the vulnerability late Tuesday. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating"
Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."
Security company Secunia has also picked up on the flaw, saying it could be used in a privilege escalation attack, or a denial of service hit. "The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected."
Ormandy had first published information about the vulnerability in March to GitHub in an effort to solicit help or entice other researchers to investigate.