Google researcher publishes zero-day flaw in Windows without prior notification


Google (NASDAQ: GOOG) researcher Tavis Ormandy has discovered a new zero-day Windows vulnerability and has published full details of the security issue, including proof-of-concept exploit code.

The problem affects Windows 7 and Windows 8, though the age of the code, which is pre-NT (20-plus years old), could mean many other versions are vulnerable.

Microsoft (NASDAQ: MSFT) has reportedly confirmed the vulnerability and is looking into it. While Microsoft says it has "detected" no attacks against this issue at the moment, that may change given that the PoC shows how an attacker can write an arbitrary value to an arbitrary memory location.

Ormandy faces criticism from other security researchers, who expressed unhappiness with the level of detail in his vulnerability announcement. As reported by InformationWeek, security researcher Oleksiuk Dmytro tweeted: "Can't get what's the problem: text description is enough to make and test your own attack idea implementation."

Ormandy also didn't give Microsoft prior notification so that it could prepare a patch, as is typically done by security researchers.

For more:
- check out this article at InformationWeek
