Google researcher publishes zero-day flaw in Windows without prior notification
Google (NASDAQ: GOOG) researcher Tavis Ormandy has discovered a new zero-day Windows vulnerability and has published full details of the security issue, including proof-of-concept exploit code.
The problem affects Windows 7 and Windows 8, though the age of the code (pre-NT, 20-plus years old) could mean many other versions are vulnerable.
Microsoft (NASDAQ: MSFT) has reportedly confirmed the vulnerability, and is looking into it. While Microsoft says it has "detected" no attacks against this issue at the moment, things may change given that the POC shows how an attacker can write an arbitrary value to an arbitrary memory location.
Ormandy faces criticism from other security researchers, who expressed unhappiness at the level of detail in his vulnerability announcement. As reported by InformationWeek, security researcher Oleksiuk Dmytro tweeted: "Can't get what's the problem: text description is enough to make and test your own attack idea implementation."
Ormandy also didn't give Microsoft prior notification so that it could prepare a patch, as is typically done by security researchers.
- check out this article at InformationWeek