PCs attacked after Google worker revealed Microsoft bug

Image: Microsoft Windows 8 interface. Caption: This was not the first time Tavis Ormandy had revealed security flaws in Windows

A Windows bug publicised by a Google engineer has been exploited by hackers, according to Microsoft.

The firm flagged "targeted attacks" in its latest security bulletin.

It did not, however, draw a direct link to researcher Tavis Ormandy, who revealed the flaw in May without discussing it first with Microsoft.

Microsoft released a fix several days after the revelation. It was not the first time Mr Ormandy had gone public with Microsoft bugs.

The engineer's most recent post on the Full Disclosure site was criticised by a security expert, because he not only mentioned the existence of the bug but actually provided technical details of the vulnerability in Windows 7 and Windows 8, among other versions of the system, that could be exploited by hackers.

"This security update resolves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files," the software maker posted on its Security Bulletin page.

Microsoft explained that the vulnerability could allow an attacker to "take complete control of an affected system".

Acting in his own personal capacity and not as a Google employee, Mr Ormandy initially revealed the flaw on 17 May.

He then asked for help in dealing with the issue. "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he wrote on the site.

Three days later, the engineer posted on Full Disclosure again, this time offering the full demonstration code.

"I have a working exploit that grants system on all currently supported versions of Windows," he wrote. "Code is available on request to students from reputable schools."

Irresponsible behaviour?

In a blog post shortly before the disclosure, Mr Ormandy wrote that Microsoft was "often very difficult to work with".

He also advised researchers to use pseudonyms when dealing with the software giant, adding that Microsoft treated "vulnerability researchers with great hostility".

In 2010, Mr Ormandy also posted publicly about a flaw in Windows XP - just five days after informing Microsoft about it.

Graham Cluley, an independent analyst who previously worked for security firm Sophos, said back then that the revelation had left people "wondering whether this was a responsible way for a Google employee to behave".

"I'm sure, however, that they would rather have fixed this vulnerability behind closed doors, without exploit code circulating in the wild, and would have preferred if this Google engineer had acted responsibly," he added.
