A Google engineer has once again disclosed a Windows flaw. In a Full Disclosure posting to the SecLists mailing list, Tavis Ormandy — an Information Security Engineer at Google — details a vulnerability in Windows 7 and Windows 8 that can be exploited by local users to gain escalated privileges. Security firm Secunia notes that the issue is "less critical" than other flaws as it's not a remotely exploitable one. Nevertheless, it appears that Ormandy has taken the full disclosure approach, stating he doesn't have "time to work on silly Microsoft code," rather than Microsoft's preferred responsible disclosure route that calls for vulnerabilities to be reported privately.
Ormandy previously revealed a serious vulnerability in Windows XP's Help and Support Center that allowed attackers to compromise machines using specially crafted websites before Microsoft had patched the bug. Google engineers regularly report flaws in Microsoft software, recently discovering over 50 percent of bugs in one of its biggest "Patch Tuesday" monthly security updates ever. Some security researchers have previously branded Ormandy "irresponsible," but his motives may be related to Microsoft's "interesting experience" of dealing with vulnerabilities. In a blog post days before his most recent disclosure, Ormandy claims Microsoft is "often very difficult to work with," advising researchers to speak to the software maker anonymously. "Microsoft treat vulnerability researchers with great hostility," he says.
"Vulnerability researchers should work closely with Microsoft..."
Graham Cluley, a senior technology consultant at Sophos, disputes Ormandy's claims. "Generally, Microsoft's security team does an excellent job," says Cluley in an email to The Verge. "Vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers." Whether or not Ormandys approach is reasonable is debatable, but Microsoft says it's investigating. "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating," said a spokesperson in a statement issued to Computerworld. "We will take the appropriate action to protect our customers."