Google Information Security Engineer Tavis Ormandy publicly disclosed a bug in the Windows operating system in May, and Microsoft now claims there have been "targeted attacks" using the vulnerability. In a security bulletin issued on Tuesday, the software maker notes it was made aware of attackers using the bug to elevate security privileges in Windows. "Microsoft detected targeted attacks after the issue described by CVE-2013-3660 became publicly known," says Microsoft's Dustin Childs in a statement issued to The Verge. Targeted attacks is a term usually used to describe malicious malware or threats to specific industry's or organizations.
Ormandy, who claims Microsoft is difficult to work with, revealed the bug publicly in a full disclosure post before a fix was made available. Microsoft doesn't credit Ormandy in its security bulletin acknowledgement section, instead it lists several security researchers and a different Google engineer for disclosing a number of related vulnerabilities privately. It's not unusual for Google engineers to privately report vulnerabilities in Microsoft software, but Ormandy has previously revealed a Windows XP bug publicly and was branded "irresponsible" by some as a result. Like this latest vulnerability, the previous publicly disclosed flaw was exploited before Microsoft issued a patch.
Microsoft's not acknowledging Ormandy directly
Graham Cluley, an independent security researcher who previously worked at Sophos, says "vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers." Microsoft is not commenting further about Ormandy's disclosures.