
Microsoft says PCs were attacked after Google engineer's public Windows bug disclosure


Google information security engineer Tavis Ormandy publicly disclosed a bug in the Windows operating system in May, and Microsoft now claims there have been "targeted attacks" using the vulnerability. In a security bulletin issued on Tuesday, the software maker notes it was made aware of attackers using the bug to elevate privileges in Windows. "Microsoft detected targeted attacks after the issue described by CVE-2013-3660 became publicly known," says Microsoft's Dustin Childs in a statement issued to The Verge. "Targeted attacks" is a term usually used to describe malware or threats aimed at specific industries or organizations.

Ormandy, who claims Microsoft is difficult to work with, revealed the bug publicly in a full-disclosure post before a fix was made available. Microsoft doesn't credit Ormandy in the acknowledgements section of its security bulletin; instead it lists several security researchers and a different Google engineer for privately disclosing a number of related vulnerabilities. It's not unusual for Google engineers to privately report vulnerabilities in Microsoft software, but Ormandy has previously revealed a Windows XP bug publicly and was branded "irresponsible" by some as a result. Like this latest vulnerability, that earlier publicly disclosed flaw was exploited before Microsoft issued a patch.

Microsoft's not acknowledging Ormandy directly

Graham Cluley, an independent security researcher who previously worked at Sophos, says "vulnerability researchers should work closely with Microsoft to fix problems responsibly, rather than risking assisting malicious hackers." Microsoft is not commenting further about Ormandy's disclosures.
