Google researcher publishes Windows 0-day exploit
Posted on 06 June 2013.
Less than two weeks after Google researcher Tavis Ormandy released information about a new Windows zero-day vulnerability on the Full Disclosure mailing list and asked for help in creating an exploit, he has returned with one and added that there is another one already in circulation.


According to The H and their associates at heise Security, the exploit works.

"If the file is opened, it launches a command line which can be used to run arbitrary commands with system privileges, irrespective of the user's own privileges even a guest account can be used," they confirmed.

Microsoft will now have to scramble to push out a patch for the flaw or at least instructions on how the mitigate the risk. Still, the good news is that the exploit code can only be used by attackers that have physical access to the target machine.

Ormandy is known for his quality research work, but also for his preference for "full disclosure" of vulnerabilities. He has been criticized for it in the past, but the criticism obviously didn't change his mind on the matter, and his employer seems not to have a problem with it.

In fact, Google has recently stated that they were supportive of their researchers "setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug," and that they consider 7 days to be enough for vendors to at least come up with some mitigations, such as temporarily disabling a service or restricting access.









Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Sep 1st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //