Google researcher publishes Windows 0-day exploit
Posted on 06 June 2013.
Less than two weeks after Google researcher Tavis Ormandy released information about a new Windows zero-day vulnerability on the Full Disclosure mailing list and asked for help in creating an exploit, he has returned with one and added that there is another one already in circulation.


According to The H and their associates at heise Security, the exploit works.

"If the file is opened, it launches a command line which can be used to run arbitrary commands with system privileges, irrespective of the user's own privileges – even a guest account can be used," they confirmed.

Microsoft will now have to scramble to push out a patch for the flaw or at least instructions on how the mitigate the risk. Still, the good news is that the exploit code can only be used by attackers that have physical access to the target machine.

Ormandy is known for his quality research work, but also for his preference for "full disclosure" of vulnerabilities. He has been criticized for it in the past, but the criticism obviously didn't change his mind on the matter, and his employer seems not to have a problem with it.

In fact, Google has recently stated that they were supportive of their researchers "setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug," and that they consider 7 days to be enough for vendors to at least come up with some mitigations, such as temporarily disabling a service or restricting access.









Spotlight

Successful strategies to avoid frequent password changes

Posted on 19 August 2014.  |  After a widespread, nonspecific data breach, the conventional wisdom is that people should change all their passwords. But, there’s a better way.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Aug 20th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //