A Google security engineer has not only discovered a Windows zero-day flaw, but has also stated that Microsoft treats outside researchers with “great hostility.”
Microsoft, which is aware of the zero-day flaw affecting the Windows kernel driver Win32k.sys, is investigating the security threat. “We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating. We have not detected any attacks against this issue, but will take appropriate action to protect our customers,” Microsoft stated.
The Google security engineer, Tavis Ormandy, revealed the security flaw in a blog post and asked for help in overcoming the final obstacle to exploitation, claiming that he doesn’t have “much free time to work on silly Microsoft code.”
Ormandy has taken the “Full Disclosure” route, allowing certain people to obtain the demonstration code. “I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools,” Ormandy adds.
“Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself,” Ormandy explains.
Ormandy is no stranger to this, as he first posted details about this zero-day flaw to GitHub in March. He wanted to solicit help or entice other researchers to help investigate the flaw. That information is not available at GitHub.