ID: IRCNE2013071902
Date: 2013-07-13
Accordig to “ComputerWorld”, Microsoft this week said a vulnerability that was disclosed by a Google security engineer in May, had been exploited in the wild before they were patched on Tuesday.
"Microsoft was aware of this vulnerability being used to achieve elevation of privilege in targeted attacks," the firm said in a security bulletin Tuesday that covered eight flaws in Windows' kernel-mode drivers -- one of them the vulnerability revealed two months before by Google researcher Tavis Ormandy.
Ormandy, who has had a contentious relationship with Microsoft for years, posted information about a then-unpatched bug in Windows on May 17. At the time, Ormandy called Microsoft's code "silly" and claimed that the Google rival had treated outside researchers with "great hostility" and was "very difficult to work with."
While Ormandy did not publicly reveal a working exploit, attack code was released soon after his disclosure.
On Tuesday, Microsoft said that the vulnerability Ormandy discussed was theoretically a critical flaw that hackers could use to plant malware on Windows PCs without users' knowledge, but asserted that most attacks would fail to meet that bar and instead would only let attackers gain additional access rights to a machine, making it less of a threat.
Microsoft patched the bug with MS13-053, one of six security updates released this week.
Related Posts:
Microsoft Patch Tuesday: Windows 8, Internet Explorer, Office, Visual Studio, Lync are all vulnerable
- 2