Hackers use publicly posted bug info

Written by Unknown on Wednesday, 10 July 2013 | 23.58

10 July 2013 Last updated at 07:33 ET

An Internet Explorer bug publicised by a Google engineer has been exploited by hackers, according to Microsoft.

The firm flagged "targeted attacks" in its latest security bulletin.

It did not, however, draw a direct link to researcher Tavis Ormandy, who revealed the flaw in May without discussing it first with Microsoft.

Microsoft released a fix several days after the revelation. It was not the first time Mr Ormandy had gone public with Microsoft bugs.

The engineer's most recent post on the Full Disclosure site was criticised by a security expert, because he not only mentioned the existence of the bug but actually provided technical details of the vulnerability in Windows 7 and Windows 8 that could be exploited by hackers.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," the software maker posted on its Security Bulletin page.

Microsoft explained that the vulnerability could allow an attacker to "gain the same user rights as the current user", permitting a hacker to change their target's PC settings.

Acting in his own personal capacity and not as a Google employee, Mr Ormandy initially revealed the flaw on 17 May.

He then asked for help in dealing with the issue. "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation," he wrote on the site.

Three days later, the engineer posted on Full Disclosure again, this time offering the full demonstration code.

"I have a working exploit that grants system on all currently supported versions of Windows," he wrote. "Code is available on request to students from reputable schools."

Irresponsible behaviour?

In a blog post shortly before the disclosure, Mr Ormandy wrote that Microsoft was "often very difficult to work with".

He also advised researchers to use pseudonyms when dealing with the software giant, adding that Microsoft treated "vulnerability researchers with great hostility".

In 2010, Mr Ormandy also posted publicly about a flaw in Windows XP - just five days after informing Microsoft about it.

Graham Cluley, an independent analyst who previously worked for security firm Sophos, said back then that the revelation had left people "wondering whether this was a responsible way for a Google employee to behave".

"I'm sure, however, that they would rather have fixed this vulnerability behind closed doors, without exploit code circulating in the wild, and would have preferred if this Google engineer had acted responsibly," he added.

