SOFTWARE HOUSE Microsoft has admitted that hackers are exploiting a bug in Windows that was discovered by a Google researcher over two months ago.
In what must be a sore subject for Microsoft, the firm issued a warning about the exploit in its latest security bulletin summary for July, confessing that it is aware of targeted attacks that take advantage of the flaw.
"This vulnerability has been publicly disclosed. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability as an elevation of privilege vulnerability," the firm said in the Exploitability Index of a Technet post as part of patch CVE-2013-3660 in Bulletin ID MS13-053.
The vulnerability has now been patched as part of Microsoft's Patch Tuesday for July, but Google security engineer Tavis Ormandy initially discovered the flaw and posted it online two months ago in a full disclosure blog before notifying Microsoft of the issue.
Ormandy said the bug relates to a "silly" piece of Microsoft code used in Windows 7 and Windows 8. It is unknown whether the flaw was exploited because of Ormandy's public announcement before Microsoft had a chance to patch it.
We contacted Microsoft for a comment regarding the matter, but it wasn't available at the time of publication. Ormandy isn't mentioned in the advisory as credited with finding the vulnerability. That's probably because he didn't work within Microsoft's responsible disclosure guidelines.
The firm said its patch for the bug resolves two publicly disclosed and six privately reported vulnerabilities in Windows. "The most severe vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files", Microsoft said.
Ormandy's post has since caused heated debate about the nature of full disclosure in the security community. For example, while some security professionals believe that full disclosure policies help improve the world's security, others believe that the practice is irresponsible as it alerts cyber criminals to the flaw before the company has had time to react.
Security researcher Graham Cluley said that Tavis Ormandy should have acted responsibly and refrained from publishing details about the security vulnerability until Microsoft had a patch available.
"His public disclosure of the flaw long before Microsoft was able to publish a fix has put innocent people and companies at risk," Cluley said.