Microsoft issued the warning in its latest security advisory, saying that without the patch hackers could theoretically use the flaw to increase their privileges, thus wresting control of the device from the end user.
The flaw was originally discovered and posted publicly online by Google security engineer Tavis Ormandy on the full disclosure blog in May. Ormandy said the bug relates to a "silly" piece of code from Microsoft, used in Windows 7 and Windows 8.
It was unclear whether the flaw had been actively exploited by criminals prior to Ormandy's post, though Microsoft has since confirmed detecting numerous targeted attacks aimed at it. The details of the attacks and the potential damage caused remain unknown, and at the time of publishing Microsoft had not responded to V3's request for comment.
The post has since caused a heated debate about the nature of full disclosure within the security community. Experts who practise a full disclosure policy believe that publicly posting any security flaws they discover helps improve the world's security, forcing the parties involved to fix the flaws sooner rather than later. Others believe the practice is irresponsible, as it alerts cyber criminals and black hats to the flaw before the company has had time to react.
Ormandy is one of many Google engineers to support the full disclosure philosophy. Prior to his disclosure, Google security engineers Chris Evans and Drew Hintz threw down a gauntlet to companies, saying they would give them just seven days to come clean on any zero-day vulnerabilities they discover before making them public.