Less than two weeks after Google researcher Tavis Ormandy released information about a new Windows zero-day vulnerability on the Full Disclosure mailing list and asked for help in creating an exploit, he has returned with an exploit of his own and added that another one is already in circulation.
According to The H and their associates at heise Security, the exploit works.
“If the file is opened, it launches a command line which can be used to run arbitrary commands with system privileges, irrespective of the user’s own privileges – even a guest account can be used,” they confirmed.
Microsoft will now have to scramble to push out a patch for the flaw, or at least instructions on how to mitigate the risk. Still, the good news is that the exploit code can only be used by attackers that have physical access to the target machine.
Ormandy is known for his quality research work, but also for his preference for “full disclosure” of vulnerabilities. He has been criticized for it in the past, but the criticism obviously didn’t change his mind on the matter, and his employer seems not to have a problem with it.
In fact, Google has recently stated that they were supportive of their researchers “setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug,” and that they consider 7 days to be enough for vendors to at least come up with some mitigations, such as temporarily disabling a service or restricting access.