A Google security expert who has clashed with Microsoft in the past over how it discloses Windows security flaws is at it again.
Tavis Ormandy, an information security engineer at Google, has found what he’s calling “a pretty obvious bug” in Windows 7 and Windows 8.
On Monday, Ormandy posted detailed information about it to Full Disclosure, a mailing list for security experts.
Ormandy said he has written code that attackers could use to trigger the flaw, what security circles call a “working exploit”.
He isn’t releasing it to the public, but says it is “available on request to students from reputable schools.” In context, that means other security researchers, not college students.
Ormandy first published details about the Windows bug on GitHub, a site that lets developers collaborate on projects, in March. But he hasn’t said whether he reached out to Microsoft first, and reporting a flaw privately to the vendor before publishing is the standard procedure in these situations.
Microsoft says it’s aware of Ormandy’s latest Windows flaw and is investigating.
“We have not detected any attacks against this issue, but will take appropriate action to protect our customers,” Dustin Childs, a group manager in Microsoft’s Trustworthy Computing unit, told Business Insider in an email.
We’ve reached out to Ormandy to see if he contacted Microsoft before his May 17 post to the Full Disclosure list. We’ve also reached out to Google for comment.
As Windows security flaws go, this isn’t a critical one: attackers can’t use it on its own to take control of a machine over an Internet connection, so it is only useful to someone who already has code running on the target. Still, because so many people use Windows, Microsoft will probably fix this bug soon.
Security researchers usually contact the vendor first before they talk publicly about a bug they’ve found. But Ormandy and Microsoft have a rocky history.
In 2010, Ormandy discovered a previously unknown bug in Windows XP’s Help and Support centre, and posted a working exploit to the web five days after telling Microsoft about it.
Hackers quickly figured out how to use it, and began attacking Windows XP PCs.
Microsoft, which released an emergency fix for the bug, wasn’t pleased. This sparked a big IT industry debate about how long researchers should wait after informing a vendor about a security flaw before going public with it.
Ormandy, in a post to his personal blog last week, warned security researchers that Microsoft typically reacts to bug reports with “great hostility” and is “very difficult” to work with. They should only submit reports anonymously, he said.