Ormandy criticised for revealing too much in Windows malware bug report

News by Tom Reeve

When security researcher Tavis Ormandy revealed a vulnerability in Microsoft's Malware Protection Engine, he published proof-of-concept code and earned himself a rebuke from Graham Cluley.

Graham Cluley has criticised Google's Project Team Zero for releasing proof of concept code along with details of a freshly discovered vulnerability in the Microsoft Malware Protection Engine.

Microsoft has issued an emergency patch ahead of its usual Patch Tuesday release because of the seriousness of the flaw.

According to Tavis Ormandy, who works for Project Team Zero and discovered the vulnerability along with Natalie Silvanovich, it is “the worst Windows remote code exec in recent memory. This is crazy bad.”

Discussing the vulnerability on Twitter, he said: “Attack works against a default install, don't need to be on the same LAN, and it's wormable.”

There's clearly no love lost between Cluley and Ormandy, with Cluley describing Ormandy's announcement as “curt” and later criticising him for releasing the proof-of-concept code. “Personally I'm unconvinced that Google publishing proof-of-concept code exploiting the flaw in Microsoft's software helps the vast majority of internet users,” he wrote on the Hot For Security blog.

Meanwhile, Ormandy has blocked Cluley on Twitter. 

However, one thing that Cluley and Ormandy could agree on was their admiration for Microsoft's response to the vulnerability.

Cluley pointed out that Microsoft issued a patch just hours before it was due to release its Patch Tuesday updates.

And Ormandy said on Twitter: “Still blown away at how quickly @msftsecurity responded to protect users, can't give enough kudos. Amazing.”

The flaw that Ormandy and Silvanovich discovered is in MsMpEng, the malware protection service that runs on many of the recent Microsoft operating systems including Windows 8, 8.1, 10, Windows Server 2012 and others.

It is also the core engine behind Microsoft Security Essentials, System Center Endpoint Protection and other products.

Attackers can trigger the vulnerability by email and instant message, even if the user doesn't open it. Writing on Chromium Bugs, Ormandy said: “On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (eg caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.”

Supporting his warning about the severity of the bug, he said: “Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service.”

MsMpEng is so vast and complex with a multitude of handlers for dozens of esoteric formats that it creates a rich attack surface for attackers, he said.
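Because Microsoft ships fixes for MsMpEng as an update to the protection engine (which arrives with definition updates rather than with the monthly patch bundle), the first question for a defender is whether a given host has actually received the updated engine. The PowerShell below is an added example, not code from the article, from Ormandy or from Microsoft. It uses the Windows Defender module's Get-MpComputerStatus cmdlet to read the current engine and signature versions and compare the engine version against a minimum; the minimum version is a placeholder, since the article does not state the fixed build number, and must be taken from Microsoft's advisory.

```powershell
# Added defender-side check (not from the article): confirm the Microsoft Malware
# Protection Engine on this host has been updated to at least a given build.
# PLACEHOLDER: replace with the fixed engine version from Microsoft's advisory.
$MinimumFixedEngineVersion = [version]'0.0.0.0'

function Test-MpEngineUpdated {
    param(
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    # Get-MpComputerStatus (Defender module, Windows 8 / Server 2012 and later)
    # reports engine, platform and signature versions plus protection state.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        SignatureVersion   = $status.AntivirusSignatureVersion
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineUpdated      = ($engine -ge $MinimumVersion)
    }
}

# Run the check and show the result; EngineUpdated is $false until the host
# has pulled an engine build at or above the minimum.
Test-MpEngineUpdated -MinimumVersion $MinimumFixedEngineVersion | Format-List
```

If EngineUpdated comes back $false, Update-MpSignature forces the host to fetch the latest definitions, which carry the engine update; re-running the check afterwards confirms the new engine is loaded. Because the fix travels through the definition channel, hosts whose definition updates are stalled (offline machines, blocked update sources) stay exposed even after Patch Tuesday, which is why this check is worth running fleet-wide rather than assuming the emergency release reached every endpoint.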

Steven Malone, director of security product management at email security firm Mimecast, commented: “Although this bug was severe, Microsoft did a good job to patch the weakness so quickly. This is a stark reminder that trusting a single layer of security to defend your email is a flawed strategy.

“Desktop security products often need high privileges in order to see everything and therefore any vulnerabilities can be particularly deadly. As email moves to cloud services such as Microsoft Office 365, incidents like this highlight that advanced security still requires a defence-in-depth strategy.” 
