This week, a security vulnerability researcher used Twitter to blurt out information about a zero-day flaw in Windows, for some reason. So Microsoft was forced to acknowledge it, and says it will fix the flaw on the next scheduled Patch Tuesday.
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft statement explains. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”
That statement is surprisingly uncritical of the idiot who published information about the vulnerability on Twitter with a link to proof-of-concept software code on GitHub.
I am not linking to that tweet on purpose. But as The Register reports, the flaw was quickly confirmed by CERT/CC vulnerability analyst Will Dormann.
“I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system,” he tweeted. “[Local privilege escalation] right to SYSTEM!”
What really sucks here, frankly, is that the security vulnerability researcher not only tweeted information about the vulnerability publicly, without first warning Microsoft, but also apparently tried to sell that information about a month earlier.
“A Reddit user with the same name [as the Tweeter] posted a number of times on Reddit asking about ‘selling Windows 0days’,” ZDNet reports. “However, at the time of writing, the posts have been deleted.”
And that researcher has since apologized for their actions, noting that “[they] screwed up, not [Microsoft]. (they are actually a cool company). Depression sucks … Anyway, I’m done with security.”
A bewildered world thanks you for the career change.