Microsoft is saying that some PCs have been attacked with hackers taking advantage of a vulnerability that was originally revealed by a Google engineer. The machines affected seem to belong to corporate or government organizations.
The engineer in question, Tavis Ormandy, first made the vulnerability public back in May in a full-disclosure blog post. His actions have been criticized by industry members saying that the proper action would have been to report this privately to Microsoft so they can issue a fix before the vulnerability gets used “in the wild”. Google has distanced itself from Ormandy"s actions, saying that his method of revealing the issue was a personal choice and did not represent the company.
Now Microsoft is saying that they have seen “targeted attacks” using this particular bug, which could allow attackers to elevate their privileges on targeted machines. Microsoft has declined to comment on whether they think Ormandy’s actions have led to these attacks.
If you’re worried about attacks you should ensure that you have Automatic Updates turned on, as this vulnerability has now been patched via a Windows Update.