Microsoft has warned that Windows computers have been targeted by hackers who are accessing the operating systems via an exploit originally made public by a Google employee.
In its latest 'Patch Tuesday' advisory, Microsoft said that among the vulnerabilities it had fixed was one which was being actively exploited and targeting Windows PCs - and which had first been flagged up in May by a Google employee. While Microsoft gave very few details about the attacks, or how many PCs have been infected by malware targeting the vulnerability, it did say PCs had been the subject of "targeted attacks," which are typically launched against corporate or government targets with espionage as the motive.
The cyber-attacks used an exploit originally discovered in May by Google engineer Tavis Ormandy, who publicised his findings in a blog post. Since Ormandy published the exploit before Microsoft had created a patch for the vulnerability, he may have alerted hackers to its presence, allowing them to attack Windows computers.
"You have to ask yourself if the public disclosure of this vulnerability before Microsoft was ready to protect against it was really to the benefit of internet users," wrote cyber-security expert Graham Cluley. "Of course, Tavis Ormandy doesn't believe he was acting irresponsibly. His argument is that users can better protect themselves if information about vulnerabilities, and how to exploit them, is available for all.
"Others, like me, believe that security researchers should engage responsibly with software firms to get problems fixed before revealing details of how they can be exploited," Cluley continued. "The antics of some researchers always leave me with the impression that they are more interested in showing the world how clever they are - rather than doing what's right for the majority of internet users."
In defence of his publicising the exploit, Ormandy said he had found Microsoft's security team "difficult to work with", claiming that the company treats vulnerability researchers "with great hostility."
"I wish that Microsoft and Ormandy could find a way of working more reasonably with each other so that vulnerabilities can only be disclosed in a responsible fashion, once a patch is available," said Cluley.
Microsoft has since created a patch to fix the vulnerability and is advising Windows users to download it from the Microsoft Update Services page. The company has not provided details on how many computers may have been affected.