Google researcher discloses zero-day exploit for Windows
Google security expert Tavis Ormandy has discovered a security vulnerability in Windows which can be exploited by any user on the system to obtain administrator privileges. Rather than reporting the vulnerability to Microsoft, he posted details to the Full Disclosure security mailing list in mid-May and has now published an exploit to the same mailing list.
With this latest vulnerability, Ormandy once more opted for full disclosure on the mailing list of the same name. After discovering a bug in the Windows kernel's EPATHOBJ::pprFlattenRec function, he wrote to the list: "I don't have much free time to work on silly Microsoft code" and solicited ideas on how to successfully exploit the bug. With the help of user progmboy, Ormandy then developed a privilege escalation exploit which he shared with the mailing list, noting that another exploit was already in circulation.