Tavis Ormandy, one of Google's developers, published information on a 0-day vulnerability in Windows without informing Microsoft about the existing flaw.
After discovering the vulnerability in the Windows kernel’s EPATHOBJ::pprFlattenRec function, he wrote to the list: “I don't have much free time to work on silly Microsoft code” and asked other IT specialists to find a way to exploit the bug. With the help of user progmboy, Ormandy then developed a privilege escalation exploit, which he shared with the mailing list, noting that another exploit was already in circulation.
The researcher released the exploit on Full Disclosure on Sunday, three weeks after publishing details about the flaw along with a request for help finding a more reliable way to exploit it.
This is not the first case of its kind. Three years ago, Microsoft criticized Ormandy’s publication of a vulnerability 4 days after the company was told about it.