Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day

Filed Under: Malware, Vulnerability

Updated: Last week I railed against the irresponsible disclosure by a Google engineer of a zero-day vulnerability in Microsoft's code.

Tavis Ormandy, a security researcher employed by Google, found a vulnerability in Windows XP's Help and Support Center, but only gave the company five days to fix the problem before going public with details of how hackers could write malicious code to exploit it.

Windows XP Help and Support Center

In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the internet would make it easy for cybercriminals to take advantage.

Predictably enough, malicious hackers are now using the zero-day vulnerability. According to a blog post by my colleague Donato Ferrante of SophosLabs, a compromised website has been found that uses the exploit to drop a Trojan horse onto unsuspecting users' computers.

Sophos proactively detects the page as Sus/HcpExpl-A, and the Trojan horse it downloads as Troj/Drop-FS.

So my question to Mr Ormandy is this - do you feel proud of your behaviour? Do you think that you have helped raise security on the internet? Or did you put your vanity ahead of others' safety?

A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed. Five days isn't a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct.

More details on the zero-day vulnerability can be found in Microsoft's security advisory on the subject.

Update: I'm pleased to report that the website we discovered that had been compromised by malicious hackers in order to exploit the Microsoft vulnerability has now been cleaned up. At the time of writing we haven't seen any other websites affected by the security problem.

Meanwhile, Microsoft has issued a "Fix it" tool that reportedly helps to block known attack vectors until a proper security update is available from the firm.
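If you administer Windows XP machines and cannot wait for the "Fix it" tool to be rolled out, the following script is an added example (not from this post, from SophosLabs, or from Microsoft) of how to check whether the vulnerable hcp:// protocol handler is still registered and, if you choose, to unregister it yourself. It assumes that Microsoft's interim workaround is to remove the HKEY_CLASSES_ROOT\HCP registry key, which is what the exploit page needs in order to reach the Help and Support Center; the parameter names and backup path are this example's own choices.

```powershell
# Added example (not from the post or from Microsoft): report whether the
# hcp:// protocol handler is registered on a Windows XP box and, with
# -Unregister, remove it as an interim workaround.
# ASSUMPTION: the advisory's workaround is to delete HKEY_CLASSES_ROOT\HCP,
# which stops hcp:// links from launching Help and Support Center.
param(
    [switch]$Unregister,                             # default is report-only
    [string]$BackupPath = "$env:TEMP\HCP-backup.reg" # where the key is saved first
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

if (-not (Test-Path $hcpKey)) {
    Write-Output 'hcp:// handler is NOT registered (workaround already applied, or not applicable).'
    return
}

# Show what the handler currently launches so you can confirm it is the
# Help and Support Center and not something a third-party product registered.
$cmd = Get-ItemProperty -Path "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue
Write-Output "hcp:// handler IS registered. Open command: $($cmd.'(default)')"

if (-not $Unregister) {
    Write-Output 'Re-run with -Unregister to apply the workaround (a .reg backup is written first).'
    return
}

# Back up the key before deleting it so the handler can be restored with
# "reg import <file>" once the proper security update is installed.
Remove-Item -Path $BackupPath -Force -ErrorAction SilentlyContinue
& reg.exe export 'HKCR\HCP' $BackupPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
    throw "Backup to $BackupPath failed; leaving the key in place."
}

Remove-Item -Path $hcpKey -Recurse -Force
Write-Output "Removed HKCR\HCP (backup at $BackupPath). hcp:// links will no longer open Help and Support Center."
```

Run it from an administrative PowerShell prompt; without -Unregister it only reports. The caveat a practitioner should weigh is that removing the key also breaks legitimate hcp:// links inside Help and Support Center until the key is imported back, so keep the backup and re-check after Microsoft's proper update is installed.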


About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.