Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day

Filed Under: Google, Malware, Microsoft, Vulnerability

Updated: Last week I railed against the irresponsible disclosure by a Google engineer of a zero-day vulnerability in Microsoft's code.

Tavis Ormandy, a security researcher employed by Google, found a vulnerability in Windows XP's Help and Support Center, but only gave the company five days to fix the problem before going public with details of how hackers could write malicious code to exploit it.

In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the internet would make it easy for cybercriminals to take advantage.

Predictably enough, malicious hackers are now using the zero-day vulnerability, according to a blog post by my colleague Donato Ferrante in SophosLabs: a compromised website has been found that uses the exploit to drop a Trojan horse onto unsuspecting users' computers.

Sophos proactively detects the page as Sus/HcpExpl-A, and the Trojan horse it downloads as Troj/Drop-FS.

So my question to Mr Ormandy is this - do you feel proud of your behaviour? Do you think that you have helped raise security on the internet? Or did you put your vanity ahead of others' safety?

A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed. Five days isn't a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct.

More details on the zero-day vulnerability can be found in Microsoft's security advisory on the subject.

Update: I'm pleased to report that the website we discovered that had been compromised by malicious hackers in order to exploit the Microsoft vulnerability has now been cleaned up. At the time of writing we haven't seen any other websites affected by the security problem.

Meanwhile, Microsoft has issued a "Fix it" tool that reportedly helps to block known attack vectors until a proper security update is available from the firm.

One Response to Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day

  1. Passer by says:

    It looks like this post pissed Tavis off enough to find multiple holes in Sophos antivirus...

About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.