Full Disclosure? 10,000 PCs infected and counting


Screenshot of Windows Help Center in Windows XP

Microsoft reported yesterday that the flaw disclosed by Tavis Ormandy in the Windows Help Center has been used to infect more than 10,000 PCs in less than one month. Update: Chris Kozlowski pointed out that these were attempts at infecting PCs, not necessarily successful infections. Thanks Chris.

While these attacks are very serious, it strikes me as some classic PR on Microsoft's part to release a statistic like this while trying to blame Google for Tavis's "irresponsible disclosure." Has Microsoft commented on the hundreds of thousands of Windows PCs infected with the ZBot Trojan? How about malicious PDFs? It seems that Microsoft is putting on the full-court press to make a point about how they want vulnerability disclosures to be handled.

I am not taking sides here, but what would seem to best serve the community is an open, honest discussion among the parties involved where we can all learn from this incident. It is difficult to strike a balance between protecting users against unpatched flaws and allowing a vendor enough time to provide a workable fix to protect those same users.

Coincidentally, this is exactly what Sophos Australia's Peter Lee and I discussed this week on Sophos Security Chet Chat. We talk in depth about reputation, disclosure, and how best to determine a course of action from the viewpoint of both the security researcher and the vendor.


On a totally unrelated note, it is Canada Day here in, well, Canada, and I would like to wish all Canadians a happy 143rd birthday. This is quite the party weekend for me; as an American living in Canada I get to celebrate my adopted land right before the stars and stripes. Check back on the 4th for another update.

Chet Wisniewski enjoying Canada Day


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.