Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day

Filed Under: Google, Malware, Microsoft, Vulnerability

Updated Last week I railed against the irresponsible disclosure by a Google engineer of a zero-day vulnerability in Microsoft's code.

Tavis Ormandy, a security researcher employed by Google, found a vulnerability in Windows XP's Help and Support Center, but only gave the company five days to fix the problem before going public with details of how hackers could write malicious code to exploit it.

Windows XP Help and Support Center

In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the internet would make it easy for cybercriminals to take advantage.

Predictably enough, malicious hackers are now using the zero-day vulnerability according to a blog post by my colleague Donato Ferrante in SophosLabs, as a compromised website has been found that uses the exploit to drop a Trojan horse onto unsuspecting users' computers.

Sophos proactively detects the page as Sus/HcpExpl-A, and the Trojan horse it downloads as Troj/Drop-FS.

So my question to Mr Ormandy is this - do you feel proud of your behaviour? Do you think that you have helped raise security on the internet? Or did you put your vanity ahead of others' safety?

A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed. Five days isn't a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct.

More details on the zero-day vulnerability can be found in Microsoft's security advisory on the subject.

Update I'm pleased to report that the website we discovered that had been compromised by malicious hackers in order to exploit the Microsoft vulnerability has now been cleaned-up. At the time of writing we haven't seen any other websites affected by the security problem.

Meanwhile, Microsoft has issued a "Fix it" tool that reportedly helps to block known attack vectors until a proper security update is available from the firm.

, ,

You might like

3 Responses to Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day

  1. Passer by · 1070 days ago

    It looks like this post pissed Travis off enough to found multiple holes in Sophos antivirus...

  2. Ty · 480 days ago

    If you don't think these type of actions by individuals are improving overall end user security, you're a fool. Microsoft has NO ONE to hold them accountable for things other than companies like Google. Microsoft has no motive to fix these things until they are exploited.

    • Jack · 480 days ago

      You are a fool if you think this Google employee enhanced end user security by giving MS only 5 days before releasing exploit code.

      Lets see how quickly Google responds when/if their SW makes it to 9 years old (as XP was during this attack)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley