Tavis Ormandy – are you pleased with yourself? Website exploits Microsoft zero-day

Updated: Last week I railed against the irresponsible disclosure by a Google engineer of a zero-day vulnerability in Microsoft’s code.

Tavis Ormandy, a security researcher employed by Google, found a vulnerability in Windows XP’s Help and Support Center, but only gave the company five days to fix the problem before going public with details of how hackers could write malicious code to exploit it.

Windows XP Help and Support Center

In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the internet would make it easy for cybercriminals to take advantage.

Predictably enough, malicious hackers are now exploiting the zero-day vulnerability: according to a blog post by my colleague Donato Ferrante in SophosLabs, a compromised website has been found that uses the exploit to drop a Trojan horse onto unsuspecting users’ computers.

Sophos proactively detects the page as Sus/HcpExpl-A, and the Trojan horse it downloads as Troj/Drop-FS.

So my question to Mr Ormandy is this – do you feel proud of your behaviour? Do you think that you have helped raise security on the internet? Or did you put your vanity ahead of others’ safety?

A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed. Five days isn’t a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn’t cause more problems than it intends to correct.

More details on the zero-day vulnerability can be found in Microsoft’s security advisory on the subject.

Update: I’m pleased to report that the website we discovered that had been compromised by malicious hackers in order to exploit the Microsoft vulnerability has now been cleaned up. At the time of writing we haven’t seen any other websites affected by the security problem.

Meanwhile, Microsoft has issued a “Fix it” tool that reportedly helps to block known attack vectors until a proper security update is available from the firm.