Full Disclosure? 10,000 PCs infected and counting

Screenshot of Windows Help Center in Windows XP

Microsoft reported yesterday that the flaw disclosed by Tavis Ormandy in the Windows Help Center has been used to infect more than 10,000 PCs in less than one month. Update: Chris Kozlowski pointed out that these were attempts at infecting PCs, not necessarily successful infections. Thanks Chris.

While these attacks are very serious, it strikes me as some classic PR on Microsoft’s part to release a statistic like this while trying to blame Google for Tavis’s “irresponsible disclosure.” Has Microsoft commented on the hundreds of thousands of Windows PCs infected with the ZBot Trojan? How about malicious PDFs? It seems that Microsoft is putting on the full-court press to make a point about how it wants vulnerability disclosures to be handled.

I am not taking sides here, but what would seem to best serve the community is an open, honest discussion among the parties involved where we can all learn from this incident. It is difficult to strike a balance between protecting users against unpatched flaws and allowing a vendor enough time to provide a workable fix to protect those same users.

Coincidentally, this is exactly what Sophos Australia’s Peter Lee and I discussed this week on Sophos Security Chet Chat. We talk in depth about reputation, disclosure, and how best to determine a course of action from the viewpoint of both the security researcher and the vendor.

On a totally unrelated note, it is Canada Day here in, well, Canada, and I would like to wish all Canadians a happy 143rd birthday. This is quite the party weekend for me; as an American living in Canada I get to celebrate my adopted land right before the stars and stripes. Check back on the 4th for another update.

Chet Wisniewski enjoying Canada Day