Monday, November 29, 2010

Hackers exploit unpatched Windows XP security hole

Hackers are actively exploiting a Windows XP security hole that Tavis Ormandy, a Google security
engineer based in Switzerland, publicly released detailed information about on June 10. Ormandy
discovered the issue, a flaw in the Windows Help and Support Center, the component that gives
users access to Microsoft help content and lets them launch remote support applications. The
flaw lets an attacker take control of a computer by luring the user to a malicious web page that
contains code to exploit the hole; because the attack reaches Help Center through its hcp://
URL handler rather than through a browser plugin, it works with any browser.
The Google engineer had been in contact with Microsoft to notify them of the vulnerability and
to ask that a patch be developed. He has said that he released the information because he felt
Microsoft was acting irresponsibly by not committing to produce a fix for the problem within
60 days.
Ormandy had been cooperating with Microsoft after notifying them of the vulnerability on
June 5, but reportedly became frustrated with their progress after five days of negotiating
over a fix. On June 10, Ormandy released the details of the vulnerability, complete with working
exploit code, publicly via the Full Disclosure mailing list. “This is another example of
the problems with bug secrecy (or in PR speak, ‘responsible disclosure’),” Ormandy said.
“Those of us who work hard to keep networks safe are forced to work in isolation without
the open collaboration with our peers.”
“We were in the early phases of the investigation and communicated [to him] on 6/7 that we
would not know what our release schedule would be until the end of the week,” said Jerry Bryant,
Microsoft’s group manager of response communications. “We were surprised by the public
release of details.”
Some security experts say it was unreasonable of Ormandy to expect Microsoft to
develop a fix within the five-day period. Graham Cluley, a senior technology consultant
for Sophos antivirus, calls the release of the information “utterly irresponsible,” and said,
“Five days isn’t enough time to expect Microsoft to develop a fix, which has to be tested
thoroughly to ensure it doesn’t cause more problems than it intends to correct.”
Microsoft has told customers that Windows XP and Windows Server 2003 are the affected versions
(Windows Vista and later are not affected), and has published Security Advisory 2219475 about
the issue. It has also released a temporary workaround via Microsoft Fix It, which unregisters
the hcp:// protocol handler so that web pages can no longer reach the vulnerable Help Center
code, until a patch is available. The trade-off is that Help and Support links that rely on
hcp:// stop working while the workaround is in place, so it should be reverted once the patch
is installed.
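The following PowerShell script is an added example, not code from the original post and not Microsoft's Fix It package. It checks whether the hcp:// handler is still registered and, with the -Apply switch, performs the same change the advisory's manual workaround describes (backing up and then deleting HKEY_CLASSES_ROOT\HCP). The backup file location is an assumption chosen for illustration; run it from an elevated prompt.

```powershell
# Added example: check for, and optionally apply, the "unregister hcp://" workaround.
# Not from the original post or from Microsoft's Fix It; based on the manual
# workaround of deleting HKEY_CLASSES_ROOT\HCP. Run as Administrator.
param(
    [switch]$Apply,
    # Assumed location for the registry backup; change to taste.
    [string]$BackupPath = (Join-Path $env:TEMP 'HCP-protocol-backup.reg')
)

$hcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'   # PowerShell path to the key
$hcpKeyName = 'HKEY_CLASSES_ROOT\HCP'             # same key as reg.exe wants it

function Test-HcpHandlerRegistered {
    # Web pages can only invoke Help Center through hcp:// while this key exists;
    # the workaround simply removes it, so its presence is the check that matters.
    return (Test-Path $hcpKey)
}

if (Test-HcpHandlerRegistered) {
    Write-Host 'hcp:// handler is registered: workaround NOT applied.'
    if ($Apply) {
        # Keep a restorable copy first; 'reg import <file>' undoes the change
        # once the real patch is installed and Help Center links are wanted back.
        if (Test-Path $BackupPath) { Remove-Item -Path $BackupPath -Force }
        & reg.exe export $hcpKeyName $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
            throw "Registry backup failed; refusing to delete $hcpKeyName."
        }
        Remove-Item -Path $hcpKey -Recurse -Force
        Write-Host "Deleted $hcpKeyName (backup saved to $BackupPath)."
    }
} else {
    Write-Host 'hcp:// handler is not registered: workaround appears to be applied.'
}
```

Without -Apply the script only reports state, which makes it usable as a quick audit across a fleet; with -Apply it refuses to delete the key unless the export succeeded, so a machine is never left without a way to restore Help Center links after patching.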
On one hand, I believe that Ormandy’s release of the information was unprofessional at best.
On the other hand, I can see how the fact that Microsoft couldn’t say within five days that they’d
have a solution within 60 days would be frustrating. Blog posts about the issue seem to be
siding with Microsoft, with many railing against Ormandy’s actions.
