Hackers exploit unpatched Windows XP security hole

Hackers are currently exploiting a Windows XP security hole that Tavis Ormandy, a Swiss-based Google security engineer, publicly released detailed information about last week. Ormandy discovered the issue, a flaw in the Windows Help and Support Center, the component that provides easy access to downloaded Microsoft help files and launches remote support applications. It enables hackers to take control of a computer by luring users to malicious websites that contain code to exploit the hole, and it works with any browser.

The Google engineer had been in contact with Microsoft to notify them of the vulnerability and request that a patch be developed. He has stated that he released the information because he thought Microsoft was displaying irresponsibility by not committing to produce a fix for the problem within a 60-day period.

Ormandy had been working and cooperating with Microsoft after notifying them of the vulnerability on June 5th, but reportedly became frustrated with their progress after five days of negotiating a fix. On June 10, Ormandy released the details of the vulnerability, complete with working code, publicly via the Full Disclosure Mailing List. "This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy said. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers."

"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week," said Jerry Bryant, Microsoft's group manager of response communications. "We were surprised by the public release of details."

Security experts are saying that it was unreasonable of Ormandy to expect Microsoft to develop a fix within the five-day period. Graham Cluley, a senior technology consultant for Sophos antivirus, calls the release of the information "utterly irresponsible," and said, "Five days isn't enough time to expect Microsoft to develop a fix, which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct."

Microsoft has reiterated to customers that Windows XP is the only OS affected by the issue, and has released an official security advisory about it. They have also released a temporary workaround via Microsoft Fix It until a more permanent solution is in place.

On one hand, I believe that Ormandy's release of the information was unprofessional at best. On the other hand, I can see how the fact Microsoft couldn't say within 5 days that they'd have a solution within 60 days would be frustrating. Blog posts about the issue seem to be siding with Microsoft, with many railing against Ormandy's actions.