Feeds

Google geek slammed over XP exploit

Impatient engineer called, but you were out, you f**ker

Top 5 reasons to deploy VMware with Tegile

Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003.

The flaw is in XP's Windows Help Centre. In simple terms, Help uses a white list of approved web pages to go to in order to get help information. But a problem with this white list means it is possible to add unsafe URLs to it.

The attack exploits Internet Explorer but will work with other browsers too. It is even easier if Windows Media Player is also in use.

But far more controversial is how this information has been released by Ormandy. The usual protocol is that you tell the company and wait for a fix to be ready for download before telling the world, and hackers, about the existence of the weakness.

Ormandy chose to post the code needed to exploit the hole to an open security mailing list just five days after informing Microsoft.

His action was immediately criticised by Susan Bradley - "not an enterprise customer, but I am a mouthy female"- who wanted to know what he had heard back from Microsoft since 5 June. She suggested he should have spent a little more time getting angry with Microsoft and emailing them before posting the exploit.

Ormandy left a snotty reply explaining he didn't have time to explain disclosure to Bradley but she could research it for herself. The full post is on FullDisclosure here.

Ormandy seems to believe Microsoft, which is not exactly known for the speed of its responses to security (and many other) issues, would never have acted to patch this hole unless he, or someone else, had also provided code to exploit it.

Other observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.