Feeds

Google geek slammed over XP exploit

Impatient engineer called, but you were out, you f**ker

Providing a secure and efficient Helpdesk

Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003.

The flaw is in XP's Windows Help Centre. In simple terms, Help uses a white list of approved web pages to go to in order to get help information. But a problem with this white list means it is possible to add unsafe URLs to it.

The attack exploits Internet Explorer but will work with other browsers too. It is even easier if Windows Media Player is also in use.

But far more controversial is how this information has been released by Ormandy. The usual protocol is that you tell the company and wait for a fix to be ready for download before telling the world, and hackers, about the existence of the weakness.

Ormandy chose to post the code needed to exploit the hole to an open security mailing list just five days after informing Microsoft.

His action was immediately criticised by Susan Bradley - "not an enterprise customer, but I am a mouthy female"- who wanted to know what he had heard back from Microsoft since 5 June. She suggested he should have spent a little more time getting angry with Microsoft and emailing them before posting the exploit.

Ormandy left a snotty reply explaining he didn't have time to explain disclosure to Bradley but she could research it for herself. The full post is on FullDisclosure here.

Ormandy seems to believe Microsoft, which is not exactly known for the speed of its responses to security (and many other) issues, would never have acted to patch this hole unless he, or someone else, had also provided code to exploit it.

Other observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.