Google geek slammed over XP exploit
Impatient engineer called, but you were out, you f**ker
Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003.
The flaw is in XP's Windows Help Centre. In simple terms, Help restricts the web pages it will open to a whitelist of approved sites from which it fetches help content. But a problem with how this whitelist is enforced means it is possible to get unsafe URLs onto it.
The attack exploits Internet Explorer but will work with other browsers too. It is even easier if Windows Media Player is also in use.
But far more controversial is how this information has been released by Ormandy. The usual protocol is that you tell the company and wait for a fix to be ready for download before telling the world, and hackers, about the existence of the weakness.
Ormandy chose to post the code needed to exploit the hole to an open security mailing list just five days after informing Microsoft.
His action was immediately criticised by Susan Bradley - "not an enterprise customer, but I am a mouthy female" - who wanted to know what he had heard back from Microsoft since 5 June. She suggested he should have spent a little more time getting angry with Microsoft and emailing them before posting the exploit.
Ormandy left a snotty reply explaining he didn't have time to explain disclosure to Bradley but she could research it for herself. The full post is on the Full Disclosure mailing list.
Ormandy seems to believe Microsoft, which is not exactly known for the speed of its responses to security (and many other) issues, would never have acted to patch this hole unless he, or someone else, had also provided code to exploit it.
Other observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft. ®
Only if you give enough time for a fix.
I'm usually the last to be on MSFT's side, being an Apple fanboy and all, but five days? Even ignoring how slow MSFT (and Apple) have been to patch flaws, five days is by no means a timely fashion.
Even assuming MSFT was able to find and fix the bug instantly, there's lag involved in regression testing to ensure the patch doesn't adversely interact with the numerous permutations of setups out there. There's lag in getting the word out or to wait till Patch Tuesday. There's lag involved for sysadmins to download and find time to test the patch themselves. There's lag for actually being able to deploy the patch onto all machines.
This was not 'Here is your notice of the exploit.' This was, 'By the time you can even look, much less solve this, I'll have already released the exploit into the wild.' Yes, it bothers me as well that MSFT made yet another security hole, but two wrongs don't make a right.
not a major flaw
That particular 'feature' is one of the first things I disable when setting up a WinBox.
But he's still a twat for posting the code after waiting only 5 days.
Oh for f*cks sake
And how many days does it take to code, build, test and deploy a fix across millions of computers? Why should a snotty "security researcher" who can barely manage to be civil to other people have a say in the speed of the software development cycle of enterprise level software? Twat is still the final word on this idiot.