Fresh from the Stupid Human Tricks Department. A Google engineer published attack code that exploits a zero-day vulnerability in Windows XP today, giving hackers another new way to hijack and infect systems with malware. Real security experts objected to the engineer disclosing the bug just five days after it was reported to Microsoft. In my opinion, it just proves that there is a political peeing contest going on between these two companies. Google should know better, Google staff should know better, and all “researchers” would serve the public better to use common sense and ethics, regardless of the response they get from vendors when reporting. We don’t arm the local population to increase the safety around Jane & Finch, why would providing attack vectors improve security on the Internet? Knucklehead…
Microsoft said it is investigating the vulnerability and would have more information on next steps later today. According to Tavis Ormandy who works for Google in Switzerland, hackers can leverage a flaw in Windows’ Help and Support Center, which lets users easily access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC. He posted details of the vulnerability and proof-of-concept code to the Full Disclosure mailing list on Thursday. His attack scenario works against all major browsers, including IE8 and is even easier to exploit when the machine has Windows Media Player installed, (installed by default with all versions of Windows). The attack is complicated and involves several steps, but his attack code works. Switching browsers is not a solution. “They are all equally vulnerable”.
Ormandy also slammed the concept of “responsible disclosure,” a term applied to bug reports submitted privately to vendors, giving developers time to craft a patch before the information is publicly released. “This is another example of the problems with bug secrecy. Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers.” I smell a funny barnyard smell, what about you, Tavis? How exactly is releasing attack code for an unpatchable vulnerability that impacts every XP system in the world, allowing remote code execution and backdoor insertion, and silent stealthy operation, doing me and my busines any favours, OR keeping my networks safe with all of your “hard work”?
Microsoft is not pleased with Ormandy for giving it less than a week to deal with his report. I empathize with them in this case, and will have to start viewing Google in a whole new light. What happened to “Do no evil”? Irresponsible is evil, Googlers, and it often sneaks up behind you to bite.