Google researcher uncovers Microsoft Support flaw

14 June 2010

Google security researcher Tavis Ormandy warned Microsoft of the flaw on Saturday, but took it public just five days later, releasing proof-of-concept exploit code on the Full Disclosure mailing list.

Microsoft has since acknowledged the flaw, which affects the Windows Help and Support Centre functions in Windows XP and Windows Server 2003. It doesn’t appear to affect any other operating system.

 


While the exploit works regardless of the browser being used, older versions of Internet Explorer running Media Player are most vulnerable.

Despite the flaw being made public, Microsoft said it had not yet seen any attacks.

Responsible disclosure?

Ormandy claimed that he had to publish the details of the flaw, as “without a working exploit, I would have been ignored.”

“This is another example of the problems with bug secrecy (or in PR speak, ‘responsible disclosure’), those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots,” Ormandy claimed.

Microsoft disagreed, saying that the software vendor who created the code “is in the best position” to understand and fix a flaw.

“While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented,” said security centre director Mike Reavey in a post on the Microsoft blog. “In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.”

Microsoft has offered its own workaround on its security site, and is working on creating a patch to fix the flaw.
