Google researcher outs zero-day exploit in Windows XP

new-google-logo

On June 5th, Google researcher Tavis Ormandy notified Microsoft of a very serious bug in the Windows Help and Support Center of Windows XP. The report Ormandy provided to Microsoft detailed how arbitrary code could be executed by a remote attacker, and included a proof of concept exploit. Five days later, on June 10th, Ormandy released the vulnerability details to the public. The decision to divulge the exploit has sparked a debate about how such matters should be handled, and what responsibility, if any, security experts have. Orandy explains, “if I had reported the…issue without a working exploit, I would have been ignored,” he also went onto say that “responsible disclosure” was a farce, a tool used by companies to buy themselves time. “Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers,” Ormandy wrote. Security experts are weighting in on the situation with all sort of opinions. One camp is describing Orandy’s as, and engineer “going off half-cocked,” others see it as a clear shot ar Microsoft from Google. Either way, the zero-day exploit is now public knowledge and has the attention that Ormandy originally wanted. What do you think? A frustrated security engineer or a shot directly at Microsoft?

Read

blog comments powered by Disqus