Attackers Exploit Windows XP Bug Exposed by Google Researcher

"Like sands through the hourglass, so are the Days of Our Lives..."

This one is playing out like a steamy summer soap opera. OK, maybe it's not that good, but it's not bad for the middle of June. Attackers are exploiting a nasty little vulnerability in XP that remains un-patched (although Microsoft has offered a workaround).

Boring, right? No need for the sands through the hourglass? Well, you only know part of the story. Here's the rest: The fellow who discovered this vulnerability is a Google researcher in Switzerland. He did the right thing and notified Microsoft of the bug. Then, a few days later, he did something else. He posted the bug to a popular mailing list called Full Disclosure -- along with instructions on how to exploit (and also mitigate) it.

It's that last bit that's so interesting. The researcher said that he had to include a potential exploit in his message or nobody would have paid attention to him. Hmmm…Would that have been such a bad thing? If nobody had paid attention to him, would anybody be exploiting the hole now? Maybe not. Would Microsoft be fixing it? That's a good question.

Ultimately, Microsoft is responsible for securing its products, particularly the world's most popular operating system. So, if there's no patch for this vulnerability -- which gives attackers a method of installing malware on computers through a browser -- then it's Microsoft's responsibility to create one and distribute it as soon as possible. This is Microsoft's problem, and any negative consequences that result from it are Microsoft's fault.

But how about this guy at Google who did the responsible thing by notifying Microsoft of  the bug but sure didn't leave much time before he gave instructions on how to use it to hack XP? The Forbes article linked above quotes a researcher from security firm Sophos as saying that the Google researcher's behavior was "utterly irresponsible." That's probably not much of an overstatement. And we're guessing -- just guessing -- that this guy from Google didn't mind opening a rival's hugely popular product to attacks...and to criticism.

As for Google itself, the company has its hands in the air in innocence like a World Cup soccer player who has just tried to break his opponent's leg and is trying to get out of a red card. Here's what a Google spokesperson told Forbes about the researcher: "His personal views on disclosure don't reflect the views of his colleagues or Google's stance on disclosure as a whole."

The Google spokesperson forgot to add, "But we still find this hilarious." OK, maybe not. But, just as is often the case in soap operas (from what we hear...) nobody is coming out of this situation looking all that good (except maybe Sophos).

What's your take on disclosure of security flaws? Did the Google researcher do the right thing, or was he reckless? Speak your mind at [email protected].

Posted by Lee Pender on June 16, 2010