Google engineer criticized for release of XP exploit code

James Delahunty
11 Jun 2010 22:17

A Google engineer has been targeted with harsh criticism from security researchers everywhere for releasing code to exploit a vulnerability in Microsoft operating systems.
Tavis Ormandy has been criticized for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003.
Critics take issue with Ormandy releasing the code needed to exploit the vulnerability five days after he alerted Microsoft to the problem. Generally, a software vendor is alerted to a problem first, and only once a patch has been prepared and is available for end users to download and install is the vulnerability made public in all its details.
Microsoft Corp. is not known for fixing such issues quickly, and doesn't often release such updates outside of its normal "Patch Tuesday" schedule. Ormandy, according to his own writing afterward, didn't seem convinced that Microsoft would actually fix the problem unless there was exploit code freely available in the wild as motivation to do so.
The probable main reason Ormandy's actions prompted such a backlash is his link with Google, whose relations with Microsoft have only grown more sour of late.
Specifically, the problem is with the Help Center in Windows. The Windows Help Center uses a white list of approved web pages to which it sends users for assistance, but a flaw would allow unsafe URLs to be added to the white list.
