Pender's Blog


Attackers Exploit Windows XP Bug Exposed by Google Researcher

"Like sands through the hourglass, so are the Days of Our Lives..."

This one is playing out like a steamy summer soap opera. OK, maybe it's not that good, but it's not bad for the middle of June. Attackers are exploiting a nasty little vulnerability in XP that remains unpatched (although Microsoft has offered a workaround).

Boring, right? No need for the sands through the hourglass? Well, you only know part of the story. Here's the rest: The fellow who discovered this vulnerability is a Google researcher in Switzerland. He did the right thing and notified Microsoft of the bug. Then, a few days later, he did something else. He posted the bug to a popular mailing list called Full Disclosure -- along with instructions on how to exploit (and also mitigate) it.

It's that last bit that's so interesting. The researcher said that he had to include a potential exploit in his message or nobody would have paid attention to him. Hmmm... Would that have been such a bad thing? If nobody had paid attention to him, would anybody be exploiting the hole now? Maybe not. Would Microsoft be fixing it? That's a good question.

Ultimately, Microsoft is responsible for securing its products, particularly the world's most popular operating system. So, if there's no patch for this vulnerability -- which gives attackers a method of installing malware on computers through a browser -- then it's Microsoft's responsibility to create one and distribute it as soon as possible. This is Microsoft's problem, and any negative consequences that result from it are Microsoft's fault.

But how about this guy at Google who did the responsible thing by notifying Microsoft of the bug but sure didn't leave much time before he gave instructions on how to use it to hack XP? The Forbes article on the episode quotes a researcher from security firm Sophos as saying that the Google researcher's behavior was "utterly irresponsible." That's probably not much of an overstatement. And we're guessing -- just guessing -- that this guy from Google didn't mind opening a rival's hugely popular product to attacks...and to criticism.

As for Google itself, the company has its hands in the air in innocence like a World Cup soccer player who has just tried to break his opponent's leg and is trying to get out of a red card. Here's what a Google spokesperson told Forbes about the researcher: "His personal views on disclosure don't reflect the views of his colleagues or Google's stance on disclosure as a whole."

The Google spokesperson forgot to add, "But we still find this hilarious." OK, maybe not. But, just as is often the case in soap operas (from what we hear...) nobody is coming out of this situation looking all that good (except maybe Sophos).

What's your take on disclosure of security flaws? Did the Google researcher do the right thing, or was he reckless? Speak your mind at

Posted by Lee Pender on 06/16/2010 at 1:23 PM

