Google Researcher Issues How-To On Attacking XP

theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."

Negative.

He waited five days without even receiving a response from MS. I'd have done the same thing he did.

Re:Negative.

[SanityInAnarchy]

Microsoft was informed about this vulnerability on 5-Jun-2010, and they confirmed receipt of my report on the same day.

So they did respond. They just didn't fix it in five days:

Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.

That's what he was complaining about, and I think it's a legitimate complaint.

Re:Irresponsible

[axl917]

Could he be sued for this by someone who gets infected?

Don't be stupid. It isn't the messenger's fault.

Zero days notice

[RulerOf]

I have been led to believe that "Zero-day" refers to the amount of time that exists between public knowledge of an exploit and when you see it being used in the wild.

If, for example, you heard about this exploit today, and the same exploit was WTFPWNing computers today, then it is, by definition, a "Zero-day exploit."

It's kind of like "hacker" though, and gets thrown around to mean all sorts of shit that it does not.

Re:Thanks Google

5 days is plenty of time to issue a patch, even if it just closes the hole while a proper fix is worked on.

You live in a dream world. Yes, 5 days is fine if you have a non-os product that isn't part of an ecosystem with millions of applications running on it. For example to patch something like a text editor - 5 days is probably enough. But a responsible company with millions of installs (Microsoft, Apple) isn't going to rush something out that would break more than it fixes. That would be stupid.

Re:Thanks Google

[Xest]

That depends on the company.

Sure some companies don't give a fuck about incompatability caused by updates and that sort of thing, however MS very much does.

Further, as they have such a large share of the desktop and server market that depends on working it would be irresponsible of them to throw out a patch in a mere 5 days that can't have been fully tested with countless configurations and ended up causing more harm to customers machines than if they'd just not bothered to patch at all.

You can't reasonably build and test a patch that has minimal effect on your customer base in 5 days when your customer base is as large and varied as Microsoft's.

Re:They did no evil

[gad_zuki!]

Im sure his hotfix and one man testing matches MS's extensive testing. Seriously, do you think any company would just release this fix immediately without serious testing?

Re:Do no evil

[gad_zuki!]

>Whatever it takes to damage Microsoft is okay with me.

This doesnt punish MS, it punishes end users and admins. Sadly, this fact doesnt matter to those who are just full of MS hate.

Re:Do no evil

[master_p]

It only punishes end users and admins in the short term. When these people are fed up with Microsoft, they will turn elsewhere, and then Microsoft will be hurt.