Slashdot Mirror
Google Researcher Issues How-To On Attacking XP
theodp writes "A Google engineer Thursday published attack code that exploits a zero-day vulnerability in Windows XP, giving hackers a new way to hijack and infect systems with malware. But other security experts objected to the way the Google engineer disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants."
...leverage a flaw in Windows' Help and Support Center...
This service is turned off be default on all systems I manage both as part of initial installation; and where possible by Group Policy. Just another parasitic service which is not necessary....because everyone just uses Google anyways.
Every mans' island needs an ocean; choose your ocean carefully.
I thought there was a big fuss a few years back about how vendors didn't respond to researchers and how they took forever to fix problems with close sourced software. So the industry decided that 5-7 days after letting a vendor know about a problem that everyone would release the information so that everyone would know about rather than just the bad guys and so system admins would know to watch for that type of attack and force the vendor to fix it in a timely manner.
Seem like this is just standard timing since vendors have gotten in the habit of ignoring researchers and not spending the time and resources to fix problems that they should have tested for in the beginning and most of the time don't want to bother fixing. Historically companies have not wanted to spend manpower and money required to fix program bugs. They more want to fix them when they get around to having the free time a few months later to fix the bugs. After all bug fixes don't make them any money. If I remember correctly there was a quote from Microsoft saying that exact thing. "People don't want bug fixes, they want new features and bells and whistles instead." So if Microsoft really feels that way then this shouldn't bother them at all, since people don't care about having bugs fixed.
The quote was from German weekly magazine FOCUS (nr.43, October 23,1995, pages 206-212). Bill Gates was being interviewed when he made statements to that effect.
If you treat program bugs as a PR issue, then don't be surprised when people use PR against you for bugs you don't want to be bothered to fixed, in a timely manner historically.
Google, like Apple, is no longer any better/different than the companies they claim to be better than (from an ethical stand point).
Did you RTFA? The Google engineer - who btw didn't use any indication that they are from google, other than the link back to code.google.com - also posted a hotfix. So... they told Microsoft 5 days ago AND GAVE THEM A FIX... If this person was from a company that wasn't a competitor, would anyone call disclosing an (NON-ZERO DAY) issue on the security list so that security professionals are aware evil, after giving MS time to see the vulnerability and test the potential fix - I'd expect a company that derives Microsoft sized revenue from their OS to have someone readily available for these issues.