Miscreants Exploit Google-Outed Windows XP Zero-Day
CWmike writes "A compromised website is serving an exploit of the bug in Windows' Help and Support Center, identified by a Google engineer last week, to hijack PCs running Windows XP. Graham Cluley, a senior technology consultant at antivirus vendor Sophos, declined to identify the site, saying only that it was dedicated to open source software. 'It's a classic drive-by attack,' said Cluley. The tactic was one of two that Microsoft said last week were the likely attack avenues. (The other was convincing users to open malicious e-mail messages.) The vulnerability was disclosed last Thursday by Google security engineer Tavis Ormandy, who also posted proof-of-concept attack code. Ormandy defended his decision to reveal the flaw only five days after reporting it to Microsoft. Cluley called Ormandy's action 'utterly irresponsible,' and in a blog post asked, 'Tavis Ormandy — are you pleased with yourself?'"
"This kind of behavior is childish at best, but in my opinion borders on criminal."
You think that exposing a problem with software is "borderline criminal"? When a vulnerability like this gets released it will generally result in the creation of some kind of malware. You seem to think that the solution is simply to make it illegal to know about it.
I realize that you probably don't understand what it's like to manage a network of computers that actually has to work reliably without relying on the vendor to do all your work for you, but it's your job to disable vulnerable services and properly secure your network. It's not the vendor's job to make sure that your machines work, and it sure as hell isn't the general public's job to remain silent about the security holes in your system.
It's almost as if you don't think that the vulnerability will be used if it's not disclosed. It's like you think that this is the only guy that could ever fucking find such a bug. Seriously, if it's not publicly disclosed then the only people with access to it are going to be the people that will use it to completely fuck you sideways. I'd prefer it gets released and a bunch of script kiddies try to make it into some easy-to-prevent malware so it gets patched rather than leave it only in the hands of those that know how to use it to its full potential.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.