Friday, June 18, 2010

Windows XP Vulnerability Being Exploited

I'm a little late to the party on this one, so my apologies for the delay in delivering this news.

Microsoft has released a workaround for an un-patched vulnerability in Windows XP. Earlier this week, this vulnerability was being actively exploited on the Internet.

If you are running XP, I recommend that you implement the workaround (note, however, that it will break your Control Panel and any other applications that rely on the HCP protocol until the workaround is removed).

That being said, I want to briefly touch on one aspect of the disclosure of this vulnerability that is interesting to me. This vulnerability was discovered by a Google engineer, Tavis Ormandy, and he initially reported it to Microsoft on June 5th. Microsoft acknowledged receipt of the report the same day. Now, we all know that Microsoft delivers patches on Tuesdays, usually packaged up into one Tuesday a month, and I'm sure everyone can understand that you don't just write a patch and deploy it: you have to test it, make sure it doesn't cause more problems (or vulnerabilities), and ensure that it doesn't cause problems for other software on the system. No reasonable person would expect Microsoft to have issued a patch for this immediately; it was going to take time to find a viable solution.

Apparently Mr. Ormandy didn't think that Microsoft was taking this threat seriously enough, so five days after reporting the issue to Microsoft he created an exploit for the vulnerability and posted it to a popular discussion group that deals with these types of software bugs.

There's been a lot of speculation about the motivation for this action, especially since Tavis Ormandy works for Google, and Google is one of Microsoft's competitors. Were his actions altruistic, as he states (Microsoft was not responding in a timely manner, so I had to pressure them into acting, and then they did post a fix, so I was right to do this)? Or were his actions simply a marketing ploy to besmirch a competitor's reputation? Who knows; it's all speculation, right?

One thing I want to say is that when you are dealing with open source, the "marketing ploy" aspect of this type of disclosure becomes moot. The only reason Microsoft has to complain is that they believe in "security through obscurity" which, as we can see, is not really any security at all. In open development, vulnerabilities are discussed openly, awareness is high, and patches and workarounds are deployed rapidly because there's no attempt to cover up the problem while it is being worked on. Microsoft is doing a disservice to their customers by not notifying them of these vulnerabilities immediately so that the customers can take action to protect their networks.

In any case, this is an interesting story and I will be watching to see how it unfolds in the press.