Cybercriminals are busy these days exploiting a bug in Windows XP exposed by the Google researcher Tavis Ormandy. Online security experts are divided on whether Ormandy should have allowed more than 5 days before publicizing the vulnerability. The bug exposed is a flaw in XP’s Help and Support Center, and it has been used to infect connected computers all around the world with a variety of exploit code.
The 5-day issue
XP users have started a wave of hate against Tavis Ormandy for his “irresponsible behavior”, as it has been labeled in some places on the internet. Since 5 days is less than what is considered the minimum reasonable period for a vendor to develop a patch, Tavis Ormandy has been bombarded with criticism by many, including experts in the security industry. However, these criticisms all seem one-sided considering his tweet regarding the issue, which read: “I’m getting pretty tired of all the “5 days” hate mail. Those five days were spent trying to negotiate a fix within 60 days”. Nevertheless, the damage has been done, and cybercriminals have something to work on again, at least until Microsoft completely eliminates the risk.
Exploits by the thousands
Cybercriminals apparently wait for such opportunities to latch onto in search of quick and dirty profits. More than 10,000 attacks have been recorded within a matter of a few days. Although Microsoft suggested a workaround for the flaw last month, it is not yet clear when a security patch will be released. Various types of malware have been delivered through these exploits by ill-minded cybercriminals.
Magnitude of the overall risk
Microsoft, in a post, has described a breakdown of the attacks country by country. They have also provided a timeline of the attack’s growth. This level of openness from a vendor is considered very rare. Nevertheless, all necessary information related to the attacks has been made public by Microsoft, maybe as a means of retaliation against the controversy surrounding the whole thing.
What Ormandy should have done otherwise
Ormandy, in his tweet justifying his actions, indicates that the 5 days were spent negotiating a 60-day deadline with Microsoft, which apparently was unsuccessful. Was it still a mistake to have publicized the security bug? Probably yes. But why was Microsoft reluctant to cut a deal with the Google researcher for a 60-day window to come up with a fix, when they were offered the chance to negotiate? There is no point in arguing what Ormandy should have done with the information, because it’s all done and dusted now.
Google, on a separate occasion, has officially distanced itself from the situation, saying that the controversial disclosure of the Microsoft Windows XP bug and the corresponding research were all Ormandy’s independent work.