Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003.
The flaw is in XP's Windows Help Centre. In simple terms, Help uses a white list of approved web pages to go to in order to get help information. But a problem with this white list means it is possible to add unsafe URLs to it.
The attack exploits Internet Explorer but will work with other browsers too. It is even easier if Windows Media Player is also in use.
But far more controversial is how this information has been released by Ormandy. The usual protocol is that you tell the company and wait for a fix to be ready for download before telling the world, and hackers, about the existence of the weakness.
Ormandy chose to post the code needed to exploit the hole to an open security mailing list just five days after informing Microsoft.
His action was immediately criticised by Susan Bradley - "not an enterprise customer, but I am a mouthy female"- who wanted to know what he had heard back from Microsoft since 5 June. She suggested he should have spent a little more time getting angry with Microsoft and emailing them before posting the exploit.
Ormandy left a snotty reply explaining he didn't have time to explain disclosure to Bradley but she could research it for herself. The full post is on FullDisclosure here.
Ormandy seems to believe Microsoft, which is not exactly known for the speed of its responses to security (and many other) issues, would never have acted to patch this hole unless he, or someone else, had also provided code to exploit it.
Other observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft. ®