Zero-day Microsoft flaw already being exploited

By Phil Muncaster on Jun 17, 2010 7:01 AM
Filed under Security

Vulnerability published by Google researcher could allow remote code execution.

Security experts have warned that hackers are already exploiting a zero-day vulnerability in Windows Help and Support Center, just days after a Google researcher published exploit code for the attack.

Tavis Ormandy went public with the CVE 2010-1885 vulnerability last week, having given Microsoft just five days to develop a fix. The flaw affects Windows XP and Windows Server 2003.

However, security vendor Sophos warned in a blog post yesterday that a compromised web site has been discovered that exploits the vulnerability by installing Trojan malware which could result in arbitrary code execution on a victim's machine.

Sophos senior technology consultant Graham Cluley launched a scathing attack on Ormandy, arguing that he should have worked with Microsoft to fix the problem and disclosed the vulnerability only when a patch was available.

"Do you feel proud of your behaviour? Do you think that you have helped raise security on the internet? Or did you put your vanity ahead of others' safety?" he wrote in a blog post.

"Five days isn't a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct."

Zero-day Microsoft flaw already being exploited

2 comments in this discussion

"Comparing car security to software is ridiculous. Do you have 1000 people trying to break into your car every day? If there was, how long do you think your car security would last? 10 minutes? ..."

By Ace

Tags

vulnerability, microsoft, fix, security, windows, already

ME Bank sticks to long-term IT vision

Why Microsoft is staying the Windows course

Further security flaws found in Java Runtime Environment

Microsoft hikes profit on cloud and entertainment

Breaking Stories

Aussie retailers falling behind on 'couch commerce'

eHealth measures missing the point

Microsoft adds Azure sub-regions in NSW and VIC

Rio Tinto scales BYOD to 4000 users

Carriers attack NBN Co's 'lack of urgency'

Comments: 2

Res

Jun 17, 2010 9:10 AM

I agree publishing it after 5 days is asking for trouble. The person concerned should have waited perhaps 30 days, but then, what if someone else (a bad guy) found it and published it, then the guy at google wouldn't get his name in the press, oh my, cant have that now, can we.

However, it is typical of microslop and its ongoing sloppy coding.
Its more of a reason I would never touch a microslop, errr sorry, I mean microsoft product, ever.

Is it because for 20 odd years we have been accustomed to their continual inability to code and product insecurity and vulnerabilities that we just shrug it off now days?

Why do people simply attack the people who use the software as microslop have released it, they get called the hackers/script kiddies and bad guys, why is no-one challenging microslop on their inability to get things right after so so so long.

If a car manufacturer released a model of a car with keyless entry, but, because of an error, everyone can access everyone else's cars, sure the crims would have a field day, but, the car manufacturer would be held accountable, in probably the largest class action suit ever seen in history, but yet MS are free to screw up for 20 odd years and remain un-challenged, something is not quite right.

Ace

Jun 17, 2010 11:39 AM

Comparing car security to software is ridiculous. Do you have 1000 people trying to break into your car every day? If there was, how long do you think your car security would last? 10 minutes?

Also, you are talking about code that is probably 10 years old, so claiming 'on-going sloppy coding' may also be ridiculous. And 20 years? Exactly how much internet-based hacking do you think there was going on 20 years ago that involved a Microsoft product? I imagine it's pretty much zero, especially as the www had not even been invented at that stage.

The fact MS is on so many desktops and PCs is because they wrote an OS people could use, and marketed it very well. The fact no-one else has bothered to any great extent is hardly their fault.

I find it extraordinary that a Google employee would publish such code. It's gonna come back and bite them on the bum via Android and other applications they have. I assume he will be reprimanded by Google for putting so many of their own customers at risk.

Comments have been disabled for this article.

Ads by Google