
Ormandy's Exploit Leads to Malware

By Mary Landesman, About.com Guide, June 16, 2010


On Tuesday afternoon, Microsoft reported that it was "aware of limited exploits" of the recently disclosed vulnerability in the Windows Help and Support Center. Looking into the Microsoft report, it appears the exploit was being delivered via videohelp.com, allegedly through an unrelated vulnerability in the OpenX ad banner exchange used by that site.

The maliciously inserted script loaded the exploit code from opensourcecms.com, a legitimate open source website that apparently acted as an unwitting host. During the infection process (which led to the installation of a trojan dropper), the following error message appeared:

"Your input can't be opened: VLC is unable to open the MRL 'http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/bug-vs-feature.jpg'. Check the log for details."

Ironically, lock.cmpxchg8b.com is the website used and owned by Tavis Ormandy, who engineered the exploit to begin with. Ormandy is a full-time Google employee, styled a security researcher, who apparently works without restriction from Google. After all, this is the second zero-day exploit he has written and released in as many months (the previous one impacting Sun's Java Web Start), with seemingly no repercussions from his employer.

In both cases, Tavis provided full, public and very detailed instructions for engineering successful exploits of the vulnerabilities, essentially spoon-feeding attackers the information they needed to infect your systems and steal your data.

Tavis defends his actions, in part, by referring to what he calls the "accessible and balanced essay on the disclosure debate by Bruce Schneier". It's ironic, then, that he appears to have missed several pertinent statements Bruce makes in that commentary:

"I am opposed to attacks that primarily sow fear. Publishing vulnerabilities that there's no real evidence for is bad."

"I believe in giving the vendor advance notice."

"...it is irresponsible, and possibly criminal, to distribute easy-to-use exploits."

"I like the "be part of the solution, not part of the problem" metric."

Tavis clearly did not publish his exploit because users were in imminent danger. By his own admission, the Microsoft exploit was so hard to engineer that he almost gave up. (Unfortunately for the rest of us, his colleagues chipped in to help him.)

He also clearly did not give adequate advance notice. Instead, Tavis chose to wait mere days (in Microsoft's case, two working days) before publishing.

Tavis clearly did irresponsibly and possibly criminally distribute an easy-to-use exploit which is now being used to attack perfectly innocent Web surfers.

And all because he felt entitled to extort control over development resources at other software companies. His excuse: Microsoft would not commit to the timeframe he specified, 60 days.

It's especially worth noting that Tavis chose to approach Microsoft in the crucial days leading up to Patch Tuesday. Of course Microsoft isn't going to commit to anything until it has had a chance to fully research the matter, which isn't feasible in two days, much less on the day before and the day of Patch Tuesday. It would be grossly unfair to customers and to shareholders if Microsoft were to do otherwise.

Full disclosure and responsible disclosure are not mutually exclusive goals; both start from the standpoint of what is in the best interest of users and security. Irresponsible disclosure is an entirely different beast, driven by purely selfish motives and throwing both users and security under the bus in the process.

Irresponsible disclosure exposes innocent users to real, immediate harm. And as Google itself can attest, the malware problem is already severe enough without Tavis' help. And SANS, do we really need to massage his ego by fawning over his writing style?

Comments
June 16, 2010 at 6:51 pm
(1) KC :

Freaking prick. As an administrator, educated idiots like him are the ones that make my work harder.

June 16, 2010 at 8:10 pm
(2) annie :

People like him should have to use their talent for the good of others, not do harm. Does he know the meaning of boomerang? Whatever he does will go back to him doublefold.


©2012 About.com. All rights reserved.

A part of The New York Times Company.