Researchers at Sophos have detected malware that exploits the zero-day Windows XP flaw disclosed last week by a Google engineer.
Disclosure of the flaw, which is contained in the Windows Help and Support Center, a Web-based feature providing technical support to end users, renewed the old debate about responsible disclosure. Microsoft said the Google engineer, Tavis Ormandy, a bug hunter known for finding kernel-level operating system coding errors, only gave the software giant three days to investigate the flaw before publicizing it.
In a blog post, Sophos researchers said they discovered malware that exploits the vulnerability on Tuesday. The malicious code, which spreads via a compromised website, downloads and executes an additional piece of malware on a victim’s computer, they said.
In a separate blog post, Graham Cluley, senior technology consultant at Sophos, said Ormandy’s disclosure was irresponsible. “So my question to Mr Ormandy is this — do you feel proud of your behaviour? Do you think that you have helped raise security on the Internet? Or did you put your vanity ahead of others’ safety?” he asked.
Microsoft said in a Twitter message that it was aware of limited attacks exploiting the Windows Help vulnerability, and advised customers to apply the fix included in its advisory last week.