Google Publicly Pulls Microsoft Up On Security Flaw In XP

Oh, it is ON between Google and Microsoft. A Google security engineer in Switzerland warned Microsoft of a vulnerability in Windows XP, but when Microsoft had not fixed it within five days, he went public with the hacker's wet dream: full details plus a working exploit.

Tavis Ormandy was the Google engineer who discovered the XP hole in the Windows Help and Support Center, the component that normally lets a PC fetch help documents from the internet when needed. The hole, though (if you know what you're doing), lets you do a lot more than fetch help files: an attacker can "execute arbitrary commands with the privileges of the current user," according to Ormandy, on PCs running Windows XP SP2 or SP3 with IE7 or IE8. In other words, whatever the logged-in user can do, the attacker's code can do too.

While going public before the flaw was fixed might not have been the smartest move, Ormandy believes it was the only way to make Microsoft sit up and pay attention, rather than shelve the problem for a later day: "If I had reported the...issue without a working exploit, I would have been ignored," he wrote on the Full Disclosure mailing list. Microsoft understandably hit back, with Jerry Bryant, a group manager at the Microsoft Security Response Center, writing of his concern "about the public disclosure of this issue given we were only notified about it by this researcher on the 5th of June."

Some security experts are now calling for a public hanging (well, dismissal) of Ormandy, with Robert Hansen, CEO of SecTheory, wading in and saying that he should be fired. I think that's a little harsh personally, but how do you feel about Google publicly admonishing Microsoft about its security flaws, especially in light of Google reportedly ditching Windows as its HQ OS of choice? [Full Disclosure via ComputerWorld]