December 30th, 2005
The WMF exploit is another example of an irresponsible disclosure by people with an interest in security putting millions of PC users worldwide at risk from the vulnerability (I want to make it clear here that it is not Sunbelt who was irresponsible - I saw a number of irresponsible disclosures of proof of concept code on several websites, and this code has formed the basis for many of the current exploits we are seeing).
The timeline is predictable - the disclosure is made, and within hours there are a few sites making use of this vulnerability. Over the period of a few days the number of sites hosting the exploit explodes. And web criminals are putting this exploit to some really nasty uses - such as installing software that logs personal and financial information when users of infected computers enter data at certain websites, such as banking or e-commerce sites. Soon we could see this vulnerability being used to send email worms.
OK, I have some serious points I want to make. First, there is little doubt that the initial disclosure was totally irresponsible (I suspect that the disclosure was made thinking that this was a problem fixed by December's Windows Update, which did address a graphics rendering issue, just not this one).
But there's another serious and sinister side to all this. So far, recent exploits have revolved around work carried out by security firms. They make an irresponsible disclosure and then the bad guys jump on it. How long will it be until we see the bad guys actually looking for and finding these kinds of exploits for themselves? This would put users and the security world on the back foot and a response could be delayed.
Doesn't bear thinking about.
More coverage on the TechBlog.
This entry was posted on Friday, December 30th, 2005 at 11:41 and is filed under Stay Secure.