Loose Google Lips Can Sink Ships
Security researchers at major companies are usually very responsible about disclosing vulnerabilities. Last week a Google researcher did something <a href="http://www.information.com/news/windows/security/showArticle.jhtml?articleID=225600410">very irresponsible</a> though, and it may affect security in your company.
Tavis Ormandy, a security researcher at Google, started things out the right way. On June 5, he notified Microsoft of a vulnerability in the way URLs are handled in Windows help files. An attacker can craft a URL in a help file in a way that can run arbitrary script code on the computer. All in all, this is just another typical exploit of the kind that is found in code all the time. Usually it will take a few weeks at least to investigate the problem, come up with a solution, test it, and schedule it to be delivered for the next Patch Tuesday.
There are exceptions to this rule, of course. If Microsoft knows that there is already an exploit rattling around in the wild, they will fast-track the patch and even recommend it for immediate installation. The tradeoff there is the higher risk of compatibility issues and the extra effort it takes for all of Microsoft's customers to install these patches. So the threat from malicious use of the exploit has to be balanced against those costs.
Google's Ormandy threw those tradeoffs out of balance with his next move. Just five days after he reported the exploit to Microsoft, he publicly revealed information about the exploit. Perhaps Google's server-based web code can be changed that quickly, but Windows code cannot be. There is just no good reason to publicize an exploit so soon after reporting it, when nobody seems to be exploiting the problem yet. Of course, that may change now that Ormandy's given this exploit so much attention.