Malicious hackers are reportedly exploiting a Windows XP zero-day vulnerability recently disclosed by Google engineer Tavis Ormandy.
According to SophosLabs, a compromised website has been positively identified as using the exploit to deploy a Trojan horse onto unsuspecting users’ computers.
“Sophos proactively detects the page as Sus/HcpExpl-A and the Trojan horse it downloads as Troj/Drop-FS,” Sophos researcher Graham Cluley explained in a company blog post.
“So my question to Mr Ormandy is this – do you feel proud of your behavior? Do you think that you have helped raise security on the Internet? Or did you put your vanity ahead of others’ safety?”
Cluley opined that a “responsible security researcher” would have been “happy” working with Microsoft on a successful resolution of the issue – and only shared details once a safe patch had been developed.
However, the vulnerability was first reported to Microsoft on June 5 and publicized just four days later.
“Five days isn’t a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn’t cause more problems than it intends to correct,” he added.
Microsoft spokesperson Mike Reavey expressed similar sentiments.
“Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.
“One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause.”