Less than a week after Google security researcher Tavis Ormandy disclosed a security problem with the Windows Help application, attackers are exploiting the hole on Windows XP. Their work was simple since he provided proof-of-concept code.This is exactly the situation I feared would happen a few days ago, and it didn't take long for the bad guys to deliver. Sophos has seen an exploit in the wild. Microsoft has a emergency fix that disables the feature being exploited, and you may want to use it in your company.

This harsh publicity has put Ormandy on the defensive; he recently tweeted, "I'm getting pretty tired of all the '5 days' hate mail. Those five days were spent trying to negotiate a fix within 60 days." That's in reference to earlier concerns Ormandy expressed about how slowly Microsoft was fixing bugs. If that's the case, why not just tell them they had 60 days before the exploit would be revealed, rather than five?

Some of the commenters on my previous post seemed to blame Microsoft for this situation. I completely disagree. There is no way that Microsoft could reasonably respond to something like this in only five days. The "Windows is full of bugs" argument doesn't wash, either; every OS has its bugs. No responsible security researcher should be making a decision to release an exploit for an operating system without giving the OS maker a reasonable chance to respond. That's doubly true for a researcher employed by Google, a competitor to Microsoft.