CWmike writes: Google engineer Tavis Ormandy published attack code on Thursday that exploits a zero-day vulnerability in Windows XP. Security experts objected to the way he disclosed the bug — just five days after it was reported to Microsoft — and said the move is more evidence of the ongoing, and increasingly public, war between the two giants. Microsoft said it is investigating the vulnerability and would have more information on its next steps later on Thursday. Researchers at French security vendor Vupen Security confirmed that Ormandy's proof-of-concept works as advertised on Windows XP Service Pack 2 (SP2) and SP3 machines running Internet Explorer 7 or IE8. Ormandy said he decided to go public because of its severity, and, 'If I had reported the issue without a working exploit, I would have been ignored.' He also slammed the concept of 'responsible disclosure,' a term that Microsoft and others apply to bug reports submitted privately, giving developers time to patch before the information is publicly released. Microsoft took Ormandy to task for giving it less than a week to deal with his report. And Microsoft was not the only one. Robert Hansen, CEO of SecTheory, chastised Google for claiming that the company abides by responsible disclosure when its security researchers do not. 'Their researchers are going off half-cocked,' said Hansen, who deplored Ormandy's quick publication. 'It just doesn't add up.'