Security researchers: They smell your fear

Posted by in Analysis on Jun 10, 2010

There’s a bunch of press today out on the interwebs about a new vulnerability in Windows 7.  Actually, let me rephrase.  It’s not actually a vulnerability according to the researchers – instead, they’re calling it a “fundamental flaw”.

Here’s the short story: there’s apparently some issue with the way Windows 7 handles DMA. DMA (direct memory access) lets devices such as disk controllers move data to and from memory without the CPU copying every byte, and it has been standard on PCs since long before Windows 7 (consumer IDE drives were using DMA transfers in the late 1990s), so it’s not like this is something new out of the wild blue yonder.

What’s the issue, you might ask?  Well, the researchers aren’t saying.  They don’t want to give the bad guys an advantage, you see – so they’re going to hold off on putting the details out there until an upcoming security conference where they will present their findings.

But here’s what tweaks me about this: they won’t release the details so that we, the general public, can validate the issue, yet they took the story to the press, where it was syndicated to every corner of the earth.  Don’t you suppose it’s in the realm of possibility that some bad guy somewhere – reading this article in one of the many languages it’s been translated into – will get an inkling of where to go to turn this into an attack?

And even if by some miracle the bad guys don’t leverage it right away, what’s the point?  Why get everyone all fired up about the issue without giving enough details to actually evaluate whether it’s a concern or not?  They won’t tell us what the problem is, but instead tell us to disable DMA?  WTF!?  Have you ever used a machine without DMA, with the CPU shuffling every byte of every disk transfer itself?  “Performance hit” is an understatement.  “Someone replaced my CPU with blackstrap molasses” is an understatement.  Nobody’s going to do it.

Anyway, I think these researchers should have gone one way or the other – either release the details or don’t.  But this sitting in the middle and putting out a teaser?  While it works for their apparent goal of general press-houndery, I’m not sure it does the public any favors.
