Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003. The flaw is in XP's Windows Help Centre. In simple terms, Help uses a white list of approved web pages to go to in order to get help information. But a problem …
......observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft
Not in a million years!
not a major flaw
That particular 'feature' is one of the first things I disable when setting up a WinBox.
But he's still a twat for posting the code after waiting only 5 days.
Not so simple
A lot of medium to large organisations with significant numbers of end users doing their jobs on Windows boxes use Remote Assistance to support them. It would be a brave sysadmin who simply disabled the Help & Support Centre. Even the more nuanced forms of mitigation suggested in the disclosure would not be deployed without some serious testing in a support environment that relied significantly on RA.
Need to get someone to do what you want
Create a crisis. Now in this case the crisis was not created by the engineer, M$ did that by not paying attention to security holes and taking fast action to repair them. Indeed, is the problem the code or the inability to repair and rapidly deploy the fix? It's both actually (trick question).
What the engineer did is perhaps not ethical, but creating a crisis does work and you can be fairly certain that the call to battle-stations is sounding at Redmond as things get kicked into high gear to fix the problem and deploy the patch.
They have to cover their fanny.
I'm with you on this one
I can just hear the chatter in the MS meeting rooms
"Oh oh oh....I know...Instead of fixing the problem, or blaming the people exploiting the problem, or blaming the people who allowed the problem to exist, let's blame the person who pointed out the problem, who we ignored and who had to take it public to even get an acknowledgement the problem exists."
good on him
if people started giving MS ultimatums ("here is your notice of the exploit, it goes public in X number of days") maybe they might start actually fixing their fuck ups
Only if you give enough time for a fix.
I'm usually the last to be on MSFT's side, being an apple fanboy and all, but five days? Even ignoring how slow MSFT (and Apple) have been to patch flaws, five days is by no means a timely fashion.
Even assuming MSFT was able to find and fix the bug instantly, there's lag involved in regression testing to ensure the patch doesn't adversely interact with the numerous permutations of setups out there. There's lag in getting the word out or to wait till Patch Tuesday. There's lag involved for sysadmins to download and find time to test the patch themselves. There's lag for actually being able to deploy the patch onto all machines.
This was not 'Here is your notice of the exploit.' This was, 'By the time you can even look, much less solve this, I'll have already released the exploit into the wild.' Yes, it bothers me as well that MSFT made yet another security hole, but two wrongs don't make a right.
That's exactly what I was going to say! The only way M$ will ever act is with a rocket up their ass. Of course the Google angle makes it interesting as well, especially since they're moving away from using Windows.
Most courts will consider this blackmail.
Oh for f*ck's sake
And how many days does it take to code, build, test and deploy a fix across millions of computers? Why should a snotty "security researcher" who can barely manage to be civil to other people have a say in the speed of the software development cycle of enterprise level software? Twat is still the final word on this idiot.
Was he asking for payment to refrain from posting the exploit?
I think he jumped the gun shamefully, but I wouldn't describe it as blackmail. That's not to say that there aren't a range of options of criminal and/or civil charges that might be brought, but I don't think blackmail is one of them...
we will see
So did Microsoft even email this gentleman back? I have seen no information on whether Microsoft sent him back an email, even if only to say 'thanks, we are looking into it'. 5 days is plenty of time to respond to an email sent in, especially on security exploits from reliable sources.
That being said if they did respond to him and gave him some sort of eta then I agree with your statement. Two wrongs do make a right.
Keep in mind it was Microsoft that sold this and many other problems to the public, not Google.
This is a very old very dead horse. Do you air dirty laundry or not? The problem on the one hand is that the folks responsible for a code base often don't respond in a timely fashion to security problems when they are made aware of them. On the other hand, releasing exploit code facilitates exploitation.
The google geek isn't doing anything irregular. The only thing which makes it "news" worthy is the google vs. microsoft angle. If negative press and yellow dog journalism is the image you're cultivating... please continue to post crap like this.
"The google geek isn't doing anything irregular"
I puked a little.
waiting only 5 days before posting a previously-unseen exploit for software which you KNOW has a regular monthly patch cycle isn't responsible disclosure. Given the timing (pretty much immediately after a patch release), 2 months isn't an unreasonable time to wait (i.e. the August updates... if this had taken place a couple of weeks ago, I'd have said July)
He also stated he released the exploit early because it was actively being exploited in the wild... It would be tough to actively sit on that knowledge waiting on MS to do their thing.
Good one Google !!!
After all they merely pointed out one (of millions) security defect
Microsoft are obviously afraid of the truth (such as they are yesterday's news), hey - if it were open source maybe the issue would already be fixed.....
If a Microsoft engineer discovered a flaw in Google's OS they would probably pay a 3rd party (e.g. - SCO are you busy..) to disclose the info - that's the way they work - get some attack dog to do their dirty work (it is now known that MS paid SCO to attack Linux in 2004 - and now look - SCO are completely dead !!!!!!)
(although I imagine a Microsoft employee is banned from using any rival OS so they would never know anyway)
I have noticed in the past that Microsoft can take years to fix known security vulnerabilities (often MS start to get busy when customers start getting raped by these vulnerabilities) in fact maybe they should pay Google for helping them .............
Cry me a fucking river
If vendors weren't so tardy about fixing their stuff it wouldn't be necessary. Whining on Full Disclosure about full disclosure is asking for ridicule.
I'd rather know about something and be able to mitigate it than wait for the vendor to get their arses in gear deciding to patch something I'm vulnerable to that I don't even know about.
Rep for the Google bloat cloud is declining-- they hoover private information off the airwaves with what they claim was poorly written code, now they have a loser "engineer" who can't control himself. Or maybe executives who can't control themselves (that is hardly new anywhere in the Universe as We Know It though).
Susan Bradley - "not an enterprise customer, but I am a mouthy female"
Kind of a redundant statement, really. Most females are...
Paris, mouthy but for different reasons.
I have no problem with mouthy females
But unless you have something relevant to mouth off about, shut the hell up.
Re: Mouthy female?
Keep it up, AC, and I will zap you. Silently. Not like a typical female at *all*.
"not an enterprise customer, but I am a mouthy female"
Oh joy another one of those.
Hat, coat, wallet, spectacles... ah you know the rest.
(Chorus) Fight!, Fight!, Fight!...
"The row between Google and Microsoft"
I love it, I just love it.
First, note to John Oates -- "tell the company and wait for a fix to be ready for download before telling the world" is NOT the usual protocol. That may be what Microsoft wants, but consensus among security researchers is to tell the company, wait 30 days, release to the public. Although a sizeable portion argue (I think convincingly) for open disclosure -- the flaws are ALREADY being exploited anyway by spyware, viruses, etc. anyway, so releasing to the public immediately is just fine. In reality, though, I'm most unconcerned about this -- as an Ubuntu user, open disclosure is the default, then a security update comes out usually within 1 or 2 days.
Susan Bradley is wrong and Ormandy is not. When she finds a security flaw, she can get pissed and play E-Mail tag all she wants. This isn't a bill that he's trying to get Microsoft to fix, this is him doing them a favor by reporting a flaw to them. He gave notice, they didn't even trouble themselves to even acknowledge receipt after almost a week. I might have waited the full 30 days, but I would expect a TOTAL of 30 days to fix, if they hadn't even replied in 5 days... well, frankly, Ormandy is probably right, they probably were planning to just sit on this flaw -- they have been caught sitting on known security flaws for YEARS multiple times -- someone will release an exploit, Microsoft says "naughty naughty, that's not responsible disclosure", and then whoever wrote the exploit points out a report of the EXACT SAME flaw from 5, 10, 15 years ago, that Microsoft never bothered to fix.
I guess he forgot...
Do No Evil.
Patching an OS is not to be undertaken lightly and testing has to be performed. Microsoft has been, rightly, lambasted in the past for releasing shoddy code in a patch that has trashed machines so one can appreciate that writing a patch, particularly for a server platform, and then regression testing is not a small job and certainly one that takes more than 5 days.
Ormandy's action was unprofessional, spiteful and small minded at best. It was also possibly illegal. Google should fire the prat and be well shot of him.
So, let's see
The events were:
1) Googler finds major flaw in a piece of software that a lot of people trust their data to.
2) Googler tells Microsoft that the software that their customers trust them to fix is flawed and needs fixing to preserve their safety
3) Not a squeak from Microsoft for 5 days, essentially giving the middle finger to their customers and their trust in them.
4) Googler publishes the code, forcing Microsoft to react, and showing how little they care about their customers.
What a lot of people seem to forget is that the FLAW IS ALREADY THERE, it's nobody but Microsoft's fault, and there's no reason to assume that this flaw hasn't been exploited before by people who don't disclose their flaws, but SELL THEM.
Five days is in no way an unreasonable time to expect a fix, or at least an advisory from your vendor. Patch turn around time from notice to actual patch in system is measured in days in most cases on free operating systems.
And it's DEFINITELY not unreasonable to expect *some* response like "We're looking into it, please give us a x time to make a patch."
This is just your vendor throwing your trust back in your face, nothing more.
Are we sure ?
"3) Not a squeak from Microsoft for 5 days, essentially giving the middle finger to their customers and their trust in them"
Is that completely true? Are we sure? Has M$ been emailing this chap back saying "we're investigating" or completely ignoring him.
If they've responded then I think it was a bad thing to release the exploit.
If they haven't then I agree that they needed a big kick up the arse to get them going.
incompetent development methodology
Open source security bugs on any program in much use tend to get fixed in less time than this following disclosure. If not, the person informing a lead developer of a bug, morally deserves to be recompensed for the delay to their career resulting from being expected to sit on this information for longer than needed.
What is it about Microsoft in particular that makes their cumbersome and monopolistic internal development and maintenance processes deserving of more leeway than they would be given if they published their source code, allowed distribution of user modifications, developed code within the public domain and were open to peer review ?
incompetent development methodology
The real problem is that MS has the only commercially available operating system in the world, they hold a total monopoly. Open source is their only competition. With no other software companies commercially producing operating systems, there is little incentive for MS to produce a quality product.
Keeping the pirate ship afloat
Windows has relied on shed loads of security suppliers looking after them for decades. It is about time that came to an end.
If everyone posted their discoveries immediately not waiting 4 or 5 days the company would have to write decent stuff.
The patch is called Windows 7!!!! Don't tell anyone, just get them to purchase.
It's an XP problem. Microsoft doesn't give a ^@^& about XP. The longevity of XP is negatively impacting the acceptance and purchase of Windows 7. They would just tell you to "upgrade" your OS to the "latest version".
Publicity, in large volume, is the only way to get a reaction from Microsoft.
The negative marketing tactic of pushing customers to new purchases instead of fixing the current product the customer is using is their biggest problem.
It leads to the same response the consumer has for any product. Why should I buy the new one when the old one doesn't work right to begin with and you won't support it? I'm supposed to trust you that the new one will resolve my problem? And pay for it?
How about you give me the upgrade for free and make me happy and maybe I will continue to be a customer. Otherwise I guess I will have to check out the competition.
I'm usually happy with the Regs reporting on Computer Security, but this piece was disappointing.
If the author had taken the time to remember why the full-disclosure list was created in the first place and acknowledged the fact that the whole disclosure debate is more complicated than just right/wrong, the article would perhaps have been a bit more nuanced. Also I'm not sure that quoting from unmoderated public mailing lists constitutes reporting. shape up...
It's not as if this was the last ever security flaw in Windows and Windows would now be entirely safe if it wasn't for this one man and his evil communist actions.
"mouthy female" Susan Bradley evidently needs a refill on her prescription for chill pills.
the users get hurt
Google and Microsoft can have a slap fight in private or public, but releasing this exploit before a patch is available is putting users at risk. The guy, likely a typical Google aspie, got his panties in a bunch because Microsoft wasn't taking him seriously, so he decided that he would show them by putting this out there and proving how right he was. I doubt he had the support of his superiors on this one.
I'm not one to defend MS's lousy security record, but the point of the disclosure protocol is to protect the millions of people out there who use this stuff. Even those that are proactive about security may be bitten by a zero-day exploit with no patch available.
Also, why do we not have an icon for Eric Schmidt with horns? Surely he deserves that much.
In Opera you at least get a prompt, but IE8 just goes ahead and runs it!
Personally I don't see why Microsoft is maintaining a 8, nearly 9 year old OS. The sooner they cut off support the sooner people move on to better things.
@Giles Jones re. 8 or 9 yo OS?
Yes the OS is this old, but even if you consider Vista GA as being the point when vendors stopped shipping XP (which it wasn't), there are computers less than three-and-a-half years old that were shipped with XP. This is not old for a consumer device, and is less than the accounting depreciation period for some companies.
MS cannot, if they have any morals (debatable), stop supporting XP without providing a reasonably priced upgrade option. (I believe that they legally have to provide support for 10 years after ship date for any kit shipped to the US DoD or other government agencies anyway)
Also remember that for non-gaming users, the amount of computing power required by ordinary home or office users topped out at around the 1.8GHz Pentium D. Beyond this, the extra power is just providing gloss. This means that many people with 2+GHz Pentium 4 or Athlon XP 2000 have perfectly usable systems that do not need to be replaced yet, and with the correct maintenance and care, could run for many more years.
Any other line is just buying into the *blatant* consumerism that is driving the retail electronics market at the moment, leading to increased consumption and greater waste disposal and recycling problems that we face.
Actually, there are still plenty of NetBooks being sold right now, (well there were before the iPad arrived) which have XP on them by default, and still will for many more weeks.
Another one, yawn
There's enough "security researchers" that are so fed up with corporate inaction, or worse, corporate litigation for even mentioning there might possibly be holes in their crap software, that they don't even give advance notice any longer, to anyone. That includes things like all-volunteer open source projects that _do_ make an effort to fix problems and be communicative about it.
It might be this guy apparently leaned that way but didn't dare just dump it out in the wild. Or maybe he got impatient, goofed, and tried to cover it up with being snotty. It's often tried but rarely works. Then again, "security researchers" often are quite snotty, in one, more, all senses of the word.
Personally, I say that giving notice with a deadline of two months is reasonable, extendable to six if the company/project/what-have-you asks nicely. Should the company have a standing track record of being non-responsive (say, three times in a row) or litigative (once is all it takes) and no public apologies, then release right away if you wish.
But then again, why would you want to release that quickly? Why does this guy not have time to wait (and do other things in the meantime) while he does have time to look for holes in a rival's software in the first place? Whorin' for attention or something? Get back to work!
too long for those going somewhere
In what sense does the fact that megacorp likes to have a 6 monthly develop test patch cycle on vulnerabilities mean that an individual who has discovered something embarrassing about a megacorp product has to put his/her career on hold ? Supposing someone is going to be interviewed for an important security job in a fortnight's time, and publishing a week after discovery is likely to raise security researcher's reputation ? Perhaps if you were the interviewer, you might consider a week too short so he/she wouldn't get the job on grounds of poor judgement. But if the employer is open source with an agile development and patch process they would more likely consider a week adequate. So why should sclerotic and inflexible megacorp with methods stuck in the past hold up security researcher's career ?
If megacorp is willing to compensate security researcher to sit on something for longer than a week, generously enough to want to keep this out of his/her CV, then that would seem a fair trade.
... that's such a crap argument and I can't even be bothered to explain why.
Regarding the Full Disclosure Posts
I was reading the posts...before I got to Ormandy's last response, the posts by Susan Bradley started disappearing, except one where she was answering a troll. This was as of 02:01 CDT (-5 GMT)
...the reason patch Tuesday was done was so that admins didn't have to worry about firing patches out to 10's of thousands of pc's at completely random times. This is a thing the public led, not something MS forced upon people. Admins requested, MS listened, that's a model MANY decent software companies are now following.
Many of the arseholes here run "networks" of 10 pc's and a FP server (maybe a web server as well) so have no worries about testing a patch against 3 bits of software. When you have hundreds of different apps, you really want to make sure a patch ain't gonna completely f**k up the systems and cost the company millions in lost business.
Linux, Windows, Unix, whatever, you want to make sure things are fixed in a timely manner and not rushed and screwed up.
This sort of behaviour just smacks of a corporate spat getting out of hand, the only losers being Joe Public.
"Making information available"
Isn't the Google 'raison d'être' to make information available? You know: OS exploits, your WiFi traffic, pr0n... that sort of thing.
Google sucks.. They blatantly & admittedly have a total disrespect for users' privacy, and have been taking heat for it, and should be, therefore they are taking a stab at Microsoft to 'divert' attention from their own misdeeds. Yea, Microsoft has issues, but don't we all, and yes they are slow to fix them, but to spread *#*# on someone after only a 5 day notice.. BS. And, in the end it is the end users that mostly suffer from attacks, from getting their bank accounts to their identities stolen.
Shame on Google!