Maybe he should fix the zillions of Android bugs first?
Google cyber-knight lances Microsoft for bug-hunter 'hostilities'
Top Google engineer Tavis Ormandy has slammed Microsoft for apparently treating security bug hunters with “great hostility”. He blasted Redmond's behaviour towards those who report vulnerabilities as he publicly revealed a new unpatched security hole in the Windows operating system - a bug that can be exploited to crash …
-
Tuesday 28th May 2013 12:11 GMT Anonymous Coward
So you want to go on the Internet, have two dozen third-party programs installed and an operating system (with no idea what the source code looks like), and you assume you are secure.
M$ is no different than Apple or any other software vendor. Their vulns are kept stumm to keep the punters happy and ignorant in their 'security'.
-
Tuesday 28th May 2013 12:14 GMT Tchou
MS "treating security bug hunters with 'great hostility'".
Of course they do, for at least four reasons:
- Plenty of these bugs are really features requested and paid for by "security" agencies (NSA, ...)
- MS don't give a fuck about end users' system security, but rather their generous sponsors' (NSA...) interests
- Developing fixes costs money and reduces the functionalities requested by generous sponsors
- Publicly revealing these bugs makes them exploitable by competing sponsors whose interests may diverge from those of the 51st state of America (by order of creation, but 1st by importance)
-
Tuesday 28th May 2013 12:25 GMT Don Jefe
Whining
Yes, there are security issues. There are security issues in every piece of software if you look hard enough. It is up to the vendor to sort them out. It is not the role of the penetration tester to escalate 'his' vulnerabilities to the top. His role stops with disclosure of the issue; he's no good for fixing it. It is beyond his purview to direct corporate security priorities.
Not to be an MS apologist but everyone I know in computer security gives MS a lot of credit for changing their security processes for the better.
-
Tuesday 28th May 2013 15:16 GMT Anonymous Coward
The SYSTEMATIC Fix
...is using memory-safe languages. This would eliminate about 50% of exploits of the CVE database and certainly this one, too. And no, memory safe != {dog slow, memory-chewing, unpredictable runtime}
Here's an efficient, memory-safe subset of C++:
http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf
http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/
MS actually did quite a bit of research into memory-safe languages, but so far the results of research are very much stuck in the research labs. Bread-and-butter stuff like Office and Windows are still plain old, highly brittle, highly insecure C++. And yeah, MS employs quite a few highly capable developers and even those make exploitable mistakes under pressure "to ship".
-
Tuesday 28th May 2013 21:20 GMT Ken Hagan
Re: The SYSTEMATIC Fix
Followed the link. Found nothing beyond a pre-processor that only lets you use smart pointers. Good luck interfacing with existing libraries and good luck trying to persuade someone who already *is* using smart pointers to insert a little-known and barely supported preprocessor into their tool chain for zero benefit.
-
Thursday 30th May 2013 21:21 GMT Michael Wojcik
Re: The SYSTEMATIC Fix
C and C++ are perfectly safe if used sanely.
Writing machine code in binary is perfectly safe if used sanely.
Don't get me wrong - I wrote and maintain a lot of C (and a little C++, though I consider that language to have neatly managed the trick of combining the worst aspects of everything) code in production, and it's mostly quite solid. But we add layers of abstraction for a reason, and writing good C code means adding a lot of abstraction on top of the core language. You may have already created that layer, and/or have it supplied by third-party code you believe is reliable. But that's not qualitatively different from using more-expressive languages and frameworks.
-
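The two comments above circle the same point from opposite ends: the "SYSTEMATIC Fix" post wants the language to refuse an out-of-bounds write, and Wojcik's reply says that in practice good C code gets there by layering its own abstractions over the raw language. The following is an added illustration in C, not code from the thread or from the SAPPEUR project: `copy_name_unchecked` is the raw idiom (trust the caller's length, as a strcpy/memcpy pattern does), and `bbuf` is the kind of small length-carrying abstraction Wojcik describes, whose single write routine refuses anything over capacity. The stack frame layout, the 0xAA control marker standing in for a saved return address, and the all-'A' input are constructed for this demo; the overflow is kept inside one array so the clobber is defined behaviour under any compiler or sanitizer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (constructed for this example): an 8-byte name
 * buffer immediately followed by 8 bytes that stand in for a saved return
 * address or other control data.  Both live inside one array so that an
 * over-long copy stays within a single object and the demo is defined
 * behaviour; on a real stack the same bytes would be the return address. */
#define NAME_LEN    8
#define FRAME_LEN   16
#define CONTROL_OFF NAME_LEN

static const unsigned char CONTROL_MAGIC[FRAME_LEN - CONTROL_OFF] =
    {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA};

/* Raw C idiom: the length comes from the caller and is trusted.  The clamp
 * to FRAME_LEN exists only to keep the demo inside the array; a real
 * strcpy() has no clamp at all. */
static void copy_name_unchecked(unsigned char frame[FRAME_LEN],
                                const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len && i < FRAME_LEN; i++)
        frame[i] = src[i];
}

/* The abstraction layer: a buffer that carries its own capacity. */
typedef struct {
    unsigned char *data;
    size_t cap;
    size_t len;
} bbuf;

/* The only way to write into a bbuf.  Returns 0 on success, -1 if the write
 * would exceed capacity, in which case nothing is written. */
static int bbuf_copy(bbuf *b, const unsigned char *src, size_t len)
{
    if (len > b->cap)
        return -1;
    memcpy(b->data, src, len);
    b->len = len;
    return 0;
}

/* Lay out the frame with the control marker in place and an all-'A' input
 * of the requested length (constructed test data). */
static void setup(unsigned char frame[FRAME_LEN],
                  unsigned char input[FRAME_LEN])
{
    memset(input, 'A', FRAME_LEN);
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CONTROL_OFF, CONTROL_MAGIC, sizeof CONTROL_MAGIC);
}

static int control_clobbered(const unsigned char frame[FRAME_LEN])
{
    return memcmp(frame + CONTROL_OFF, CONTROL_MAGIC, sizeof CONTROL_MAGIC) != 0;
}

/* Run the unchecked copy with input_len bytes (<= FRAME_LEN).
 * Returns 1 if the control field was overwritten, 0 otherwise. */
int unchecked_clobbers_control(size_t input_len)
{
    unsigned char frame[FRAME_LEN], input[FRAME_LEN];
    setup(frame, input);
    copy_name_unchecked(frame, input, input_len);
    return control_clobbered(frame);
}

/* Same scenario through the bounded abstraction.  Returns bbuf_copy's
 * result and reports in *clobbered whether the control field changed. */
int checked_copy_result(size_t input_len, int *clobbered)
{
    unsigned char frame[FRAME_LEN], input[FRAME_LEN];
    setup(frame, input);
    bbuf name = { frame, NAME_LEN, 0 };
    int rc = bbuf_copy(&name, input, input_len);
    *clobbered = control_clobbered(frame);
    return rc;
}

int main(void)
{
    int c;
    printf("unchecked, 8 bytes : clobbered=%d\n", unchecked_clobbers_control(8));
    printf("unchecked, 9 bytes : clobbered=%d\n", unchecked_clobbers_control(9));
    printf("checked,   8 bytes : rc=%d clobbered=%d\n", checked_copy_result(8, &c), c);
    printf("checked,   9 bytes : rc=%d clobbered=%d\n", checked_copy_result(9, &c), c);
    return 0;
}
```

The one byte of difference between the 8- and 9-byte inputs is the whole story: the unchecked copy silently lands on the control field, while the `bbuf` write returns -1 and leaves the frame untouched, which is the property a memory-safe language would enforce for every buffer rather than just the ones someone remembered to wrap.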
Friday 31st May 2013 01:31 GMT Michael Wojcik
Re: Dat be sum insanity right there
Because drawing bezier curves is really part of the OS kernel's job.
Agreed, though there's no shortage of UNIX / Linux machines running the X11 server as root, either. And at least in the early days of X11 (circa the original release of X11R4), curve drawing was often pushed into the ddx layer [1], in code contributed by anyone who wanted to send source to MIT. Some of it was not of the highest quality.
I don't know the details of modern X11 architectures - haven't worked in that area in 20 years - so isolation and protection may be better. I'd be surprised if many systems aren't doing rendering in an excessive-privilege environment, though, and some of those are likely to have similar vulnerabilities.
[1] At the time, the X11 server architecture was split into dix (device-independent X) and ddx (device-dependent X) layers. dix covered the network protocol, and abstractions like bitmaps and atoms, and included a generic implementation of the drawing primitives. ddx talked to specific devices, with the assistance of the actual device drivers. The ddx implementation for a display could just push pixels - the "dumb framebuffer" approach - but you could also override the dix implementation of any of the drawing primitives with ddx ones, to take advantage of graphics hardware. I did X11 ddx implementations for a couple of video adapters when I was at IBM.
-
Tuesday 28th May 2013 21:21 GMT Conrad Longmore
I just knew..
I just knew it would be Tavis Ormandy when I read the headline. I don't doubt his excellent skills as an engineer, but I think he's a bit lacking in skills in the way he interacts with these other companies. I can't see Sophos or Microsoft offering him a job at any time in the future.
-
Friday 31st May 2013 01:31 GMT Michael Wojcik
Re: I just knew..
I can't see Sophos or Microsoft offering him a job at any time in the future.
Their loss. I'd hire Ormandy in an instant, if he were looking for a job and I was in a position to do so. His analysis of the #GP trap handler bug (which he also discovered) is a thing of beauty. (It's also worth noting that Ormandy has been reasonable about the likelihood of a vendor catching such bugs, as in his conclusions in this blog post.)
With people like Ormandy and Derek Soeder, Google has some of the best people for finding obscure and difficult to exploit but dangerous vulnerabilities in complex systems. When folks like that contact you, you should be damn grateful. They could have just sold the exploit on the APT black market.
-
Wednesday 29th May 2013 09:39 GMT twolegs
off the wall
security? bugs? has nobody worked in IT? when was a bug ever found, analysed, fixed, tested, signed off and distributed GLOBALLY in less than 5 days?
adobe - meaning, loosely, a place to shelter in/home; a building made of natural materials including SAND, WATER, CLAY and STRAW to bind them together.
perhaps rather unfairly, adobe's might be slated for being 'poorly put together' and full of 'bugs' - what do you expect in sand, clay and straw?
tavis ormandy? is that with an 'o' or a '0' for zero day maybe? an unusual name that seems to be an anagram of 'normandy vista'? 'white cliffs' anyone?
-