Other...
......observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft
Never!
Not in a million years!
:-)
Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003. The flaw is in XP's Windows Help Centre. In simple terms, Help uses a white list of approved web pages to go to in order to get help information. But a …
A lot of medium to large organisations with significant numbers of end users doing their jobs on Windows boxes use Remote Assistance to support them. It would be a brave sysadmin who simply disabled the Help & Support Centre. Even the more nuanced forms of mitigation suggested in the disclosure would not be deployed without some serious testing in a support environment that relied significantly on RA.
Create a crisis. Now in this case the crisis was not created by the engineer, M$ did that by not paying attention to security holes and taking fast action to repair them. Indeed, is the problem the code or the inability to repair and rapidly deploy the fix? It's both actually (trick question).
What the engineer did is perhaps not ethical, but creating a crisis does work and you can be fairly certain that the call to battle-stations is sounding at Redmond as things get kicked into high gear to fix the problem and deploy the patch.
They have to cover their fanny.
I can just hear the chatter in the MS meeting rooms
"Oh oh oh....I know...Instead of fixing the problem, or blaming the people exploiting the problem, or blaming the people who allowed the problem to exist, let's blame the person who pointed out the problem, who we ignored and who had to take it public to even get an acknowledgement the problem exists."
I'm usually the last to be on MSFT's side, being an apple fanboy and all, but five days? Even ignoring how slow MSFT (and Apple) have been to patch flaws, five days is by no means a timely fashion.
Even assuming MSFT was able to find and fix the bug instantly, there's lag involved in regression testing to ensure the patch doesn't adversely interact with the numerous permutations of setups out there. There's lag in getting the word out or to wait till Patch Tuesday. There's lag involved for sysadmins to download and find time to test the patch themselves. There's lag for actually being able to deploy the patch onto all machines.
This was not 'Here is your notice of the exploit.' This was, 'By the time you can even look, much less solve this, I'll have already released the exploit into the wild.' Yes, it bothers me as well that MSFT made yet another security hole, but two wrongs don't make a right.
So did Microsoft even email this gentleman back? I have seen no information on whether Microsoft sent him back an email, even if only to say 'thanks, we are looking into it'. 5 days is plenty of time to respond to an email sent in, especially on security exploits from reliable sources.
That being said, if they did respond to him and gave him some sort of ETA, then I agree with your statement. Two wrongs do make a right.
Was he asking for payment to refrain from posting the exploit?
I think he jumped the gun shamefully, but I wouldn't describe it as blackmail. That's not to say that there aren't a range of options of criminal and/or civil charges that might be brought, but I don't think blackmail is one of them...
And how many days does it take to code, build, test and deploy a fix across millions of computers? Why should a snotty "security researcher" who can barely manage to be civil to other people have a say in the speed of the software development cycle of enterprise level software? Twat is still the final word on this idiot.
This is a very old very dead horse. Do you air dirty laundry or not? The problem on the one hand is that the folks responsible for a code base often don't respond in a timely fashion to security problems when they are made aware of them. On the other hand, releasing exploit code facilitates exploitation.
The Google geek isn't doing anything irregular. The only thing which makes it "news" worthy is the Google vs. Microsoft angle. If negative press and yellow dog journalism is the image you're cultivating... please continue to post crap like this.
Waiting only 5 days before posting a previously-unseen exploit for software which you KNOW has a regular monthly patch cycle isn't responsible disclosure. Given the timing (pretty much immediately after a patch release), 2 months isn't an unreasonable time to wait (i.e. the August updates... if this had taken place a couple of weeks ago, I'd have said July).
After all, they merely pointed out one (of millions of) security defects.
Microsoft are obviously afraid of the truth (such as they are yesterday's news), hey - if it were open source maybe the issue would already be fixed.....
If a Microsoft engineer discovered a flaw in Google's OS they would probably pay a 3rd party (e.g. - SCO, are you busy..) to disclose the info - that's the way they work - get some attack dog to do their dirty work (it is now known that MS paid SCO to attack Linux in 2004 - and now look - SCO are completely dead!!!!!!)
(although I imagine a Microsoft employee is banned from using any rival OS so they would never know anyway)
I have noticed in the past that Microsoft can take years to fix known security vulnerabilities (often MS start to get busy when customers start getting raped by these vulnerabilities). In fact, maybe they should pay Google for helping them .............
If vendors weren't so tardy about fixing their stuff it wouldn't be necessary. Whining on Full Disclosure about full disclosure is asking for ridicule.
I'd rather know about something and be able to mitigate it than wait for the vendor to get their arses in gear deciding to patch something I'm vulnerable to that I don't even know about.
Rep for the Google bloat cloud is declining-- they hoover private information off the airwaves with what they claim was poorly written code, now they have a loser "engineer" who can't control himself. Or maybe executives who can't control themselves (that is hardly new anywhere in the Universe as We Know It though).
First, note to John Oates -- "tell the company and wait for a fix to be ready for download before telling the world" is NOT the usual protocol. That may be what Microsoft wants, but consensus among security researchers is to tell the company, wait 30 days, release to the public. Although a sizeable portion argue (I think convincingly) for open disclosure -- the flaws are ALREADY being exploited by spyware, viruses, etc. anyway, so releasing to the public immediately is just fine. In reality, though, I'm most unconcerned about this -- as an Ubuntu user, open disclosure is the default, then a security update comes out usually within 1 or 2 days.
Susan Bradley is wrong and Ormandy is not. When she finds a security flaw, she can get pissed and play e-mail tag all she wants. This isn't a bill that he's trying to get Microsoft to fix, this is him doing them a favor by reporting a flaw to them. He gave notice, they didn't even trouble themselves to even acknowledge receipt after almost a week. I might have waited the full 30 days, but I would expect a TOTAL of 30 days to fix, if they hadn't even replied in 5 days... well, frankly, Ormandy is probably right, they probably were planning to just sit on this flaw -- they have been caught sitting on known security flaws for YEARS multiple times -- someone will release an exploit, Microsoft says "naughty naughty, that's not responsible disclosure", and then whoever wrote the exploit points out a report of the EXACT SAME flaw from 5, 10, 15 years ago, that Microsoft never bothered to fix.
Patching an OS is not to be undertaken lightly and testing has to be performed. Microsoft has been, rightly, lambasted in the past for releasing shoddy code in a patch that has trashed machines so one can appreciate that writing a patch, particularly for a server platform, and then regression testing is not a small job and certainly one that takes more than 5 days.
Ormandy's action was unprofessional, spiteful and small minded at best. It was also possibly illegal. Google should fire the prat and be well shot of him.
The events were:
1) Googler finds major flaw in a piece of software that a lot of people trust their data to.
2) Googler tells Microsoft that the software that their customers trust them to fix is flawed and needs fixing to preserve their safety.
3) Not a squeak from Microsoft for 5 days, essentially giving the middle finger to their customers and their trust in them.
4) Googler publishes the code, forcing Microsoft to react, and showing how little they care about their customers.
What a lot of people seem to forget is that the FLAW IS ALREADY THERE, it's nobody but Microsoft's fault, and there's no reason to assume that this flaw hasn't been exploited before by people who don't disclose their flaws, but SELL THEM.
Five days is in no way an unreasonable time to expect a fix, or at least an advisory from your vendor. Patch turnaround time from notice to actual patch in system is measured in days in most cases on free operating systems.
And it's DEFINITELY not unreasonable to expect *some* response like "We're looking into it, please give us a x time to make a patch."
This is just your vendor throwing your trust back in your face, nothing more.
"3) Not a squeak from Microsoft for 5 days, essentially giving the middle finger to their customers and their trust in them"
Is that completely true? Are we sure? Has M$ been emailing this chap back saying "we're investigating" or completely ignoring him?
If they've responded then I think it was a bad thing to release the exploit.
If they haven't then I agree that they needed a big kick up the arse to get them going.
I'm usually happy with the Reg's reporting on Computer Security, but this piece was disappointing.
If the author had taken the time to remember why the full-disclosure list was created in the first place, and acknowledged the fact that the whole disclosure debate is more complicated than just right/wrong, the article would perhaps have been a bit more nuanced. Also I'm not sure that quoting from unmoderated public mailing lists constitutes reporting. Shape up...
It's an XP problem. Microsoft doesn't give a ^@^& about XP. The longevity of XP is negatively impacting the acceptance and purchase of Windows 7. They would just tell you to "upgrade" your OS to the "latest version".
Publicity, in large volume, is the only way to get a reaction from Microsoft.
The negative marketing tactic of pushing customers to new purchases instead of fixing the current product the customer is using is their biggest problem.
It leads to the same response the consumer has for any product. Why should I buy the new one when the old one doesn't work right to begin with and you won't support it? I'm supposed to trust you that the new one will resolve my problem? And pay for it?
How about you give me the upgrade for free and make me happy, and maybe I will continue to be a customer. Otherwise I guess I will have to check out the competition.
Open source security bugs on any program in much use tend to get fixed in less time than this following disclosure. If not, the person informing a lead developer of a bug morally deserves to be recompensed for the delay to their career resulting from being expected to sit on this information for longer than needed.
What is it about Microsoft in particular that makes their cumbersome and monopolistic internal development and maintenance processes deserving of more leeway than they would be given if they published their source code, allowed distribution of user modifications, developed code within the public domain and were open to peer review?
The real problem is that MS has the only commercially available operating system in the world, they hold a total monopoly. Open source is their only competition. With no other software companies commercially producing operating systems, there is little incentive for MS to produce a quality product.
Yes the OS is this old, but even if you consider Vista GA as being the point when vendors stopped shipping XP (which it wasn't), there are computers less than three-and-a-half years old that were shipped with XP. This is not old for a consumer device, and is less than the accounting depreciation period for some companies.
MS cannot, if they have any morals (debatable), stop supporting XP without providing a reasonably priced upgrade option. (I believe that they legally have to provide support for 10 years after ship date for any kit shipped to the US DoD or other government agencies anyway.)
Also remember that for non-gaming users, the amount of computing power required by ordinary home or office users topped out at around the 1.8GHz Pentium D. Beyond this, the extra power is just providing gloss. This means that many people with 2+GHz Pentium 4 or Athlon XP 2000 have perfectly usable systems that do not need to be replaced yet, and with the correct maintenance and care, could run for many more years.
Any other line is just buying into the *blatant* consumerism that is driving the retail electronics market at the moment, leading to increased consumption and greater waste disposal and recycling problems that we face.
Google and Microsoft can have a slap fight in private or public, but releasing this exploit before a patch is available is putting users at risk. The guy, likely a typical Google aspie, got his panties in a bunch because Microsoft wasn't taking him seriously, so he decided that he would show them by putting this out there and proving how right he was. I doubt he had the support of his superiors on this one.
I'm not one to defend MS's lousy security record, but the point of the disclosure protocol is to protect the millions of people out there who use this stuff. Even those that are proactive about security may be bitten by a zero-day exploit with no patch available.
Also, why do we not have an icon for Eric Schmidt with horns? Surely he deserves that much.
There's enough "security researchers" that are so fed up with corporate inaction, or worse, corporate litigation for even mentioning there might possibly be holes in their crap software, that they don't even give advance notice any longer, to anyone. That includes things like all-volunteer open source projects that _do_ make an effort to fix problems and be communicative about it.
It might be this guy apparently leaned that way but didn't dare just dump it out in the wild. Or maybe he got impatient, goofed, and tried to cover it up with being snotty. It's often tried but rarely works. Then again, "security researchers" often are quite snotty, in one, more, all senses of the word.
Personally, I say that giving notice with a deadline of two months is reasonable, extendable to six if the company/project/what-have-you asks nicely. Should the company have a standing track record of being non-responsive (say, three times in a row) or litigative (once is all it takes) and no public apologies, then release right away if you wish.
But then again, why would you want to release that quickly? Why does this guy not have time to wait (and do other things in the meantime) while he does have time to look for holes in a rival's software in the first place? Whorin' for attention or something? Get back to work!
In what sense does the fact that megacorp likes to have a 6 monthly develop test patch cycle on vulnerabilities mean that an individual who has discovered something embarrassing about a megacorp product has to put his/her career on hold? Supposing someone is going to be interviewed for an important security job in a fortnight's time, and publishing a week after discovery is likely to raise security researcher's reputation? Perhaps if you were the interviewer, you might consider a week too short so he/she wouldn't get the job on grounds of poor judgement. But if the employer is open source with an agile development and patch process they would more likely consider a week adequate. So why should sclerotic and inflexible megacorp with methods stuck in the past hold up security researcher's career?
If megacorp is willing to compensate security researcher to sit on something for longer than a week generously enough to want to keep this out of his/her CV then that would seem a fair trade.
...the reason Patch Tuesday was done was so that admins didn't have to worry about firing patches out to tens of thousands of PCs at completely random times. This is a thing the public led, not something MS forced upon people. Admins requested, MS listened, that's a model MANY decent software companies are now following.
Many of the arseholes here run "networks" of 10 PCs and an FP server (maybe a web server as well) so have no worries about testing a patch on about 3 bits of software. When you have hundreds of different apps, you really want to make sure a patch ain't gonna completely f**k up the systems and cost the company millions in lost business.
Linux, Windows, Unix, whatever, you want to make sure things are fixed in a timely manner and not rushed and screwed up.
This sort of behaviour just smacks of a corporate spat getting out of hand, the only losers being Joe Public.
Google sucks.. They blatantly & admittedly have a total disrespect for users' privacy, and have been taking heat for it, and should be; therefore they are taking a stab at Microsoft to 'divert' attention from their own misdeeds. Yeah, Microsoft has issues, but don't we all, and yes they are slow to fix them, but to spread *#*# on someone after only a 5 day notice.. BS. And, in the end it is the end users that mostly suffer from attacks, from getting their bank accounts to their identities stolen.
Shame on Google!
Perhaps because they have some small degree of customer care left? Yes, I know hard to believe, but never mind. Out in the real world where you have 10,000 users, 90% of whom don't give a flying **** about what version of Windows they have, they just want the frigging computers to work, the relentless upgrade cycle is becoming increasingly unproductive...
In this bit of the public service I reckon 85% of our IT resource goes not in improving service to the taxpayer, but in keeping up with countless largely pointless upgrades just so that the environment stays something like supported. You may think this is a good use of your tax, but I find it hard to agree. If we weren't constantly upgrading some system or another - a portfolio of applications approaching 4 figures - we might be able to do something about some of the dreadful business systems, but at the moment: no chance.
As someone working for a company which gets its revenue and provides applications and generally has a good view in the public eye (with the exception of privacy controversies), then Google and its employees should be more conscious of protecting its users.
Undeniable as the competition between Google and Microsoft is, Google should still think about the protection of its users and be professional about such things as pointing out exploits which could potentially harm its own users' computers.
I'm sure a Microsoft engineer wouldn't have carried out such an unethical attempt at putting Google in the spotlight should they have a security hole in their software.
Come on kids, play nice and think about all those who believe Windows 7 was their idea........
So putting it all together we get:
Google gets hacked, much to the displeasure of Google, it's an MS box at fault!
Google employee discovers an exploit in the MS boxes that Google uses (or used).
Google employee decides to publicise rapidly, much to the chagrin of MS.
Google employee gives reason that it *could already be in the public domain*.
Question now is: what does he know, that could lead to this statement, that we don't know?
What's the betting that Google knows *exactly how* it was hacked? What's the betting that after a big hack you publicly say "yeah we know how and it's been fixed" even if you have been left scratching your head going how did they do that???
I find it interesting that people are expecting Microsoft to have a fix out in only five days. As a software developer myself I know that a fix in that time frame needs to be either:
a) Super critical, something that is going to cost your company massive amounts of money or drastically affect your customer base enough that you will just throw money and resources at it
b) The bug is so simple that it can be found, fixed and tested in a matter of hours.
Please remember how complex a system the operating system is. I notice above that some commenters said well XXXX open source project would have fixed it by now. One thing to remember that open source OSs do not have the same compatibility that Windows has (oh and before I get flamed I'm writing this in Firefox on Ubuntu). Microsoft will need to fix this bug and then test it against every configuration it has in its test library.
For those of you not in software development, here is how the bug might have been handled:
1) Bug gets sent into Microsoft, possibly to a dedicated bug e-mail address/contact with hundreds of other potential bugs.
2) Someone has to go through each and every bug submitted and try and replicate the bug in their test environments.
3) If they can replicate it then a priority would be assigned to it based on the severity of the bug, ease of exploitation, what can be done with the exploit etc.
4) The bug gets picked up by the developer/development team as long as there is no higher priority bug. The developer then needs to step through the code while using the exploit to see what needs to be fixed. Simply saying it is related to the white list of the Help tool isn't as big a help as you might think.
5) The developer fixes the code
6) The tester tests the fix against the original issue and sees if it fixes the issue without raising new ones. They'll have a list of tests that they will need to run on this functionality.
7) The tester, or more likely a team of testers, will test the fix across multiple configurations of Windows to see if this fix breaks any other element of the OS. This is called regression testing and means testing all of Windows.
8) Prepare fix for release.
Now if anyone believes they can do that in five days, then I suggest you submit your CV to Microsoft ASAP. My experience is with web sites, but I would estimate that you're looking at least two weeks for a fix, if the bug has a sufficiently high priority.
As posters above have also pointed out you would then have weeks until the fix would have been rolled out sufficiently.
The person who found this flaw was irresponsible to the point of criminality for releasing the details of this issue when Microsoft is probably still trying to confirm the issue and give it a priority.
How many of the people who have posted above have any experience with the software lifecycle? It normally takes us about 2 days at least for the call to get through bureaucracy and resourcing to be fixed, then another day at least to fix and do developer testing on, then another day at least to do testing on it. Considering the size of MS, the state of the Win32 APIs, and the size of their customer base, I don't really see any reason to think that 5 days is an acceptable time period, unless you want them to start pushing fixes out the door untested and undocumented.
I understand what Shakje is saying, but he's missing the point.
I expect a company with the resources that Microsoft has behind it, to drop everything and get this security vulnerability fixed, tested, documented, and out the door in 2 hours flat.
It shouldn't take 5 hours, let alone 5 days, and certainly not 5 weeks to get a security vulnerability patch out the door.
I understand what Arion is saying and consider that he is demonstrating that he has no experience of diagnosing problems in large scale complex software and preparing fixes that do not cause regression in any of the numerous configurations and environments that the software has to work in.
Clearly too Arion has never come across a bug that was a symptom of a serious design defect and required thousands of lines of code to be replaced, since no-one (not even Arion, I venture to suggest) writes thousands of lines of code to fit into a complex environment, tests it thoroughly, wraps it up in a fix installer package, and ships it in two hours flat. Or does Arion somehow know that the loopholes that this hack exploits are not such as to require such a large-scale change to the software?
Ormandy was asked three times whether he had had any response from MS to his report and has refused to answer this question, twice substituting a blatant ad hominem attack on the person asking the question and the third time not responding at all. I think that says it all - he's not interested in responsible full disclosure, only in making as much trouble as possible. I guess the numerous commenters who support his action haven't read the thread at the full disclosure site, they just saw an opportunity to say "isn't MS awful" yet again and jumped on it without bothering to verify anything - particularly the idiots who asserted that Ormandy had received no response, which seems a strange thing to believe when he's using personal abuse to weasel out of answering that question.