back to article Google cyber-knight lances Microsoft for bug-hunter 'hostilities'

Top Google engineer Tavis Ormandy has slammed Microsoft for apparently treating security bug hunters with “great hostility”. He blasted Redmond's behaviour towards those who report vulnerabilities as he publicly revealed a new unpatched security hole in the Windows operating system - a bug that can be exploited to crash …


This topic is closed for new posts.
  1. Himalayaman

    Maybe he should fix the zillions of Android bugs first?

    1. DrXym

      Big orgs hire people explicitly for penetration testing, finding vulnerabilities etc.. Perhaps that's his whole job, to act the role of the attacker and find these problems and it's up to project stakeholders to actually fix them.

    2. Anonymous Coward
      Anonymous Coward

      I wasn't aware that he was part of the Android development team.

      1. Don Jefe

        I wasn't aware he was part of the Windows development team.

        1. Destroy All Monsters Silver badge

          I wasn't aware that he was part of a development team.

    3. eulampios

      find them yourself

      At least a thousand or two of those? Find a single one exploitable on Android first.

      Well, find them in Chrome and you might get yourself a pretty big sum of money. Google is not as cheap as Microsoft when it comes to discovering exploits of their products, after all.

  2. nuked

    Tip of the iceberg I think, and rather pointless trying to find them all. Another bug-ridden iteration of Windows will be out before you do.

    1. Anonymous Coward
      Anonymous Coward

      Yes, the 0day bugs in windows are better off left to the Chinese intelligence.

      Lets criminalize full-disclosure and be at the mercy of blackhat entrepreneurs and spy agencies.

  3. jnffarrell1

    When Sales PR Competes on Security

    This kind of stuff will continue to happen. You can't bluff your way to security, like you can with a sale.

  4. Anonymous Coward
    Anonymous Coward

    I wonder what makes MS shirty over disclosure of vulnerabilities?

    "Three years ago he publicly disclosed a zero-day Windows XP Help Center security bug that he had notified Microsoft about only five days before"

    Yeah, that might do it.

  5. Anonymous Coward
    Anonymous Coward

    So you want to go on the Internet, have two dozen third party programs installed, an operating system (that you have no idea how the source code looks) and you assume you are secure.

    M$ is no different than Apple or any other software vendor. Their vuln's are kept stumm to keep the punters happy and ignorant in their 'security'.

    1. Destroy All Monsters Silver badge

      But your Operating System does Bezier Curves!

      That must count for something?

  6. Tchou

    MS "treating security bug hunters with “great hostility”.

    Of course they do, for at least four reasons :

    - Plenty of these bugs are really features requested and paid for by "security" agencies (NSA,...)

    - MS don't give a fuck about end user's system security, but rather their generous sponsors (NSA...) interests

    - Developing fixes cost money and reduce the functionalities requested by generous sponsors

    - Publicly revealing these bugs make them exploitable by competing sponsors whose interest may diverge from those of the 51th state of America (by order of creation, but 1st by importance)

    1. Anonymous Coward
      Anonymous Coward

      Re: MS "treating security bug hunters with “great hostility”.

      Wrong icon, you need the balck helicopters one...

  7. Don Jefe


    Yes there are security issues. There are security issues in every piece of software if you look hard enough. It is up to the vendor to sort them out. It is not the role of the penetration tester to escalate 'his' vulnerabilities to the top. His role stops with disclosure of the issue, he's no good for fixing it: It is beyond his purview to direct corporate security priorities.

    Not to be an MS apologist but everyone I know in computer security gives MS a lot of credit for changing their security processes for the better.

  8. TeeCee Gold badge


    "....I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself,”

    "Dear Kettle. I am very worried about the use you might put my personal information to, were I to let you have it. Signed Pot."

  9. Anonymous Coward

    The SYSTEMATIC Fix using memory-safe languages. This would eliminate about 50% of exploits of the CVE database and certainly this one, too. And no, memory safe != {dog slow, memory-chewing, unpredictable runtime}

    Here's an efficient, memory-safe subset of C++:

    MS actually did quite a bit of research into memory-safe languages, but so far the results of research are very much stuck in the research labs. Bread-and-butter stuff like Office and Windows are still plain old, highly brittle, highly insecure C++. And yeah, MS employs quite a few highly capable developers and even those make exploitable mistakes under pressure "to ship".

    1. Ken Hagan Gold badge

      Re: The SYSTEMATIC Fix

      Followed the link. Found nothing beyond a pre-processor that only lets you use smart pointers. Good luck interfacing with existing libraries and good luck trying to persuade someone who already *is* using smart pointers to insert a little-known and barely supported preprocessor into their tool chain for zero benefit.

    2. Tchou

      Re: The SYSTEMATIC Fix

      And your memory safe languages are build on what?

      This just delegate security to a third party, which you know nothing about (code quality, practices, competence, etc...).

      C and C++ are perfectly safe if used sanely.

      1. Michael Wojcik Silver badge

        Re: The SYSTEMATIC Fix

        C and C++ are perfectly safe if used sanely.

        Writing machine code in binary is perfectly safe if used sanely.

        Don't get me wrong - I wrote and maintain a lot of C (and a little C++, though I consider that language to have neatly managed the trick of combining the worst aspects of everything) code in production, and it's mostly quite solid. But we add layers of abstraction for a reason, and writing good C code means adding a lot of abstraction on top of the core language. You may have already created that layer, and/or have it supplied by third-party code you believe is reliable. But that's not qualitatively different from using more-expressive languages and frameworks.

  10. Sil

    The hysteric

    5 days for a company to fix a bug, test the fix then distribute is not enough. Clearly one should not encourage corporations to take 6 months to fix a bug but please 5 days? This is self publicity not a righteous outcry.

  11. M Gale

    Dat be sum insanity right there

    Because drawing bezier curves is really part of the OS kernel's job.

    Any dafter and you'd almost believe they would shove an entire Internet services suite into kernel space.

    OH, WAIT.

    1. Someone Else Silver badge

      Re: Dat be sum insanity right there

      Or, perhaps load the graphics engine into Ring 0...

      Oh, wait some more...

    2. Michael Wojcik Silver badge

      Re: Dat be sum insanity right there

      Because drawing bezier curves is really part of the OS kernel's job.

      Agreed, though there's no shortage of UNIX / Linux machines running the X11 server as root, either. And at least in the early days of X11 (circa the original release of X11R4), curve drawing was often pushed into the ddx layer1, in code contributed by anyone who wanted to send source to MIT. Some of it was not of the highest quality.

      I don't know the details of modern X11 architectures - haven't worked in that area in 20 years - so isolation and protection may be better. I'd be surprised if many systems aren't doing rendering in an excessive-privilege environment, though, and some of those are likely to have similar vulnerabilities.

      1At the time, the X11 server architecture was split into dix (device-independent X) and ddx (device-dependent X) layers. dix covered the network protocol, and abstractions like bitmaps and atoms, and included a generic implementation of the drawing primitives. ddx talked to specific devices, with the assistance of the actual device drivers. The ddx implementation for a display could just push pixels - the "dumb framebuffer" approach - but you could also override the dix implementation of any of the drawing primitives with ddx ones, to take advantage of graphics hardware. I did X11 ddx implementations for a couple of video adapters when I was at IBM.

  12. Conrad Longmore

    I just knew..

    I just knew it would be Tavis Ormandy when I read the headline. I don't doubt his excellent skills as an engineer, but I think he's a bit lacking in skills in the way he interacts with these other companies. I can't see Sophos or Microsoft offering him a job at any time in the future..

    1. Michael Wojcik Silver badge

      Re: I just knew..

      I can't see Sophos or Microsoft offering him a job at any time in the future.

      Their loss. I'd hire Ormandy in an instant, if he were looking for a job and I was in a position to do so. His analysis of the #GP trap handler bug (which he also discovered) is a thing of beauty. (It's also worth noting that Ormandy has been reasonable about the likelihood of a vendor catching such bugs, as in his conclusions in this blog post.)

      With people like Ormandy and Derek Soeder, Google has some of the best people for finding obscure and difficult to exploit but dangerous vulnerabilities in complex systems. When folks like that contact you, you should be damn grateful. They could have just sold the exploit on the APT black market.

  13. Wzrd1 Silver badge

    "Two years ago he accused Adobe of "trying to bury" scores of bugs in its Flash Player software."

    Sad, but true. However, in Adobe's favor, they buried their scores of bugs under even more bugs.

  14. cs94njw

    ... treating security bug hunters with “great hostility”...

    Whereas Google treats everyone with "great hostility".

    I love Google, but jeez - they making me love them with a little 'L'.

  15. twolegs

    off the wall

    security? bugs? has nobody worked in IT? when was a bug ever found, analysed, fixed, tested, signed off and distributed GLOBALLY in less than 5 days?

    adobe - meaning, loosely, a place to shelter in/home; a building made of natural materials including SAND, WATER, CLAY and STRAW to bind them together.

    perhaps rather unfairly, adobe's might be slated for being full 'poorly put together' and full of 'bugs' - what do you expect in sand, clay and straw?

    tavis ormandy? is that with an 'o' or a '0' for zero day maybe? an unusual name that seems to be an anagram of 'normandy vista'? 'white cliffs' anyone?

  16. Michael Wojcik Silver badge

    Ormandy discovered the flaw in the bezier curve-handling bit

    Man, what a bunch o' NURBS.

This topic is closed for new posts.

Other stories you might like