Google geek slammed over XP exploit

Google engineer Tavis Ormandy is under fierce fire on security lists this afternoon for releasing code to exploit an unpatched hole in Windows XP and Windows Server 2003. The flaw is in XP's Windows Help Centre. In simple terms, Help uses a white list of approved web pages to go to in order to get help information. But a …

COMMENTS

This topic is closed for new posts.
  1. DI_Wyman
    Go

    Other...

    ......observers suggested Ormandy was acting on behalf of his employer to fuel the row between Google and Microsoft

    Never!

    Not in a million years!

    :-)

  2. James O'Shea

    not a major flaw

    That particular 'feature' is one of the first things I disable when setting up a WinBox.

    But he's still a twat for posting the code after waiting only 5 days.

    1. Ian McNee
      Stop

      Not so simple

      A lot of medium to large organisations with significant numbers of end users doing their jobs on Windows boxes use Remote Assistance to support them. It would be a brave sysadmin who simply disabled the Help & Support Centre. Even the more nuanced forms of mitigation suggested in the disclosure would not be deployed without some serious testing in a support environment that relied significantly on RA.

  3. Anonymous Coward
    Anonymous Coward

    Need to get someone to do what you want

    Create a crisis. Now in this case the crisis was not created by the engineer, M$ did that by not paying attention to security holes and taking fast action to repair them. Indeed, is the problem the code or the inability to repair and rapidly deploy the fix? It's both actually (trick question).

    What the engineer did is perhaps not ethical, but creating a crisis does work and you can be fairly certain that the call to battle-stations is sounding at Redmond as things get kicked into high gear to fix the problem and deploy the patch.

    They have to cover their fanny.

    1. Doug Glass
      Go

      Microsoft and.....

      ..BP eh???

    2. peter 45
      Gates Halo

      I'm with you on this one

      I can just hear the chatter in the MS meeting rooms

      "Oh oh oh....I know...Instead of fixing the problem, or blaming the people exploiting the problem, or blaming the people who allowed the problem to exist, let's blame the person who pointed out the problem, who we ignored and who had to take it public to even get an acknowledgement the problem exists."

    3. Tim Elphick
      Paris Hilton

      Ha ha!

      Fanny.

  4. gareth 5

    good on him

    if people started giving MS ultimatums ("here is your notice of the exploit, it goes public in X number of days") maybe they might start actually fixing their fuck ups

    1. Blain Hamon
      Alert

      Only if you give enough time for a fix.

      I'm usually the last to be on MSFT's side, being an apple fanboy and all, but five days? Even ignoring how slow MSFT (and Apple) have been to patch flaws, five days is by no means a timely fashion.

      Even assuming MSFT was able to find and fix the bug instantly, there's lag involved in regression testing to ensure the patch doesn't adversely interact with the numerous permutations of setups out there. There's lag in getting the word out or to wait till Patch Tuesday. There's lag involved for sysadmins to download and find time to test the patch themselves. There's lag for actually being able to deploy the patch onto all machines.

      This was not 'Here is your notice of the exploit.' This was, 'By the time you can even look, much less solve this, I'll have already released the exploit into the wild.' Yes, it bothers me as well that MSFT made yet another security hole, but two wrongs don't make a right.

      1. L1feless

        we will see

        So did Microsoft even email this gentleman back? I have seen no information on whether Microsoft sent him back an email, if only to say 'thanks we are looking into it'. 5 days is plenty of time to respond to an email sent in, especially on security exploits from reliable sources.

        That being said if they did respond to him and gave him some sort of eta then I agree with your statement. Two wrongs do make a right.

    2. Hawke
      Gates Horns

      Title!

      That's exactly what I was going to say! The only way M$ will ever act is with a rocket up their ass. Of course the Google angle makes it interesting as well, especially since they're moving away from using Windows.

    3. Anonymous Coward
      Thumb Down

      unlikely

      Most courts will consider this blackmail.

      1. BorkedAgain
        Headmaster

        Really?

        Was he asking for payment to refrain from posting the exploit?

        I think he jumped the gun shamefully, but I wouldn't describe it as blackmail. That's not to say that there aren't a range of options of criminal and/or civil charges that might be brought, but I don't think blackmail is one of them...

    4. Anonymous Coward
      FAIL

      Oh for f*cks sake

      And how many days does it take to code, build, test and deploy a fix across millions of computers? Why should a snotty "security researcher" who can barely manage to be civil to other people have a say in the speed of the software development cycle of enterprise level software? Twat is still the final word on this idiot.

  5. L.T.

    Retired

    Keep in mind it was Microsoft that sold this and many other problems to the public, not Google.

  6. Anonymous Coward
    Thumb Down

    reality check

    This is a very old very dead horse. Do you air dirty laundry or not? The problem on the one hand is that the folks responsible for a code base often don't respond in a timely fashion to security problems when they are made aware of them. On the other hand, releasing exploit code facilitates exploitation.

    The google geek isn't doing anything irregular. The only thing which makes it "news" worthy is the google vs. microsoft angle. If negative press and yellow dog journalism is the image you're cultivating... please continue to post crap like this.

    1. Destroy All Monsters Silver badge
      FAIL

      "The google geek isn't doing anything irregular"

      I puked a little.

    2. frymaster

      very irregular

      Waiting only 5 days before posting a previously-unseen exploit for software which you KNOW has a regular monthly patch cycle isn't responsible disclosure. Given the timing (pretty much immediately after a patch release), 2 months isn't an unreasonable time to wait (i.e. the August updates... if this had taken place a couple of weeks ago, I'd have said July)

  7. Falafel

    Missing information

    He also stated he released the exploit early because it was actively being exploited in the wild... It would be tough to actively sit on that knowledge waiting on MS to do their thing.

  8. Anonymous Coward
    Linux

    Good one Google !!!

    After all they merely pointed out one (of millions) security defect

    Microsoft are obviously afraid of the truth (such as they are yesterday's news), hey - if it were open source maybe the issue would already be fixed.....

    If a Microsoft engineer discovered a flaw in Google's O.S. they would probably pay a 3rd party (e.g. - SCO are you busy..) to disclose the info - that's the way they work - get some attack dog to do their dirty work (it is now known that MS paid SCO to attack Linux in 2004 - and now look - SCO are completely dead !!!!!!)

    (although I imagine a Microsoft employee is banned from using any rival OS so they would never know anyway)

    I have noticed in the past that Microsoft can take years to fix known security vulnerabilities (often MS start to get busy when customers start getting raped by these vulnerabilities), in fact maybe they should pay Google for helping them .............

  9. Jango Bananaman

    Cry me a fucking river

    If vendors weren't so tardy about fixing their stuff it wouldn't be necessary. Whining on Full Disclosure about full disclosure is asking for ridicule.

    I'd rather know about something and be able to mitigate it than wait for the vendor to get their arses in gear deciding to patch something I'm vulnerable to that I don't even know about.

  10. Anonymous Coward
    Paris Hilton

    Mouthy female?

    Susan Bradley - "not an enterprise customer, but I am a mouthy female"

    Kind of a redundant statement, really. Most females are...

    Paris, mouthy but for different reasons.

    1. Anonymous Coward
      Thumb Up

      I have no problem with mouthy females

      But unless you have something relevant to mouth off about, shut the hell up.

    2. Sarah Bee (Written by Reg staff)

      Re: Mouthy female?

      Keep it up, AC, and I will zap you. Silently. Not like a typical female at *all*.

  11. Anonymous Coward
    Thumb Down

    AW Ormandy

    Rep for the Google bloat cloud is declining-- they hoover private information off the airwaves with what they claim was poorly written code, now they have a loser "engineer" who can't control himself. Or maybe executives who can't control themselves (that is hardly new anywhere in the Universe as We Know It though).

  12. John Sanders
    Linux

    (Chorus) Fight!, Fight!, Fight!...

    "The row between Google and Microsoft"

    I love it, I just love it.

  13. mego
    Coat

    "not an enterprise customer, but I am a mouthy female"

    Oh joy another one of those.

    Hat, coat, wallet, spectacles... ah you know the rest.

  14. Henry Wertz 1 Gold badge

    "usual protocol"

    First, note to John Oates -- "tell the company and wait for a fix to be ready for download before telling the world" is NOT the usual protocol. That may be what Microsoft wants, but consensus among security researchers is to tell the company, wait 30 days, release to the public. Although a sizeable portion argue (I think convincingly) for open disclosure -- the flaws are ALREADY being exploited anyway by spyware, viruses, etc. anyway, so releasing to the public immediately is just fine. In reality, though, I'm most unconcerned about this -- as an Ubuntu user, open disclosure is the default, then a security update comes out usually within 1 or 2 days.

    Susan Bradley is wrong and Ormandy is not. When she finds a security flaw, she can get pissed and play E-Mail tag all she wants. This isn't a bill that he's trying to get Microsoft to fix, this is him doing them a favor by reporting a flaw to them. He gave notice, they didn't even trouble themselves to even acknowledge receipt after almost a week. I might have waited the full 30 days, but I would expect a TOTAL of 30 days to fix, if they hadn't even replied in 5 days... well, frankly, Ormandy is probably right, they probably were planning to just sit on this flaw -- they have been caught sitting on known security flaws for YEARS multiple times -- someone will release an exploit, Microsoft says "naughty naughty, that's not responsible disclosure", and then whoever wrote the exploit points out a report of the EXACT SAME flaw from 5, 10, 15 years ago, that Microsoft never bothered to fix.

  15. Bill 11

    Unprofessional

    Patching an OS is not to be undertaken lightly and testing has to be performed. Microsoft has been, rightly, lambasted in the past for releasing shoddy code in a patch that has trashed machines so one can appreciate that writing a patch, particularly for a server platform, and then regression testing is not a small job and certainly one that takes more than 5 days.

    Ormandy's action was unprofessional, spiteful and small minded at best. It was also possibly illegal. Google should fire the prat and be well shot of him.

  16. Trib

    I guess he forgot...

    Do No Evil.

  17. Hein-Pieter van Braam
    Stop

    So, let's see

    The events were:

    1) Googler finds major flaw in a piece of software that a lot of people trust their data to.

    2) Googler tells Microsoft that the software that their customers trust them to fix is flawed and needs fixing to preserve their safety

    3) Not a squeak from Microsoft for 5 days, essentially giving the middle finger to their customers and their trust in them.

    4) Googler publishes the code, forcing Microsoft to react, and showing how little they care about their customers.

    What a lot of people seem to forget is that the FLAW IS ALREADY THERE, it's nobody but Microsoft's fault, and there's no reason to assume that this flaw hasn't been exploited before by people who don't disclose their flaws, but SELL THEM.

    Five days is in no way an unreasonable time to expect a fix, or at least an advisory from your vendor. Patch turn around time from notice to actual patch in system is measured in days in most cases on free operating systems.

    And it's DEFINITELY not unreasonable to expect *some* response like "We're looking into it, please give us a x time to make a patch."

    This is just your vendor throwing your trust back in your face, nothing more.

    1. max allan

      Are we sure ?

      "3) Not a squeak from Microsoft for 5 days, essentially giving the middle finger to their customers and their trust in them"

      Is that completely true? Are we sure? Has M$ been emailing this chap back saying "we're investigating" or completely ignoring him.

      If they've responded then I think it was a bad thing to release the exploit.

      If they haven't then I agree that they needed a big kick up the arse to get them going.

  18. Anonymous Coward
    FAIL

    Disappointed

    I'm usually happy with the Reg's reporting on Computer Security, but this piece was disappointing.

    If the author had taken the time to remember why the full-disclosure list was created in the first place and acknowledged the fact that the whole disclosure debate is more complicated than just right/wrong, the article would perhaps have been a bit more nuanced. Also I'm not sure that quoting from unmoderated public mailing lists constitutes reporting. Shape up...

  19. Anonymous Coward
    Megaphone

    The patch is called Windows 7!!!! Don't tell anyone, just get them to purchase.

    It's an XP problem. Microsoft doesn't give a ^@^& about XP. The longevity of XP is negatively impacting the acceptance and purchase of Windows 7. They would just tell you to "upgrade" your OS to the "latest version".

    Publicity, in large volume, is the only way to get a reaction from Microsoft.

    The negative marketing tactic of pushing customers to new purchases instead of fixing the current product the customer is using is their biggest problem.

    It leads to the same response the consumer has for any product. Why should I buy the new one when the old one doesn't work right to begin with and you won't support it? I'm supposed to trust you that the new one will resolve my problem? And pay for it?

    How about you give me the upgrade for free and make me happy and maybe I will continue to be a customer. Otherwise I guess I will have to check out the competition.

  20. copsewood
    Linux

    incompetent development methodology

    Open source security bugs on any program in much use tend to get fixed in less time than this following disclosure. If not, the person informing a lead developer of a bug, morally deserves to be recompensed for the delay to their career resulting from being expected to sit on this information for longer than needed.

    What is it about Microsoft in particular that makes their cumbersome and monopolistic internal development and maintenance processes deserving of more leeway than they would be given if they published their source code, allowed distribution of user modifications, developed code within the public domain and were open to peer review ?

    1. henrydddd
      Linux

      incompetent development methodology

      The real problem is that MS has the only commercially available operating system in the world, they hold a total monopoly. Open source is their only competition. With no other software companies commercially producing operating systems, there is little incentive for MS to produce a quality product.

  21. Anonymous Coward
    Anonymous Coward

    who cares?

    It's not as if this was the last ever security flaw in Windows and Windows would now be entirely safe if it wasn't for this one man and his evil communist actions.

    "mouthy female" Susan Bradley evidently needs a refill on her prescription for chill pills.

  22. I. Aproveofitspendingonspecificprojects 1
    Coat

    Keeping the pirate ship afloat

    Windows has relied on shed loads of security suppliers looking after them for decades. It is about time that came to an end.

    If everyone posted their discoveries immediately not waiting 4 or 5 days the company would have to write decent stuff.

  23. Giles Jones Gold badge

    XP

    Personally I don't see why Microsoft is maintaining a 8, nearly 9 year old OS. The sooner they cut off support the sooner people move on to better things.

    1. Peter Gathercole Silver badge
      Flame

      @Giles Jones re. 8 or 9 yo OS?

      Yes the OS is this old, but even if you consider Vista GA as being the point when vendors stopped shipping XP (which it wasn't), there are computers less than three-and-a-half years old that were shipped with XP. This is not old for a consumer device, and is less than the accounting depreciation period for some companies.

      MS cannot, if they have any morals (debatable), stop supporting XP without providing a reasonably priced upgrade option. (I believe that they legally have to provide support for 10 years after ship date for any kit shipped to the US DoD or other government agencies anyway)

      Also remember that for non-gaming users, the amount of computing power required by ordinary home or office users topped out at around the 1.8GHz Pentium D. Beyond this, the extra power is just providing gloss. This means that many people with 2+GHz Pentium 4 or Athlon XP 2000 have perfectly usable systems that do not need to be replaced yet, and with the correct maintenance and care, could run for many more years.

      Any other line is just buying into the *blatant* consumerism that is driving the retail electronics market at the moment, leading to increased consumption and greater waste disposal and recycling problems that we face.

      1. The First Dave
        Boffin

        @XP age

        Actually, there are still plenty of NetBooks being sold right now, (well there were before the iPad arrived) which have XP on them by default, and still will for many more weeks.

  24. Tom 64
    Badgers

    tested...

    In Opera you at least get a prompt, but IE8 just goes ahead and runs it!

  25. joe_bruin
    FAIL

    the users get hurt

    Google and Microsoft can have a slap fight in private or public, but releasing this exploit before a patch is available is putting users at risk. The guy, likely a typical Google aspie, got his panties in a bunch because Microsoft wasn't taking him seriously, so he decided that he would show them by putting this out there and proving how right he was. I doubt he had the support of his superiors on this one.

    I'm not one to defend MS's lousy security record, but the point of the disclosure protocol is to protect the millions of people out there who use this stuff. Even those that are proactive about security may be bitten by a zero-day exploit with no patch available.

    Also, why do we not have an icon for Eric Schmidt with horns? Surely he deserves that much.

  26. Anonymous Coward
    Anonymous Coward

    Regarding the Full Disclosure Posts

    I was reading the posts...before I got to Ormandy's last response, the posts by Susan Bradley started disappearing, except one where she was answering a troll. This was as of 02:01 CDT (-5 GMT)

  27. Anonymous Coward
    Anonymous Coward

    Another one, yawn

    There's enough "security researchers" that are so fed up with corporate inaction, or worse, corporate litigation for even mentioning there might possibly be holes in their crap software, that they don't even give advance notice any longer, to anyone. That includes things like all-volunteer open source projects that _do_ make an effort to fix problems and be communicative about it.

    It might be this guy apparently leaned that way but didn't dare just dump it out in the wild. Or maybe he got impatient, goofed, and tried to cover it up with being snotty. It's often tried but rarely works. Then again, "security researchers" often are quite snotty, in one, more, all senses of the word.

    Personally, I say that giving notice with a deadline of two months is reasonable, extendable to six if the company/project/what-have-you asks nicely. Should the company have a standing track record of being non-responsive (say, three times in a row) or litigative (once is all it takes) and no public apologies, then release right away if you wish.

    But then again, why would you want to release that quickly? Why does this guy not have time to wait (and do other things in the meantime) while he does have time to look for holes in a rival's software in the first place? Whorin' for attention or something? Get back to work!

    1. copsewood
      Linux

      too long for those going somewhere

      In what sense does the fact that megacorp likes to have a 6 monthly develop-test-patch cycle on vulnerabilities mean that an individual who has discovered something embarrassing about a megacorp product has to put his/her career on hold? Supposing someone is going to be interviewed for an important security job in a fortnight's time, and publishing a week after discovery is likely to raise the security researcher's reputation? Perhaps if you were the interviewer, you might consider a week too short so he/she wouldn't get the job on grounds of poor judgement. But if the employer is open source with an agile development and patch process they would more likely consider a week adequate. So why should sclerotic and inflexible megacorp with methods stuck in the past hold up the security researcher's career?

      If megacorp is willing to compensate the security researcher to sit on something for longer than a week, generously enough to want to keep this out of his/her CV, then that would seem a fair trade.

      1. Anonymous Coward
        FAIL

        Seriously...

        ... that's such a crap argument and I can't even be bothered to explain why.

  28. Anonymous Coward
    Grenade

    idiot....

    ...the reason Patch Tuesday was done was so that admins didn't have to worry about firing patches out to 10's of thousands of PCs at completely random times. This is a thing the public led, not something MS forced upon people. Admins requested, MS listened, that's a model MANY decent software companies are now following.

    Many of the arseholes here run "networks" of 10 PCs and a FP server (maybe a web server as well) so have no worries about testing a patch against about 3 bits of software. When you have hundreds of different apps, you really want to make sure a patch ain't gonna completely f**k up the systems and cost the company millions in lost business.

    Linux, Windows, Unix, whatever, you want to make sure things are fixed in a timely manner and not rushed and screwed up.

    This sort of behaviour just smacks of a corporate spat getting out of hand, the only losers being Joe Public.

  29. Anonymous Coward
    Joke

    "Making information available"

    Isn't the Google 'raison d'être' to make information available? You know: OS exploits, your WiFi traffic, pr0n... that sort of thing.

  30. tech savvy

    Google sucks

    Google sucks.. They blatantly & admittedly have a total disrespect for users' privacy, and have been taking heat for it, and should be, therefore they are taking a stab at Microsoft to 'divert' attention from their own misdeeds. Yea, Microsoft has issues, but don't we all, and yes they are slow to fix them, but to spread *#*# on someone after only a 5 day notice.. BS. And, in the end it is the end users that mostly suffer from attacks, from getting their bank accounts to their identities stolen.

    Shame on Google!

  31. Anonymous Coward
    FAIL

    >Maintaining a 9 year old OS

    Perhaps because they have some small degree of customer care left? Yes, I know hard to believe, but never mind. Out in the real world where you have 10,000 users, 90% of whom don't give a flying **** about what version of Windows they have, they just want the frigging computers to work, the relentless upgrade cycle is becoming increasingly unproductive...

    In this bit of the public service I reckon 85% of our IT resource goes not in improving service to the taxpayer, but in keeping up with countless largely pointless upgrades just so that the environment stays something like supported. You may think this is a good use of your tax, but I find it hard to agree. If we weren't constantly upgrading some system or another - a portfolio of applications approaching 4 figures - we might be able to do something about some of the dreadful business systems, but at the moment: no chance.

  32. Lars Silver badge
    Gates Horns

    He should have waited

    But, now, perhaps, Microsoft was so kind to tell us for how long you should wait. "As long as it takes", or half a year to one year is not acceptable either.

  33. Anonymous Coward
    Anonymous Coward

    Thank F*ck it wasn't on OS X

    Would be waiting years for a response and would only be patched if you signed your pension rights over.

  34. miknik
    FAIL

    Journalism school is ace

    If I'd have written that story the most I could probably pad it out to is:

    "guy posts on forum and gets flamed by another irate internet user"

    and that's not even news is it?

  35. Jamchal
    Flame

    Think about the users

    As someone working for a company which gets its revenue and provides applications and generally has a good view in the public eye (with the exception of privacy controversies) then google and its employees should be more conscious of protecting its users.

    As undeniable, the competition factor between both Google and Microsoft, Google should still think about the protection of its users and be professional about such things as pointing out exploits which could potentially harm its own users computers.

    I'm sure a Microsoft engineer wouldn't have carried out such an unethical attempt at putting Google on the spotlight should they have a security hole in their software.

    Come on kids, play nice and think about all those who believe Windows 7 was their idea........

  36. Anonymous Coward
    Anonymous Coward

    2+2

    so putting it all together we get:

    Google gets hacked, much to the displeasure of Google it's a MS box at fault!

    Google employee discovers an exploit in the MS boxes that Google uses (or used).

    Google employee decides to publicise rapidly, much to the chagrin of MS.

    Google employee gives reason that it *could already be in the public domain*

    Question now is what does he know, that could lead to this statement, that we don't know?

    What's the betting that Google knows *exactly how* it was hacked? What's the betting that after a big hack you publicly say "yeah we know how and it's been fixed" even if you have been left scratching your head going how did they do that???

  37. James Hughes 1

    Why is this Google vs microsoft

    When my reading of it makes it

    Ormandy vs Microsoft

    He does work for Google, but does he do this security stuff in his spare time, or when actually working for Google? That fact seems to be conveniently missing from the article.

  38. Gareth Howell
    WTF?

    A fix is not a click on your fingers

    I find it interesting that people are expecting Microsoft to have a fix out in only five days. As a software developer myself I know that a fix in that time frame needs to be either:

    a) Super critical, something that is going to cost your company massive amount of money or drastically affect your customer base enough that you will just throw money and resources at it

    b) The bug is so simple that it can be found, fixed and tested in a matter of hours.

    Please remember how complex a system the operating system is. I notice above that some commenters said well XXXX open source project would have fixed it by now. One thing to remember that open source OSs do not have the same compatibility that Windows has (oh and before I get flamed I'm writing this in Firefox on Ubuntu). Microsoft will need to fix this bug and then test it against every configuration it has in its test library.

    For those of you not in software development here is how the bug might have been handled

    1) Bug gets sent into Microsoft, possibly to a dedicated bug e-mail address/contact with hundreds of other potential bugs.

    2) Someone has to go through each and every bug submitted and try and replicate the bug in their test environments.

    3) If they can replicate it then a priority would be assigned to it based on the severity of the bug, ease of exploitation, what can be done with the exploit etc.

    4) The bug gets picked up by the developer/development team as long as there is no higher priority bug. The developer then needs to step through the code while using the exploit to see what needs to be fixed. Simply saying it is related to the white list of the Help tool isn't as big a help as you might think.

    5) The developer fixes the code

    6) The tester tests the fix against the original issue and sees if it fixes the issue without raising new ones. They'll have a list of tests that they will need to run on this functionality.

    7) The tester, or more likely a team of testers, will test the fix across multiple configurations of Windows to see if this fix breaks any other element of the OS. This is called regression testing.

    8) Prepare fix for release.

    Now if anyone believes they can do that in five days, then I suggest you submit your CV to Microsoft ASAP. My experience is with web sites, but I would estimate that you're looking at at least two weeks for a fix, if the bug has a sufficiently high priority.

    As posters above have also pointed out you would then have weeks until the fix would have been rolled out sufficiently.

    The person who found this fix was irresponsible to the point of criminality for releasing the details of this issue when Microsoft is probably still trying to confirm the issue and give it a priority.

  39. Shakje

    Come on seriously

    How many of the people who have posted above have any experience with the software lifecycle? It normally takes us about 2 days at least for the call to get through bureaucracy and resourcing to be fixed, then another day at least to fix and do developer testing on, then another day at least to do testing on it. Considering the size of MS, the state of the Win32 APIs, and the size of their customer base, I don't really see any reason to think that 5 days is an acceptable time period, unless you want them to start pushing fixes out the door untested and undocumented.

    1. Arion

      Yes - seriously

      I understand what Shakje is saying, but he's missing the point.

      I expect a company with the resources that Microsoft has behind it, to drop everything and get this security vulnerability fixed, tested, documented, and out the door in 2 hours flat.

      It shouldn't take 5 hours, let alone 5 days, and certainly not 5 weeks to get a security vulnerability patch out the door.

      1. Tom Thomson
        FAIL

        Yes - seriously

        I understand what Arion is saying and consider that he is demonstrating that he has no experience of diagnosing problems in large scale complex software and preparing fixes that do not cause regression in any of the numerous configurations and environments that the software has to work in.

        Clearly too Arion has never come across a bug that was a symptom of a serious design defect and required thousands of lines of code to be replaced, since no-one (not even Arion, I venture to suggest) writes thousands of lines of code to fit into a complex environment, tests it thoroughly, wraps it up in a fix installer package, and ships it in two hours flat. Or does Arion somehow know that the loopholes that this hack exploits are not such as to require such a large-scale change to the software?

  40. Tom Thomson
    Flame

    Evasive weaseling

    Ormandy was asked three times whether he had had any response from MS to his report and has refused to answer this question, twice substituting a blatant ad hominem attack on the person asking the question and the third time not responding at all. I think that says it all - he's not interested in responsible full disclosure, only in making as much trouble as possible. I guess the numerous commenters who support his action haven't read the thread at the full disclosure site, they just saw an opportunity to say "isn't MS awful" yet again and jumped on it without bothering to verify anything - particularly the idiots who asserted that Ormandy had received no response, which seems a strange thing to believe when he's using personal abuse to weasel out of answering that question.
