

Tavis Ormandy  (Source: flickr)
Tavis Ormandy said Microsoft is difficult to work with regarding these issues

A Google engineer has called Microsoft out on a recent security flaw in the Windows operating system, and even said that the Windows creator is hostile toward third-party vulnerability researchers.

Tavis Ormandy, a Google security engineer, disclosed the flaw on the Full Disclosure mailing list. The vulnerability, in the Windows kernel driver "Win32k.sys," was posted to the list on May 17.

Before that, Ormandy revealed the flaw on GitHub back in March in hopes of bringing other security researchers on board to investigate. 

Ormandy said on Full Disclosure, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."

Ormandy posted on Full Disclosure yet again on Monday, saying "I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools."

Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."

Microsoft has been annoyed with Ormandy for publicly discussing vulnerabilities before they could be patched. Microsoft prefers "responsible disclosure," where security experts are asked to report flaws privately to the company.

"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with," said Ormandy. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Source: ComputerWorld






Ormandy
By ipay on 5/23/2013 11:50:53 AM , Rating: 5
"I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Interesting suggestion given the context and considering Tor has vulnerabilities.

I'm sure things would have gone smoother had he done the respectable thing and notified MS first like most other researchers of these matters do.




RE: Ormandy
By AlphaVirus on 5/23/2013 11:57:01 AM , Rating: 5
quote:
I'm sure things would have gone smoother had he done the respectable thing and notified MS first like most other researchers of these matters do.


Yep, he acts very immature about this entire situation. Why would you release it to college students before sending it directly to Microsoft? It sounds like this kid is an attention whore.


RE: Ormandy
By Mitch101 on 5/23/2013 12:09:38 PM , Rating: 5
Dear Tavis Ormandy, we apologize for not responding sooner, as the developer has a date with a girl.

We realize this may require additional explaining by your subsequent e-mails and your need to share this with others that are also not equally interested in the female species.

We highly recommend doing this sometime instead of staying home looking for code issues and thinking this is a higher priority than going outside once in a while.

Microsoft


RE: Ormandy
By Obujuwami on 5/23/2013 12:12:41 PM , Rating: 5
He's doing it for his employer...so Google can make MS look stupid. No big shock there as they are rivals and they want to make each other look inept or hostile.


RE: Ormandy
By Ammohunt on 5/23/2013 1:39:50 PM , Rating: 5
Well, I would buy that if Google software was sooo perfect as to not have security flaws. There is a big Karma trap in running down a competitor in this fashion.


RE: Ormandy
By Stephen! on 5/23/2013 2:01:41 PM , Rating: 2
quote:
Google can make MS look stupid


Seems like Microsoft is perfectly capable of doing that on their own.


RE: Ormandy
By Reclaimer77 on 5/23/2013 2:19:54 PM , Rating: 1
I seem to remember a certain below the belt "Scroogled" smear campaign running first...


RE: Ormandy
By lanceredel on 5/24/2013 9:37:16 PM , Rating: 5
I think the salvo "don't be evil" was first in this relationship.


RE: Ormandy
By Omega215D on 5/23/2013 3:03:44 PM , Rating: 2
"I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."

Fat boy needs to go back to the basement and stuff his face with cheetos as google code isn't all that either.

I'm still bitter about Google only wanting to hire those from prestigious colleges despite there being plenty of programming talent in "lesser" colleges. Granted, this was a long time ago but it hurts when you get told that you're not talented because you didn't go to some snot nosed school.


RE: Ormandy
By crispbp04 on 5/23/2013 3:58:46 PM , Rating: 3
"Microsoft is hostile" coming from a Google engineer who disclosed an exploit that affects hundreds of millions of users.


RE: Ormandy
By HrilL on 5/23/2013 6:00:53 PM , Rating: 2
You mean over a billion users. It works on all versions of Windows. It's 20+ year old code. Joys =)


RE: Ormandy
By Darksurf on 5/23/2013 11:30:46 PM , Rating: 1
I'm a linux user... So make that Over a 1,000,000,000 - (one + other linux users) ;)


RE: Ormandy
By talikarni on 5/23/2013 4:27:22 PM , Rating: 1
If DT would have reported the entire story, you would know that he tried to contact MS privately but they flat out refused to hear what he had to say or admit there was any bug, so he had to go public with it.


RE: Ormandy
By ipay on 5/23/2013 4:48:14 PM , Rating: 4
Given he has a history of dick moves like this, that claim is suspect.


RE: Ormandy
By amelia321 on 5/29/13, Rating: 0
RE: Ormandy
By Wombat_56 on 5/30/2013 9:36:39 PM , Rating: 2

quote:
"I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Interesting suggestion given the context and considering Tor has vulnerabilities.

I'm sure things would have gone smoother had he done the respectable thing and notified MS first like most other researchers of these matters do.


I don't know about Microsoft, but there have been many other instances where people revealing security bugs have been threatened with legal action. Seems like good advice to me. And while Tor may not be perfect, it still provides a good degree of protection.


Fire the guy...
By SecDriver on 5/23/2013 6:37:12 PM , Rating: 3
This guy should be fired - for putting millions of people at risk. Responsible disclosure is *not* an option to work in today's security community. His claim that Microsoft ignored him is highly doubtful, as I know many in the Windows Security realm - and today they all care - a lot.




Microsoft is a lazy SOB!!!
By tecknurd on 5/24/2013 12:27:54 AM , Rating: 2
Tavis Ormandy should not have posted his program that exploits the Windows kernel driver on GitHub. Posting on GitHub gives everybody access to the program.

Microsoft should not always use its PR speak with third-party security researchers. Microsoft should acknowledge third-party security researchers' skills and figure out how severe the security threat is. An exploit that makes the kernel vulnerable is a huge, major security risk. The kernel in an operating system is the main engine. This means Microsoft is not taking the exploit seriously enough. Microsoft should stop what they are doing with other projects and fix it ASAP. Who cares if Microsoft programmers have to work 24 hours to fix the issue. The issue is an absolute severity.




Microsoft lol
By Argon18 on 5/23/13, Rating: -1
RE: Microsoft lol
By EasyC on 5/23/2013 11:46:01 AM , Rating: 5
Apple has no security flaws, because it has no security. What a revolutionary, magical idea.


RE: Microsoft lol
By Cheesew1z69 on 5/23/2013 12:03:14 PM , Rating: 3
God, don't feed it! Ugh...


RE: Microsoft lol
By quiksilvr on 5/23/2013 12:43:01 PM , Rating: 2
RE: Microsoft lol
By Cheesew1z69 on 5/23/2013 1:00:52 PM , Rating: 1
lol


RE: Microsoft lol
By ipay on 5/23/2013 1:03:06 PM , Rating: 2
You don't pee on hospitality!


RE: Microsoft lol
By Argon18 on 5/23/13, Rating: -1
RE: Microsoft lol
By crispbp04 on 5/24/2013 9:40:55 AM , Rating: 1
Let's hear about your awesome technologically advanced life. Fill us in on your awesomeness. I want a full bio, educational background, employment history.. the works.


RE: Microsoft lol
By Apone on 5/23/2013 12:48:21 PM , Rating: 3
@ Argon18

You sure you want to open that door?

http://www.dailytech.com/Apples+OS+X+is+First+OS+t...

http://www.informationweek.com/security/vulnerabil...

http://www.zdnet.com/blog/security/apple-plugs-28-...

I could post more links but I'm sure you get the point.

@ Cheesew1z69

Sorry, couldn't resist and I have to agree with EasyC; I'm not a MS fanboy but this type of security ignorance is disturbing.


RE: Microsoft lol
By Argon18 on 5/23/13, Rating: -1
RE: Microsoft lol
By Fleeb on 5/23/2013 6:10:02 PM , Rating: 2
quote:
Redmond Cheerleading squad makes

quote:
Sorry, couldn't resist and I have to agree with EasyC; I'm not a MS fanboy but this type of security ignorance is disturbing.


Funny what assumptions people make.


RE: Microsoft lol
By Apone on 5/23/2013 10:54:42 PM , Rating: 2
@ Argon18

quote:
Why do people still use that crap?


Because there's another large mass of ignorant, non-techy common folk "Average Joe" computer users who are fully aware of both Windows and OS X's security flaws and choose to use neither?

@ Fleeb

My apologies for the assumption, force of habit I guess, LOL.


FIFY
By DT_Reader on 5/23/13, Rating: -1
Copyright 2015 DailyTech LLC.