Last bug Ormandy disclosed took three years to get fixed by MSFT after private disclosure

Google Inc. (GOOG) engineer Tavis Ormandy has a tough job tracking down security flaws across Google's various software products and the Android operating system.  In his free time he enjoys poking around in rival operating systems and finding clever low-level exploits.

I. Google Engineer's Discovery Leads to Internet Explorer Hack

Now Mr. Ormandy is at the center of a firestorm of controversy after he chose to disclose a security flaw in a graphics-related Windows library without first telling Microsoft Corp. (MSFT).

Microsoft confirmed this month that it had seen "targeted attacks" on its Internet Explorer browser in the wild that appear to use Mr. Ormandy's detailed insight on the flaw, which he posted to his personal blog on May 15.  The timing of the disclosure meant that Microsoft would be unable to publish a “Patch Tuesday” fix in May, as that falls on the second Tuesday of each month.

Microsoft wasn't exactly fist-bumping Mr. Ormandy about his disclosure.
[Image Source: ExtremeTech]

Microsoft then had four weeks to patch the flaw before the June Patch Tuesday.  But that set of updates came and went with nary a patch from Microsoft.  Microsoft also failed to deliver an off-cycle patch in late June.  By the start of July, hackers had begun to attack users with malicious page code, which affected Internet Explorer 6, 7, 8, 9, and 10.  The attack code appears to be based on Mr. Ormandy's detailed explanations and published exploit code.

Microsoft's IE browser has been under attack due to a critical bug found by a Google researcher.  [Image Source: LILkillaBees Blog]

At that point, Microsoft finally published a patch.  That patch landed this last Tuesday (July's Patch Tuesday).  Now the cries of condemnation and consternation against Mr. Ormandy have begun.  But many of his critics seem either confused about the story's details or to have a personal ax to grind with the Google engineer.

II. Media Gets Confused on the Timeline of Events

For example, ZDNet's Zach Whittaker writes:

Ormandy should not have disclosed the issue publicly, putting real businesses and people at risk by accelerating hackers' ability to exploit the flaw. He put his ego above the safety of the people he sought to protect, and there's little to defend that.

But he bases this on a seriously flawed premise, writing:

Microsoft admitted this week that hackers had launched "targeted attacks" against its customers by exploiting a bug publicly disclosed by a Google engineer in June.... In fairness, the software giant had a fairly short runway to make the fix available: just six days before it was scheduled to issue its monthly security update.

But that's entirely wrong.  Mr. Ormandy didn't publish on June 4.  He published on Wed. May 15 on his blog and on the "Full Disclosure" security mailing list on Fri. May 17.  Just in case you don't believe the dates on those posts, check out the piece The Verge ran on the disclosure back on May 23.

Tavis Ormandy's private warnings to Microsoft have gone ignored by Microsoft in the past.
[Image Source: HITBSecPhotos]

In fact, the public first got wind of the underlying flaw (albeit not knowing its severity) back on Mar. 5, when he posted about its discovery on Twitter.

III. Ex-Sophos Expert Lashes Out at Ormandy

Another broadly cited criticism comes from Graham Cluley, who's described by Reuters as an "independent security researcher".  He comments, "It leaves a slightly bad taste in the mouth to see somebody who is a Google security researcher have a pop at Microsoft."

But it turns out Graham Cluley isn't so "independent".  He was a long-time employee of Sophos [source] -- an antivirus company that Mr. Ormandy recently publicly criticized.

One former Sophos employee chose to lash out regarding Mr. Ormandy's disclosure, after Mr. Ormandy had publicly criticized his former employer. [Image Source: Forbes]

In the Sophos case, Mr. Ormandy had disclosed a flaw privately to Sophos and worked with them to fix it; however, he was unhappy with the process, writing in an email to a UK security mailing list:

Sophos claim that their products are deployed throughout healthcare, government, finance, and even the military.  The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.

The source of Mr. Ormandy's frustration lay largely in the company's slowness in patching.  He had originally revealed the flaw in September, yet it took until November 2012 for a partial patch, and February 2013 for a full patch.

He also took issue with Sophos's underlying business model, remarking, "It is simply inexcusable to disable ASLR [address space layout randomization] systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft."

Basically, Sophos had taken Windows' built-in memory protections and disabled them by default, peddling its own troubled alternatives to customers.  Given that Mr. Cluley directly interacted with Mr. Ormandy regarding the Sophos vulnerabilities and bore the brunt of his criticism, he seems like anything but an unbiased "independent" party to get quotes on the Microsoft disclosure from.

IV. Why Didn't Mr. Ormandy Tell Microsoft in Advance?  Here's Why

All that said, maybe what Mr. Ormandy did -- what any full disclosure researcher does -- is wrong on some level, as Mr. Whittaker suggests.  But Mr. Ormandy does offer a pretty compelling defense of his reasoning, writing:

Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself.

His problems with Microsoft seem to go back at least a couple of years, as documented in this post on his blog.  Basically, Mr. Ormandy privately disclosed some bugs he found back in 2009 to Microsoft.  But Microsoft never fixed the bugs.  To add insult to injury, a Microsoft "expert" in Dec. 2012 posted that the scenario Mr. Ormandy had privately outlined was "impossible" in Windows.  Mr. Ormandy posted a comment under the handle "Axxan" rebuking him.

Shortly after, Microsoft patched the bug.  Mr. Ormandy explains why in his blog, writing:

I think I figured it out, here is the attack I think Microsoft realised before I did:
  • From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.
  • Use keybd_event to send Win+Shift+[1 ... 9]
  • Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.
  • Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.
  • Drive the command prompt to send any new command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.
Apparently Packetstorm are offering a reward for a working implementation of this, so be my guest if you want to practice your Win32 scripting skills.

Microsoft did not thank Mr. Ormandy or cite him in their patch post on that bug.

Say what you will about Mr. Ormandy's full disclosure, but it got a fast fix from Microsoft unlike his past private disclosures. [Image Source: unknown]

So say what you will about Mr. Ormandy, but consider his last experience with Microsoft:
  • He asked them to patch something, and three years later they still weren't even acknowledging there was a problem
  • They gave him no credit when a patch was published
  • His employer Google has been hacked in the past via unpatched flaws in Internet Explorer
Given that kind of behavior, is Mr. Ormandy's role in the IE bug scandal really worth condemnation?  After all, some people were attacked, but this time around Microsoft patched the flaw in under two months, rather than taking over three years.

Sources: Tavis Ormandy [blog], Reuters