
Last bug Ormandy disclosed took three years to get fixed by MSFT after private disclosure

Google Inc. (GOOG) engineer Tavis Ormandy has a tough job tracking down security flaws across Google's various software products and the Android operating system.  In his free time he enjoys poking around in rival operating systems and finding clever low-level exploits.

I. Google Engineer's Discovery Leads to Internet Explorer Hack

Now Mr. Ormandy is at the center of a firestorm of controversy after he chose to disclose a security flaw in a graphics-related Windows library without first telling Microsoft Corp. (MSFT).

Microsoft confirmed this month that it had seen "targeted attacks" on its Internet Explorer browser in the wild that appear to use Mr. Ormandy's detailed insight on the flaw, which he posted to his personal blog on May 15.  The timing of the disclosure meant that Microsoft would be unable to publish a “Patch Tuesday” fix in May, as that falls on the second Tuesday of each month.

Microsoft wasn't exactly fist-bumping Mr. Ormandy about his disclosure. [Image Source: ExtremeTech]

Microsoft then had four weeks to patch the flaw before the June Patch Tuesday.  But that set of updates came and went with nary a patch from Microsoft.  Microsoft also failed to deliver an off-cycle patch in late June.  By the start of July, hackers had begun to attack users with malicious page code, which affected Internet Explorer 6, 7, 8, 9, and 10.  The attack code appears to be based on Mr. Ormandy's detailed explanations and published exploit code.

Microsoft's IE browser has been under attack due to a critical bug found by a Google researcher.  [Image Source: LILkillaBees Blog]

At that point, Microsoft finally published a patch.  That patch landed this last Tuesday (July's Patch Tuesday).  Now the cries of condemnation and consternation against Mr. Ormandy have begun.  But many of his critics seem either confused about the story's details or to have a personal ax to grind with the Google engineer.

II. Media Gets Confused on the Timeline of Events

For example, ZDNet's Zack Whittaker writes:

Ormandy should not have disclosed the issue publicly, putting real businesses and people at risk by accelerating hackers' ability to exploit the flaw. He put his ego above the safety of the people he sought to protect, and there's little to defend that.

But he bases this on a seriously flawed premise, writing:

Microsoft admitted this week that hackers had launched "targeted attacks" against its customers by exploiting a bug publicly disclosed by a Google engineer in June....In fairness, the software giant had a fairly short runway to make the fix available: just six days before it was scheduled to issue its monthly security update. 

But that's entirely wrong.  Mr. Ormandy didn't publish on June 4.  He published on Wed. May 15 on his blog and on the security website's "Full Disclosure" mailing list on Fri. May 17.  Just in case you don't believe the dates on those posts, check out the piece The Verge ran on the disclosure back on May 23.

Tavis Ormandy's private warnings to Microsoft have gone ignored by Microsoft in the past. [Image Source: HITBSecPhotos]

In fact, the public first got wind of the underlying flaw (albeit not knowing its severity) back on Mar. 5, when he posted about its discovery on Twitter:

III. Ex-Sophos Expert Lashes Out at Ormandy

Another broadly cited criticism comes from Graham Cluley, who is described by Reuters as an "independent security researcher".  He comments, "It leaves a slightly bad taste in the mouth to see somebody who is a Google security researcher have a pop at Microsoft."

But it turns out Graham Cluley isn't so "independent".  He was a long-time employee of Sophos [source] -- an antivirus company that Mr. Ormandy recently publicly criticized.

One former Sophos employee chose to lash out regarding Mr. Ormandy's disclosure, after Mr. Ormandy had publicly criticized his former employer. [Image Source: Forbes]

In the Sophos case, Mr. Ormandy had disclosed a flaw privately to Sophos and worked with them to fix it; however, he was unhappy with the process, writing in an email to a UK security mailing list:

Sophos claim that their products are deployed throughout healthcare, government, finance, and even the military.  The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.

The source of Mr. Ormandy's frustration lay largely in the company's slowness in patching.  He had originally revealed the flaw in September, yet it took until November 2012 for a partial patch, and February 2013 for a full patch.

He also took issue with Sophos's underlying business model, remarking, "It is simply inexcusable to disable ASLR [address space layout randomization] systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft."

Basically, Sophos had taken Windows' built-in memory protections and disabled them by default, peddling its own troubled alternatives to customers.  Given that Mr. Cluley directly interacted with Mr. Ormandy regarding the Sophos vulnerabilities and bore the brunt of his criticism, he seems like anything but an unbiased "independent" party to get quotes on the Microsoft disclosure from.

IV. Why Didn't Mr. Ormandy Tell Microsoft in Advance?  Here's Why

All that said, maybe what Mr. Ormandy did -- what any full disclosure researcher does -- is wrong on some level, as Mr. Whittaker suggests.  But Mr. Ormandy does offer a pretty compelling defense of his reasoning, writing:

Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself.

His problems with Microsoft seem to go back at least a couple of years, as documented in this post on his blog.  Basically, Mr. Ormandy privately disclosed some bugs he found back in 2009 to Microsoft.  But Microsoft never fixed the bugs.  To add insult to injury, a Microsoft "expert" in Dec. 2012 posted that the scenario Mr. Ormandy had privately outlined was "impossible" in Windows.  Mr. Ormandy posted a comment under the handle "Axxan" rebuking him.

Shortly after, Microsoft patched the bug.  Mr. Ormandy explains why in his blog, writing:

I think I figured it out, here is the attack I think Microsoft realised before I did:
  • From a Low Integrity process, spawn a cmd.exe and wait for explorer to add it to the task list.
  • Use keybd_event to send Win+Shift+[1 ... 9]
  • Explorer will spawn a new cmd.exe, which will inherit Medium Integrity from explorer.
  • Use SendMessage with HWND_BROADCAST to send WM_CHAR messages.
  • Drive the command prompt to send any new command you want, along with some ASCII art skulls to make it look like a scene from a Hollywood movie.
Apparently Packetstorm are offering a reward for a working implementation of this, so be my guest if you want to practice your Win32 scripting skills.

Microsoft did not thank Mr. Ormandy or cite him in their patch post on that bug.

Say what you will about Mr. Ormandy's full disclosure, but it got a fast fix from Microsoft unlike his past private disclosures. [Image Source: unknown]

So say what you will about Mr. Ormandy, but consider his last experience with Microsoft:
  • He asked them to patch something, and three years later they still weren't even acknowledging there was a problem
  • They gave him no credit when a patch was published
  • His employer Google has been hacked in the past via unpatched flaws in Internet Explorer 
Given that kind of behavior, is Mr. Ormandy's role in the IE bug scandal really worth condemnation?  After all, some people were attacked, but this time around Microsoft patched the flaw in under two months, rather than taking over three years.

Sources: Tavis Ormandy [blog], Reuters


Prima donna
By OoklaTheMok on 7/10/2013 6:14:26 PM , Rating: 5
Gotta love the timing of this.

A security researcher delays publishing a complete exploit of Android for six months. Well beyond the usual and customary timeframe so that google can issue a fix. Yet this google security researcher goes all lone wolf, actual end-users are impacted by his carelessness and he ends up whining about it.

The thing that lots of people fail to understand is that no two security exploits are the same. Some may be easy quick fixes, while others require much more engineering time to ensure the implemented fixes do not have undesirable consequences for both users and third-party software.

Google got 6 months to fix their issue, and they don't even have to worry about negatively impacting paying customers.

RE: Prima donna
By andrewaggb on 7/10/2013 6:39:48 PM , Rating: 3
yeah the irony of the timing is pretty awesome.

I totally agree, disclose in private, give 6 weeks or a date with a similar timeline in their regular upgrade/patch cycle, then publicly disclose.

RE: Prima donna
By JasonMick on 7/10/13, Rating: 0
RE: Prima donna
By artemicion on 7/10/2013 7:52:58 PM , Rating: 2
Here is the major flaw in your defense of Mr. Ormandy:

Mr. Ormandy believes Microsoft will not take a private warning regarding the security flaw seriously.

If this were true, it stands to reason that Microsoft will not initially take a public warning about the security flaw seriously. In either case, Microsoft is given the same information and their response to that information, whether it be via private or public channels, will likely be the same. While I acknowledge some room for debate here, I find it unlikely that the blog post itself would have triggered a different response from Microsoft.

So, most likely, the event that triggered Microsoft's acceleration of a patch is the point in time when hackers began to actively exploit the security flaw.

Accepting this premise, it is likely that Mr. Ormandy's actions did not produce a net benefit and in fact Mr. Ormandy's actions produced a likely detriment. If Mr. Ormandy privately disclosed the security flaw or even stayed silent, it is possible that (1) Microsoft slowly but surely patches the flaw before it is exploited, (2) the flaw is never exploited, or (3) Microsoft does not patch the flaw until it is actively exploited by hackers.

Two of those scenarios are superior to the scenario caused by Mr. Ormandy (public disclosure + active exploitation prior to the patch). The third scenario is roughly equal to the scenario caused by Mr. Ormandy, because in both cases, the security flaw is exploited which triggers acceleration of the patch.

In sum, I have a hard time believing Mr. Ormandy's actions were in the greater good in this case.

RE: Prima donna
By deeceefar2 on 7/10/2013 11:38:57 PM , Rating: 2
You missed a scenario which is the one ormandy is trying to protect against. (4) the flaw is already actively exploited by hackers, but Microsoft is unaware, assumes the flaw is not actively exploited and goes about doing nothing

They don't know if the flaw has been used, and if so it seems that if there is a hole someone could be using it, and it needs to be fixed.

I understand the frustration, you know there is a bug in a piece of closed source software, and there is nothing you can do to fix it, and the company responsible for the code isn't fixing it. When you disclose it other people using the software jump on the bandwagon and demand it gets fixed. If you suffer in silence then you're at the whim of the company alone.


RE: Prima donna
By althaz on 7/10/2013 10:34:49 PM , Rating: 1
Sure, but the exploits didn't land until about 7 weeks or so. It took Microsoft 9 weeks to patch. So keeping it private for 6 weeks wouldn't necessarily have helped.

By your own logic, that means that if 6 weeks were given to Microsoft, exploits would have been 4 weeks away by the time the patch came out.

It's straight-up immoral to publish exploits without giving the company who makes the software any time to fix it. You cannot defend his actions as he is squarely in the wrong.

btw, of course the flaw was old, they almost always are. For a couple of reasons: a) it can take a very long time to find flaws (this one, as you point out, took over a decade to find) and people used to be much worse at coding for security.

RE: Prima donna
By Fleeb on 7/11/2013 12:02:01 AM , Rating: 2
How come when Apple does stuff like this everyone jumps on the war wagon, but when Microsoft or Google is slow at patching they get a free pass from the loyal fans?

Because Apple is supposed to be perfect that all they do is well researched, well engineered, and well tested before going into the hands of the customers. That is why people do not mind paying a lot of premium for products that are so well done. I, for one, never heard about that for MS or GOOG.

RE: Prima donna
By Gurthang on 7/11/2013 9:39:24 AM , Rating: 2
It was an ego thing for this guy and that's it, if what you are interested in is protecting the public then whining about not getting credit and engaging in antics to get "your problem" priority unless you know the public is actually being attacked by this is just theatre. I know MS often is not the easiest to work with but they do listen, the problem is that despite their size there is only so many people they have who can do this sort of "patch work" and a huge interdependent codebase to protect and maintain. Therefore they MUST prioritize their efforts and cannot fix everything they hear about in just 6 weeks or sometimes 6 months. And by forcing them to address your issue which prior to your discovery and announcement had no known active exploits what other critical flaws are now not getting worked on which are just as dangerous if not more so.

It is ethically bad and this researcher deserves to be slapped hard. Yea he had a hard time convincing MS to take an exploit of his seriously, so he then does something irresponsible, he finds something in Sophos and bitches loud and hard about them. I am starting to see a pattern, I could be wrong but I think this guy needs to re-think how he works with the companies he is "helping".

As to the Apple patch bashing.. At least personally I feel that has got to do with all the years they trumpeted loud and in the public how "perfect" they are and how they "just work". So obviously when flaws are found and they do their best to repress discussion about them it comes off as being not entirely honest and a bit of a hypocrite which people love to bash them for.

The google Android flaw needs to be fixed yesterday.. My long standing gripe with Android is how hard it is to get updates to the OS so I am not holding my breath on how long it'll be before my phone gets the "fix".

RE: Prima donna
By JasonMick on 7/10/2013 6:39:54 PM , Rating: 1
A security researcher delays publishing a complete exploit of Android for six months. Well beyond the usual and customary timeframe so that google can issue a fix. Yet this google security researcher goes all lone wolf, actual end-users are impacted by his carelessness and he ends up whining about it.
Point well made on the Android bug, but where do you get that he [Mr. Ormandy] was "whining about it"?

His criticism of Microsoft's policy towards sec researchers was a reiteration of a criticism he posted a few months before the publication of the current vulnerability in question. Even if you're referring to his most recent criticism, that was published before he knew what impact the disclosure would have on people.

I assume he hoped that MSFT would patch the vulnerability on the June Patch Tuesday. If they had, no one would likely have been affected.

If anything he's been on the defensive regarding his actions -- a lot of other individuals are whining about what he did, he's been keeping pretty quiet.

I agree Google is no saint on security issues, but remember Google has a vested interest in pressuring Microsoft to patch quicker (and vice versa) as both companies command a large share in the respective markets and hence flaws in either's OS products represent a serious risk to the other's security efforts.

I feel that it'd be defensible for a Microsoft engineer to (on his own time) disclose vulnerabilities in Android. If Google failed to patch the known vulnerability of Android, the onus would primarily be on Google.

It's nice to advocate fully private disclosure, but history has shown that to be ineffective as companies are only moderately concerned about keeping their users secure. You also have to consider that when it comes to some bugs a certain security manager may simply refuse to believe they're as dangerous as the outside party says until it smacks them in the face in the form of user exploits.

Full disclosure, or at least short notice then full disclosure, is in many cases the ONLY way to get companies to act in a timely fashion to take some threats seriously.

RE: Prima donna
By artemicion on 7/10/2013 7:09:04 PM , Rating: 2
The "inefficacy" argument is BS. If I think there are fire hazards in my office building, that doesn't mean I'm justified in setting the building on fire to get the owner to fix them faster. If I think a crosswalk is dangerous, that doesn't mean I can run over a few pedestrians to get the city to fix it faster. Doesn't matter if the owner/city doesn't believe my warnings. Causing mayhem to prove my point isn't justified.

RE: Prima donna
By zozzlhandler on 7/10/2013 7:37:34 PM , Rating: 2
Your argument is the real BS. Using your example, there are fire hazards in your office. Someone noticed and posted the problem publically. A local firebug said "Whee, I can hurt some people!" and set a fire.

The only guilty party here is the one who set the fire.

The only person to blame here is the cracker who released an exploit.

The person reporting a security issue does not "cause mayhem" by reporting publically.

Those who seek to exploit the flaw for their own purposes "cause mayhem".

It may be inadvisable to report a flaw in such a way, but it was also inadvisable for the software to be released with such a flaw in the first place, and certainly more culpable than reporting a flaw (after all, sooner or later, someone else would have discovered the flaw).

We need to make sure that all software companies put the highest priority on patching security flaws, which obviously has not been the case before. Enough of blaming the messenger.

RE: Prima donna
By flyingpants1 on 7/10/2013 7:49:59 PM , Rating: 1
Haha, what a stupid analogy.

No, finding and releasing an actual exploit with full disclosure is nowhere near the same thing as posting about a fire hazard. It's more akin to researching and creating full blueprints to a firebomb and posting them everywhere.

RE: Prima donna
By artemicion on 7/10/2013 7:57:02 PM , Rating: 2
It may be inadvisable to report a flaw in such a way...

Dude, you just agreed with my point. I fail to see why you are attacking my analogy. I never tried to defend Microsoft in any way. My only point was that it is inadvisable to make the problem worse by reporting the flaw in a manner that might trigger a malicious third party to exploit it.

Responsible disclosure is important
By Labotomizer on 7/10/2013 5:46:53 PM , Rating: 3
I think he handled this poorly BUT MS is certainly no saint either. They have improved over the years but it's still a problem at times. I'm all for, and sorry for being unable to recall the proper term (or search for it), the method of disclosure where you report it privately and after a certain amount of time you publicly disclose. Many are pushing for 3-6 weeks, although I think it should be 6 weeks due to regression testing, etc. So, you find a flaw in IE or Windows, you report it to MS. If they haven't fixed it in 6 weeks then you publicly disclose the flaw. It ultimately would serve the same result, only they would likely have the fix done or nearly finished at that point.

I know Google doesn't really seem to care about regression testing. Chrome updates so fast that our company has decided to no longer officially support it for users, even though it used to since so many IT people like it. One day it works fine with SalesForce, next day it doesn't. Same with numerous other business sites. Proper regression testing would prevent this but it's more important to meet some arbitrary cyclic update schedule than to properly test these updates.

Sad but true...

By kingmotley on 7/10/2013 7:17:33 PM , Rating: 2
Odd that you mention that considering that I just committed a change in the past hour to our codebase because Chrome version 28 just broke it. Worked fine in Chrome 27, Firefox, Safari, and IE. Just chrome, and just the latest version that was just released.

RE: Responsible disclosure is important
By Monkey's Uncle on 7/11/2013 8:44:12 AM , Rating: 3
There is a community called PSIRT (Product Security Incident Reporting Team) maintained by every major software or hardware company, whose entire existence is to be a reporting and management vehicle for security vulnerabilities in their products. Cisco has one, IBM has one, Adobe has one, Huawei, Alcatel, Oracle and yes, Microsoft has one. The PSIRT teams for each of these companies routinely converse with the PSIRT teams of the other companies to ensure security vulnerabilities uncovered in products are efficiently and immediately addressed.

(speaking from professional experience here) Believe me anything that comes in via PSIRT gets executive level exposure and immediate attention. These PSIRT groups are accountable to their company executives and believe me, any vulnerability that is reported through that team gets top attention from everyone in that company from the CEO right on down. No software developer creating a SIRT fix wants to explain to the company's board why the product still has an unfixed vulnerability more than 30 days after it was publicly reported.

I have a feeling if this guy had approached Microsoft's PSIRT team, there would have been a patch published as soon as it could have been written and tested. It would not have waited for the monthly "Patch Tuesday".

RE: Responsible disclosure is important
By lexluthermiester on 7/12/2013 10:17:56 PM , Rating: 3
Interesting point of view. However, you are missing one key point. Vulnerabilities, such as the one discussed in this article, are likely to be deliberate on the part of MS, IE a backdoor left in place on purpose. This is also likely to be the reason that it was disclosed publicly. Microsoft didn't want to "fix" its backdoor. So the discloser forced their hand on the matter.

When the heck are people going to learn to see the forest for the trees? I mean really, it doesn't take much more than the intellect of an earthworm to figure this one out folks. Things that make you go Hmmm, indeed!

RE: Responsible disclosure is important
By Piiman on 7/13/2013 1:17:57 PM , Rating: 2
You haven't figured anything out. You've just exposed your silly paranoia.

By lexluthermiester on 7/13/2013 8:06:07 PM , Rating: 2
And you have just revealed your woeful IQ. Good Luck with that.

By artemicion on 7/10/2013 6:33:55 PM , Rating: 5
Why does this unusually long-winded article bend over backwards to defend this guy? IMO none of the excuses are persuasive. The guy should've notified Microsoft privately and should not have exposed the flaw publicly, end of story. Doesn't matter if Microsoft sits on the information for too long--that's a separate issue.

If my neighbor accidentally leaves his garage door open, it doesn't matter if I warned him about it before and it doesn't matter how long he takes to close it. It's just plain wrong to publicize the vulnerability to the public. Doesn't matter if my neighbor didn't thank me in the past. Doesn't matter if my neighbor didn't acknowledge the problem. Doesn't matter if I've been attacked in the past due to my neighbor's carelessness (this justification doesn't even make sense--publicizing the exploit is only going to make Google more vulnerable to future IE hacks).

RE: Bias
By Monkey's Uncle on 7/11/2013 8:49:54 AM , Rating: 3
There are channels to use for reporting vulnerabilities outside of the public eye in every major tech company. This guy knew of the existence of those channels but chose to publicly disclose this vulnerability rather than use them.

Companies do not sit on vulnerabilities reported through the correct channels because they are not entirely private. All major tech companies will see vulnerabilities reported in this manner and will force the offender to act upon them at the executive level.

The only people that don't see vulnerabilities reported this way is the general public -- as it should be.

RE: Bias
By Visual on 7/11/2013 9:20:58 AM , Rating: 3
Um. For your analogy to be correct, it needs a slight modification.

Your neighbor is a landlord for several apartments and has left the keys to all of them where anyone who notices may take them. Your claim is that you should tell only him and not his tenants, even if he refuses to do anything about it. Sensible people see it differently, and will warn the tenants, hoping that may force the landlord to correct the situation or give tenants the chance to come up with some protection by themselves, even though that may also allow one of them to rob some of the others.

By lexluthermiester on 7/11/2013 12:55:15 AM , Rating: 1
And it's an oddball point, but it must be said...

I haven't used any version of it in over 10 years. It is the very first thing that gets deleted[yes it can be done!] from every Windows installation I do. Never once had a problem. There is no shortage of secure, easy to use, vastly superior open source browsers available.

Why is this news? Why are people still using Microsoft's lame-duck browser?

By Monkey's Uncle on 7/11/2013 8:55:31 AM , Rating: 2
If you use any version of Windows, you are deluded if you think you are not using Internet Explorer. The parts of Internet explorer subject to vulnerabilities are embedded in the operating system itself. Do you use MS Office?

Why do you think you need to reboot Windows after applying IE fixes? You don't have to reboot after Firefox, Opera or Chrome fixes. Why then for IE?

By lexluthermiester on 7/12/2013 10:00:19 PM , Rating: 2
If you use any version of Windows, you are deluded if you think you are not using Internet Explorer. The parts of Internet explorer subject to vulnerabilities are embedded in the operating system itself. Do you use MS Office?

Really? Funny that, when I "take ownership" of and delete most of the contents of the folder named "Internet Explorer" none of them come back and, magically, windows keeps working... Hmmm... The only file you don't delete is "sqmapi.dll" because, yes "Windows Explorer" does use that dll for part of its functioning. You were saying? And no, I do not use MS Office. I use Libre Office, because I don't feel the need to pay $200+ for cumbersome, buggy, inefficient and inferior office apps.

Why do you think you need to reboot Windows after applying IE fixes? You don't have to reboot after Firefox, Opera or Chrome fixes. Why then for IE?

Windows has to reboot itself to update that folder because {TAA DAA!!} one of those files is in use. Imagine that. Not all of them, just one bloody file. And that's only if you are so innately lazy, uninformed or stupid to not remove IE from your system the moment you run it for the first time. Of course, if you are smart enough to remove it, and smart enough to screen the updates from MS, then you never need to worry about it. But hey what do I know, right? I've only been doing stuff like this for 31 years...

By lexluthermiester on 7/12/2013 10:07:26 PM , Rating: 2
Oh, and before you tell us all how "Windows Explorer" can be used as a web browser... Please hawk that nonsense somewhere else. All Windows Explorer does is hand off the web address to the default browser installed on the system. It does nothing else...

msft os
By Mike Acker on 7/14/2013 7:20:43 AM , Rating: 3
msft os is fundamentally discredited. not suitable for use online.

RE: msft os
By ResStellarum on 7/15/2013 9:34:46 AM , Rating: 2
That's very true. I certainly wouldn't do my banking, or anything where I used passwords on a networked Windows OS. It's just not worth the risk. Who knows what rootkits, keyloggers, or malware might be hiding on it.

The only thing I use Windoze for these days is an odd game. I do my serious work on Linux, where I know without a shadow of a doubt that it's safe. Can't beat fully integrated and peer reviewed software repositories.

RE: msft os
By ResStellarum on 7/15/2013 9:35:54 AM , Rating: 2
Oh and that's without even mentioning the NSA backdoors in Windows.

secrecy is not the answer
By brucek2 on 7/10/2013 8:21:33 PM , Rating: 3
If a security researcher could find it, then so could a hacker. Most times one has already.

As a member of the public with no skin in this game other than as a user of the product, I think companies should have a duty to disclose hazards, not be able to keep them private for their own lack of embarrassment or not wanting to prioritize a solution (much less preventing the issue in the first place.)

If Microsoft knows about threats to my security and has done nothing for months, then I appreciate at least someone else giving me a heads up about it. This cycle should continue until public peer pressure or outright regulation compel a more timely response to the issues.

I don't care that the guy was working for a competitor, if both Microsoft and Google take to attacking each other over security flaws we'll all be safer for it. And certainly better off than if some gentlemen's agreement ensures that hackers can continue to benefit while the companies can continue underfunding the prevention and response, all while the unsuspecting public bears the costs.

By lexluthermiester on 7/12/2013 10:41:25 PM , Rating: 2
Well spoken. Yet as has been said, you could simply and easily solve this problem by NOT using and indeed removing Internet Explorer from your system.

You see, because Chrome, Firefox and whatnot are based mostly[if not entirely] on public source code. Thus when a problem is found, it is resolved quickly. But when the source is private, it is up to the holders of said source code to fix, in their own sweet time, if ever.

By kleinma on 7/10/2013 6:55:12 PM , Rating: 2
If they were hostile towards properly disclosed exploits before, they certainly don't seem to be now.

RE: hostile
By rika13 on 7/10/2013 11:53:50 PM , Rating: 2
It is not a bounty program. This is MS thinking they have a Crystal Palace and is asking people to throw stones to prove it.

100% M$ fault
By rika13 on 7/10/13, Rating: 0
RE: 100% M$ fault
By Monkey's Uncle on 7/11/2013 9:05:58 AM , Rating: 2
No, I blame Ormandy who professes himself as being a "security expert" yet not knowing that he has to use PSIRT to report product vulnerabilities. Any security consultant is aware of this cross-industry committee and any security consultant knows the only way to safely report product vulnerabilities is via PSIRT. That Ormandy did not use this vehicle to report his vulnerabilities tells me that he is incompetent and Microsoft treated him that way.

Had he had the brains to use the correct reporting channels, not only Microsoft top executives, but the executives of every company that has a PSIRT team would be apprised not only of the vulnerability but of the person reporting it. Not only would any vulnerabilities have been validated and acted upon, but he would have gotten his credit for discovering them.

RE: 100% M$ fault
By lexluthermiester on 7/12/2013 11:09:02 PM , Rating: 2
that he has to use PSIRT to report product vulnerabilities

Really? Where is the law that says he has to tell Microsoft a single solitary thing? The only thing ANYONE is lawfully required (depending on the nation you live in) to do is report it publicly, in full disclosure, in a clear effort to fix the problem and not profit illicitly from it.

Had he had the brains to use the correct reporting channels, not only Microsoft top executives, but the executives of every company that has a PSIRT team would be apprised not only of the vulnerability but of the person reporting it. Not only would any vulnerabilities have been validated and acted upon, but he would have gotten his credit for discovering them.

Again, you make the assumption that Microsoft didn't refuse to deal with the problem. This is not the problem of him who disclosed the backdoor, err... vulnerability. It is solely the fault of Microsoft for either refusing in defiance, or failing in complete incompetence, to resolve the now disclosed issue. Microsoft is not the noble patron of software arts you seem to think it is. They are little more than tyrants whose only goals are to serve you software that controls how you use your computing device and profit greatly from it. They used to be different (a little) in that they cared what the public thought. Google listens to its users and now has the most dominant OS in operation on planet earth (Android). This has Microsoft scared to death. And rightly so.

I don't even use Internet Explorer
By johnsmith9875 on 7/12/2013 5:00:39 PM , Rating: 2
Can a hack/vulnerability still affect me? I wish Microsoft allowed the ability to uninstall it, but their business model is shoving it down your throat whether you like it or not, just like their .NET runtimes.

By lexluthermiester on 7/15/2013 6:11:38 PM , Rating: 2
Oh, but you can. It's not as easy as simply uninstalling, but it can be done. Here are a couple of ways to do it. Google is very helpful in this area.

Good Article
By ResStellarum on 7/15/2013 9:26:42 AM , Rating: 2
Thanks for the good read Jason. I can always rely on your writing to present a balanced opinion, instead of the pro-M$ / anti-Google nonsense that's all too common on other sites infested with M$ reputation managers.

RE: Good Article
By lexluthermiester on 7/15/2013 5:07:37 PM , Rating: 2
Was that sarcasm? Because DT is often frequented by MS-Rep-mongers... I'm with you on the Linux thing mentioned above. My personal fav is Mint. Of course a good third-party firewall for Windows, competently configured, keeps those back-doors shut... Mostly...

News of The World
By Silma on 7/11/2013 3:31:08 AM , Rating: 2
What a bunch of horses..t, is this the News of the World of technology?

- There really aren't any excuses not to follow the standard security protocol, i.e. disclose privately, give the company adequate time to fix the bug, then, in the extreme event where the company neither reacted nor explained why it did not react, disclose publicly.
- In this rare case, the disclosure you have to do should suffice to persuade your peers in the security business. You really don't need to go out of your way to facilitate active exploitation of the bug by thugs, just for the pleasure of a self-fulfilling prophecy. Especially when you have to go out of your way to prove the viability of the attack vector.
- Is he 5 or what? Just because you had one bad interaction with a company you think anything is fair game? If this was the case nobody would work with anybody.
- He has probably way too much free time (do Google employees still have a day a week free?) as Android is the biggest malware fair on earth. But no man is a prophet in his own country right?
- Microsoft's security team is nothing if not exemplary. I'm sure they make mistakes, sometimes are in the wrong and rarely do not fix security flaws in a timely manner. But in most cases, it is industry leading in its response to security flaws. Please care to compare to any other giant here such as Apple, Adobe or Oracle?
- Who else is so actively involved in taking botnets down?

By agon on 7/23/2013 8:40:52 AM , Rating: 2
Experience it yourself by requesting a beta key at


Copyright 2016 DailyTech LLC.