Tavis Ormandy said Microsoft is difficult to work with regarding these issues

A Google engineer has called Microsoft out on a recent security flaw in the Windows operating system, and even said that the Windows creator is hostile toward third-party vulnerability researchers.

Tavis Ormandy, a Google security engineer, exposed the flaw on Full Disclosure. The Microsoft vulnerability, which was in the Windows kernel driver "Win32k.sys," was posted to the Full Disclosure mailing list on May 17.

Before that, Ormandy revealed the flaw on GitHub back in March in hopes of bringing other security researchers on board to investigate. 

Ormandy said on Full Disclosure, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."

Ormandy posted on Full Disclosure yet again on Monday, saying "I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools."

Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."

Microsoft has been annoyed with Ormandy for publicly discussing vulnerabilities before they could be patched. Microsoft prefers "responsible disclosure," where security experts are asked to report flaws privately to the company.

"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with," said Ormandy. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Source: ComputerWorld

RE: Ormandy
By AlphaVirus on 5/23/2013 11:57:01 AM , Rating: 5
I'm sure things would have gone smoother had he done the respectable thing and notified MS first like most other researchers of these matters do.

Yep, he acts very immature about this entire situation. Why would you release it to college students before sending it directly to Microsoft? It sounds like this kid is an attention whore.

RE: Ormandy
By Mitch101 on 5/23/2013 12:09:38 PM , Rating: 5
Dear Tavis Ormandy, we apologize for not responding sooner as the developer has a date with a girl.

We realize this may require additional explaining by your subsequent e-mails and your need to share this with others that are also not equally interested in the female species.

We highly recommend doing this sometime instead of staying home looking for code issues and thinking this is a higher priority than going outside once in a while.


RE: Ormandy
By Obujuwami on 5/23/2013 12:12:41 PM , Rating: 5
He's doing it for his Google can make MS look stupid. No big shock there as they are rivals and they want to make each other look inept or hostile.

RE: Ormandy
By Ammohunt on 5/23/2013 1:39:50 PM , Rating: 5
Well, I would buy that if Google software was sooo perfect as to not have security flaws. There is a big Karma trap in running down a competitor in this fashion.

RE: Ormandy
By Stephen! on 5/23/2013 2:01:41 PM , Rating: 2
Google can make MS look stupid

Seems like Microsoft is perfectly capable of doing that on their own.

RE: Ormandy
By Reclaimer77 on 5/23/2013 2:19:54 PM , Rating: 1
I seem to remember a certain below the belt "Scroogled" smear campaign running first...

RE: Ormandy
By lanceredel on 5/24/2013 9:37:16 PM , Rating: 5
I think the salvo "don't be evil" was first in this relationship.


