Googler criticized for disclosing Windows-related flaw
Critics say researcher should have given Microsoft more time before disclosing a hole affecting Windows XP and Windows Server 2003 and releasing code to exploit it.
Microsoft and outside security researchers accused a Google engineer of failing to follow the responsible disclosure etiquette his own company promotes by disclosing a Windows XP-related flaw on Thursday, publishing code to exploit it and giving Microsoft only five days to fix it.
Tavis Ormandy informed Microsoft about the vulnerability--located in the online Windows Help and Support Center feature that offers customers technical support--on Saturday. He then announced details of the hole and offered proof-of-concept attack code in a post to the Full Disclosure security e-mail list on Thursday.
"I would like to point out that if I had reported (the issue) without a working exploit, I would have been ignored," he wrote, before saying that he was operating on his own and not on Google's behalf. "This document contains my own opinions. I do not speak for or represent anyone but myself."
But Microsoft said that by releasing the exploit while going public with it before Microsoft had a chance to patch it was irresponsible and puts millions of computer users at risk.
"Responsible disclosure protects the computer ecosystem and individual computer users from harm," Microsoft's Jerry Bryant wrote in a Microsoft Security Response Center (MSRC) blog post.
The vulnerability allows for a white list filter to be bypassed and could enable an attacker to take control of a computer running Windows XP or Windows Server 2003 by luring a computer user to a malicious Web site designed to exploit the hole, according to the Microsoft advisory. "Broad attacks are likely," Microsoft said in a statement.
Meanwhile, all of the major browsers are affected, according to Ormandy.
Microsoft provided a workaround in its advisory and said it was working on a full patch. Ormandy had provided a hotfix tool in his announcement but Microsoft said that did not work properly.
"One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause," Mike Reavey, MSRC director, wrote on the blog. "While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.
Microsoft wasn't the only one annoyed by the move.
It is not reasonable to expect Microsoft to be able to develop a patch in such a short period of time, Robert "Rsnake" Hansen, security researcher and chief executive at SecTheory, wrote in a guest post on security firm Kaspersky's ThreatPost blog.Ormandy also did not appear to be working on his own when he shared credit in the disclosure with other Google researchers, he said.
"Google has been the loudest proponent for responsible disclosure in the past," Hansen wrote. "Apparently, it's okay for Google to go full disclosure, but not for other researchers. The hypocrisy is amazing."
This isn't the first time Ormandy has been hasty in disclosing a Microsoft-related vulnerability, said Andrew Storms, director of security for nCircle.
"Tavis has been trying to separate his actions from his employer, but you have to wonder if he is adding fuel to the very public fire between Microsoft and Google by continuing to draw negative attention to Microsoft's security process," Storms said.
Google and Microsoft have a history of competition, but the rivalry heated up a notch with reports that Google is snubbing use of Windows internally, citing security concerns. That news was met with cynicism by security experts who see it as part of Google's public relations effort more than any sincere IT operations policy, despite the fact that Google was targeted in an attack that exploited a hole in Internet Explorer.
Asked for comment on Ormandy's disclosure activities, a Google spokesperson said: "Tavis acted independently using research conducted in his own time. Tavis' personal views on disclosure don't necessarily reflect the views of his colleagues at Google or Google as a whole."
The spokesperson said the company could not comment further on whether Ormandy's actions seemed to run counter to Google's disclosure policy.
The matter provoked intense debate among security researchers, some of whom took sides on private e-mail lists and forums, but who declined to comment publicly.
Not surprisingly, H.D. Moore, the chief architect of the open-source Metasploit exploit database, said the fastest way to get a problem addressed is releasing an exploit to the public.
"Whether that is the best thing for the end user depends on the situation," Moore said in an e-mail. "One of my MSFT bugs is about to turn four years old without being addressed. This is why I now work solely with CERT (Computer Emergency Response Team at Carnegie Mellon); they have a hard 45-day advisory rule."
Gordon "Fyodor" Lyon, a network security expert and a former president of Computer Professionals for Social Responsibility, praised Ormandy's research but did not address whether his releasing the exploit was a good thing or not.
"The net result of Tavis' research and disclosure is that my machines are now protected from this attack and all MS customers have the information to protect themselves by disabling HCP" protocol that can be used to execute URL links to open the Help and Support Center feature, Lyon wrote in an e-mail. "If Tavis hadn't done the research, or if he had kept it quiet while MS decided how to bury it in some Patch Tuesday months away, we'd all still be vulnerable as lambs."