Vulnerability Management

When a zero-day is less about the bug and more about the disclosure

While Microsoft would never go on the record and admit it, surely the software giant's ego was bruised when a report emerged last week that Google planned to phase out its internal use of Windows, apparently out of security concerns resulting from the coordinated Chinese-led attacks it suffered.

But as most anyone within the security community will tell you, Google's rationale seemed misplaced, especially when talking about smart, sophisticated, targeted hackers who need just one weak entry point (read: a naive user who likes to click on untrusted links) to start plundering intellectual property.

But fine, Google decided to abandon Windows. It still has to hurt, regardless of the reasons.

So when an information security engineer named Tavis Ormandy, who claimed he was acting independently, went public Thursday with exploit code for a Windows Help Center vulnerability five days after reporting it to Microsoft, one can't blame Redmond for dragging Ormandy's employer into the mix.

Because his employer just so happens to be Google, Microsoft's bitter rival.

Microsoft's Mike Reavey, who directs the company's Security Response Center, posted a blog describing the vulnerability, and he used some interesting wording at one point. See if you can catch it:

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Notice how Reavey didn't say "the actual workaround Ormandy suggested" but instead implied that Google, as a company, was responsible for this disclosure. Sounds like fightin' words to me.

A Google spokesman reportedly denied the company's involvement and stated that Ormandy's work was independent.

Some security bloggers, such as Alan Shimel, weren't buying it.

You can tell me that Ormandy did this without Google's knowledge and consent. If that is so, they should fire him tomorrow. If it is not true, shame, shame, shame on Google.

I don't think it's fair for Microsoft to officially imply that Google was totally aware of this whole thing, but I also don't think it's fair for Ormandy to alert Microsoft about the vulnerability — as if he was prepared to act in a so-called responsible way — only to change his mind five days later and go full disclosure.

I think he'd be better served if he picked a side and stuck with it.

In Ormandy's defense, though, it sounds like he feels sorta bad: "I believe in [full disclosure], but making enemies of people I truly respect may not have been my smartest decision ever," he tweeted Thursday.

This mess also brings to light the continual challenge researchers face when they receive their paychecks from software companies that make products that have holes. After all, Google surely wouldn't want a researcher from Microsoft to discover a vulnerability in Gmail, only to go public with the exploit a few days after reporting it.

Maybe the guy and gal researchers and consultants who stay independent are on to something.
