Are people really thinking Google's Employee behaved responsibly? Really?

Reporting a vulnerability is responsible, waiting 4 days to do so is time enough for it to be patched, not doing microsoft any favors... are those expected? really? or returned to Google by MS lately?

Point is people are thinking the damage is caused by Google somehow when the fault is weak MS code. The responsibility for MS code belongs to MS. If some anonymous Joe wrote about it on his blog there would be no issue, since an ex Googler discovered it and wrote about it since 4 days had gone by without a patch somehow Google is being dragged into it.

are those expected? really?

Yes, 30 days is standard practice for reporting a bug to a company before making it public...
It's the industry standard, so yes, it's expected.

Of course, Google may have just set a new one WRT reporting bugs to them related to their new operating system, because as others have said, what goes around...

Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

He is STILL a Google employee AFAIK...
If you have a source that says he's left or been asked to leave, please cite it.

I think you may be confused, because there was speculation he may be leaving and that's why he disregarded standard practice and made the information public rather than adhering to the standards.

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Windows users are still the only ones he put at risk...
Google Phases Out Windows O/S Over Security Concerns [webmasterworld.com]

* Quotes from the linked article in this thread.

** Note / Correction on my preceding post:
Not all Windows Systems are vulnerable.

Following your same 'it's Microsoft's fault because it's their system' reasoning all the way through, IMO it could be reasonably concluded it's the end user's fault, because they're the ones who purchased the OS and they had a choice...

Would you agree the M$ users got (get) what they deserve for purchasing the system in the first place, so M$ is really absolved of the responsibility, because if the end user did not do their homework and bought a bug filled, security weak system it's really their own fault?

Interesting misconception: I really thought from your user name you would be about people adhering to standards, which is where the issue is with G in this thread... If they had followed the standard, then they would really have a M$ weakness to pick on, because if they gave the 30 days and it was not fixed, they could absolutely make M$ look like idiots, so to me, as in some other recent things G has done, it looks another G debacle. Not only did they get more bad press for not following standards, by 'blowing the whistle' too early they lost a great opportunity to make M$ look really bad... They gave M$ room to wiggle and turn the situation back on them, which they did. Or, maybe even more to the point, G turned the situation back on themselves...

I'd like to read this 30 day rule before reporting a security flaw, I can't seem to find it anywhere, all I can find is almost every internet related blog and site in the world repeating the story and/or flaw as quickly as they can copy paste it. I can also find freedom of speech laws that say nothing about hiding MS security issues.

30 days online equates to 30 seconds in reality and it's an accepted fact of life. I betcha twitter can cut that to 15 seconds these days.

I wish the guy worked for mom and pop mcguires barely used widget shop, it wouldn't be nearly as exciting a story.

themadscientist I am about adhering to orders and Google didn't order this guy to report this, did they?

I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security

Sounds more like his own judgment call with the interests of security in mind, not a Google vs MS hammer. It's unfortunate, but the only real issue is the flaw.

new stuff happing...please someone check goog in newport beach ca

crackers from hell there...

The report of the issue, which contains the exact details of how to exploit it.
[archives.neohapsis.com...]

Presents both sides of the 'Full Disclosure' V 'Disclosure to the Source' argument fairly well... 'Full Disclosure' is the 'new thinking', not what the industry standard has been... [schneier.com...]

Another article on 'Full Disclosure' v 'Responsible Disclosure'
[csoonline.com...]

I don't have any issue with it being fully, publicly disclosed if the company is given time to fix it, but a bug that took, in the publisher of the bugs own words: 'Access to extremely smart colleagues', to find and exploit is buried somewhere in the middle of 15 (or so) Gigabites of program and software and tied into a bunch of systems, so it doesn't get fixed over night.

A bug like this, which took more than one person to find and exploit (it took a 'team' basically) is now exploitable by anyone who knows a bit about what they're doing, so IMO full disclosure this soon didn't do anyone any favors, except those who were not smart enough to be able to find and exploit it on their own... It gave them a way in.

Basically, before his findings were made public only elite hackers could possibly have found and exploited it, but now it's right there for any 'entry level, wanna be' hacker to use if they feel the urge.

From the actual published details of exactly how to exploit the bug, by the author. (Emphasis Mine.)

The current design is actually pretty sound, I'm sure Microsoft are
dissapointed they missed this flaw. In their defense, I think there's a good
chance I would have also missed this in code review.

Another Quote from the Author:

Without access to extremely smart colleagues, I would likely have given up,
leaving you vulnerable to attack from those who just want root on your network
and do not care about disclosure policies.

Now that he called on his extremely smart colleagues and fully disclosed the exact details of the exploit, anyone can... No one needs the team of people or the extremely smart colleagues to exploit this bug any more.

I don't know if you code or not, but I write PHP and until you dig through a framework library or something trying to find the cause of an intermittent issue you really don't know how long it can take to track back and find an issue in a program to fix it... It's a monsterous task and I think 30 days in the amount of code they are working with is them rushing to get it done personally.

I would guess Brett and the coders here could comment on how difficult it can be to find and fix a bug since there was an intermittent error with the software driving these forums and once in a while a 'random' forum would drop out and only show the header and footer... I'm sure they spent more than 4 days looking, they're the ones who coded it, and it's no where near as extensive as Windows, so the notion a bug like this could possibly be found and fixed in 4 days doesn't fly with me... I think 30 is pushing it, but that's at least somewhat reasonable.

[edited by: TheMadScientist at 10:44 pm (utc) on Jun 12, 2010]

3d party crackers doing all this I think

In case people here don't code and don't understand some of the challenges the Wikipedia Page actually gives some fairly good info on why it takes so much time sometimes.

Sometimes, a bug is not an isolated flaw, but represents an error of thinking or planning on the part of the programmer. Such logic errors require a section of the program to be overhauled or rewritten.

[en.wikipedia.org...]

I can honestly say, from experience, finding issues is sometimes relatively easy, but coding a fix can be extremely difficult, because when you have to rethink the logic of a system and make sure it still works with the other systems it needs to it can take quite a bit of time, because you can end up having to rethink multiple areas of logic which are very well thought through to begin with.

I'm not sure exactly where the 30 day number came from, but that's the number that's stuck in my mind from somewhere, and in code the size of what M$ is dealing with it's a 'short' amount of time to rethink and possibly have to recode or 'code around' an issue... I've spent 30 or 40 hours looking for a single bug I could make error (fairly easily) but not isolate in the source code for days, and that's in a relatively small amount of code to work with...

If you're a coder you'll know what I mean when I say I sat there looking at the source code thinking, 'How on Earth?!' I can make it do this, but the code here is right for what it should be doing, so where is the stinking bug and how is it getting past this section of code? Talk about a headache... It's always one of those things that seems like it should be easy to fix, too, isn't it? Someone said it's doing 'blah' and I thought, simple, should take a day at the most... LOL, yeah right!

I'm definitely FOR publicly disclosing these issues to hold software manufacturers accountable, but I'm for doing it reasonably and responsibly, which IMO is after they have had adequate time to fix it and then making it public so the pressure stays on them... I'm NOT for disclosing it when they haven't had time to fix it so those who don't know it exists, but wish it did so they could capitalize on it, have a way to do so, because that increases the risk for the end user, and is highly irresponsible, IMO of course.

I also think he 'involved' Google not only because he works there, but because he used his contacts there to exploit a bug he found and could not exploit on his own... He could not even do this by himself, but needed help from his 'extremely smart' colleagues (Google) to figure out how to create an exploit for what appeared to be a 'hole' he found.

Seriously, what are the chances of a hacker (or even team of hackers) coming up with an exploit for this bug when it basically took a 'team' of Google employees to figure out how to do it?

It was not easy to find or figure out before it was 'fully disclosed' publicly...

He is STILL a Google employee AFAIK...
If you have a source that says he's left or been asked to leave, please cite it.

He appears to have done this on his own time. Should Google interfere at all?

Would you agree the M$ users got (get) what they deserve for purchasing the system in the first place, so M$ is really absolved of the responsibility, because if the end user did not do their homework and bought a bug filled, security weak system it's really their own fault?

To an extent, both. People who fail to keep systems secure should be responsible for damage caused to third parties by their carelessness, but suppliers of insecure systems should be responsible to them.

If we could sue people whose zombied machines were sending us spam of DDOSing our sites, I bet the incidence of both would drop dramatically.

Perhaps Google doesn't care since Google recently banished Windows for vulnerability issues

Digging a little deeper - what about the users of MSN operating system? I suspect most users are unaware of this Google employee's action; however they potentially have to deal with a compromised computer.

THis is a lol at Google. Clearly a potshot at MS but as Brett noted, what goes around comes around.

Google's releasing an OS, and it's likely to get hammered hard. I'm reminded of that cartoon with two deer in it. One deer says to the other 'bummer of a birthmark Hal' (his birthmark was a bullseye on his chest).

Five days is more than long enough given the technical resources of Microsoft. If they can't put in at least a temporary fix to disable whatever the exploit uses until a more complete fix is available then they have serious problems at Microsoft.

As an occasional user of the Microsoft OS I am glad that this was released, because at least now I know not to boot up into Windows until I know a patch is available. If a googler found the exploit, odds are someone less trustworthy already knew about it.

Of course...

The Google employee needed to publish everything he did publicly rather than publishing there was a bug publicly and sending the details to M$ privately so people who have the luxury of not running Windows for a while could just not use it, never mind about those who don't have that luxury and have to keep running it, like people on IIS servers.

And, there's no way what he published was not the actual root cause of the issue, so there's no way it's something deeper in the system and M$ couldn't possibly have taken a look at it knowing the situation a bit better and gone, 'Hmmmm... If that gets you in what about blah... Oh, S***... Houston!?!', so they should obviously be able to publish a fix in well under 5 days.

You know I thought a company with the resources of BP should be able to stop a leaking pipe in a few days until I heard some of the people who know more about the situation start talking about doubled pipes, one 19" and another inner pipe of smaller, decreasing diameter sealed in concrete within the outer pipe, and the concrete and inner pipe blowing out in conditions with around 13,000 psi or something crazy like that being the reason they can't just put a cap on the stinking thing, because if they did it could blow out somewhere else and then they don't even have a hole to try and fill so they can get it stopped eventually...

The Moral of the Story: Sometimes there's more than meets the eye when your dealing with issues and unless you really know the situation there's no way to determine what the actual cause and fix are or how long they may take to find and implement, because things are not always as simple and straight forward as they may appear to be.

It is interesting that this can apparently be stopped by a few registry changes that remove support for htc://. This could have been rapidly rolled out by Microsoft with a popup warning "htc:// links will not work until further notice due to security concerns". Once a fix is ready, it could have been rolled out and the htc:// support reactivated.

If you read the quote from the Microsoft Rep, you would know it can't...
The 'fix' the Google Employee posted is NOT a 'fix' because he didn't know the situation well enough.
Or maybe he did, and posted a non-fix on purpose?

Here I'll post it again with emphasis, so other's are not mislead:

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Feel free to keep trying to say he was right to post the details he did, so if your assumption that others much worse knew about it was invalid it most likely became reality, and if one an elite few hackers knew about it, now it's in the hands of probably nearly everyone of them, because if a hacker didn't know and, even worse, your assumption was invalid and none knew, it's almost certainly not an invalid assumption any more, since the details are posted publicly.

It would really suck if you listened to the idea of someone who didn't know the situation well enough and went with their suggestion thinking you were now protected and weren't wouldn't it? Who's fault would that be, still M$? Or yours for listening to someone who doesn't know, or the person who did not know for publishing inaccurate information?

If M$ is responsible for their code as many keep trying to say (I agree), then how is the G rep not responsible for the non-fix he posted and even the exploit he posted too? M$ is the one with the issue. M$ is the one who needs the details of the exploit. M$ is the one who can actually fix the issue. NO ONE needed to know the details of this bug outside of M$ so soon. NO ONE. There's no need for it. There's no justification for it. You can keep trying to make one if you just don't like M$ or love G and all of their employees or something, even though what he did flies in the face of reason and responsibility, IMO...

The Google Employee found an exploit of a bug and posted the details...
It does not mean he posted the bug or the fix or even knows where the issue is in someone else's system. He found a single exploit and posted misinformation about fixing the actual bug, why, because he didn't know enough about the situation, and now people who run Windows, even only occasionally, are not only vulnerable and they're being mislead about a fix!

Do you really think his post was the best, most reasonable and responsible idea, because to me it almost seems like a circumventive way for some G reps to make sure M$ users have the security of their systems compromised... and G is launching an OS in the not too distant future aren't they?

Are you sure this was posted because he cares more about Windows security than furthering the goals of the company he works for... The one paying his bills?

Google Employee finds bug in M$.
Google Employee notifies M$.
M$ responds to Google Employee within 24 hours letting him know they are looking into it and will correct the situation.
Google Employee posts the details of the bug and a 'non-fix' within 4 days.
M$ users are led to thinking they're safe if they listen to the Google Employee.
Bug still exists and can still be exploited.
Google Employee can claim, but I tried to post a fix at the same time, even if he knew at the time of posting it would not work.
Google cares so much about your computer's security they even try to help fix M$ bugs.
M$ machines are still compromised.
If you're tired of M$ bugs try Google's new Operating System...

They're not smart enough to come up with something like that over at G are they? LOL... They're beyond smart enough to have the idea, and we'll probably never know if that's really what he did and why he posted what he did or not.

The more I think about this, the more I think it could have been a circumventive effort to make sure M$ systems were compromised and he sold it like a champ... He believes in full disclosure, but is that what he believes when it comes to Google products I wonder?

Seriously, if he really believes in full disclosure, then he should be posting G flaws publicly too, shouldn't he?

The guy is a security expert and should fully know the possible ramifications of his actions and how hard it would be to diagnose and fix someone else's system without actually reworking the system and the code. He should also know fixing it can take more time than he gave if it's a bigger issue than the exploit reveals, so IMO this could easily have just been a well crafted attempt to make sure people running Windows have their machines compromised to further the 'cause' of the company he works for rather than the sales pitch he presents about how it's all about your security... And if some machines are compromised because while M$ is scrambling for a fix it gets exploited, then it probably worked.

ADDED: I wonder how many bugs besides M$ bugs this full-disclosure advocate has ever fully disclosed? I haven't looked, but somehow I doubt there are very many, which seems to say either he doesn't find very many bugs, or he only believes in full-disclosure when it could really harm a competitor.

He did for your security...
Yeah, right, tell me another story.

I went looking for bug reports:
[kerneltrap.org...]

I wonder what his real motivation is? [seclists.org...]

Some very elite friends have started a consultancy called inverse path, you
should really hire them.

[h-online.com...]

I'm wondering: If full-public disclosure is really the best for the end user, then why can't I find a single Google Bug reported and fully disclosed by Ormandy?

You can't really have it both ways can you?

Either it's best to report and disclose bugs publicly, which would include the ones you find in the company you work for, or fully disclosing everyone else's is really just an attempt to harm your competitors under the guise of 'security for the masses by forcing a fix'...

Can't really have it both ways can you?
Either bugs should be fully, publicly disclosed all the time if you believe that's what's best for security, or it's really a BS story to try and harm your competitor(s).

IMO he didn't report this bug for the security of M$ users he did it to further his own agenda(s) and worded a great 'feel good' sales pitch to justify his actions.

Mad, does it really matter?

They are rival companies you don't need to investigate that hard to know that they are going to try and screw each other over from time to time.

The fact is he found a bug that he didn't create, he reported it and then made it public. I don't like how it put my xp boxes at risk as much as anyone but the fact remains other than being a pretty sleazy thing to do he didn't actually do anything wrong.

He was well within his rights to find an exploit and to make it public. It doesn't take an investigation to figure out his motives weren't pure.

Taking out your competitor is the way of the free marketplace and happens all the time. The motivations are rarely pure and almost always financial.

he didn't report this bug for the security of M$ users he did it to further his own agenda(s) and worded a great 'feel good' sales pitch to justify his actions.

Well duh, except he doesn't have to justify his actions, he didn't break any rules. Regardless of why he did it finding the bug still has the side effect of making the MS OS more secure.

I actually only went looking, because I figured I should follow up on my statements made previously, since I keep talking about responsibility and that seems to be the responsible thing to do, because earlier I made an assumption...

One of the interesting things in following the links I posted is not every bug he's reported is actually a bug... LOL.

Also, I was posting for the people defending his actions, and you're right what he did is legal and absolutely sleazy, which is what I was trying to make people, even those who don't like M$, see, because he really doesn't harm M$ or the companies his posts exploit as much as he does the end users of their products, which IMO is just plain BS on his part, and of the company employing him for allowing it to happen when they claim they are for responsible disclosure.

I don't use Windows, don't particularly care for M$, but absolutely despise the idea of this guy making their users (people who post here) susceptible to having their computer's and personal information compromised under the guise of doing them a favor... He didn't do anyone except his friends and his employer a favor, and I hope people see that before they defend his actions and those of people like him in the future, because I think his actions are borderline criminal...

He didn't give the person who wanted to rob a store the gun... He drew them a map to where it was and told them how to use it, but he didn't give it to them directly, he did it online so anyone can see to try and absolve himself of any legal responsibility, and he did it very effectively.

This work is my own, and all of the opinions expressed are mine, not my
employers or anybody elses (I added this for you, Dan. Thanks ;-)).

Interesting little note he left for / about someone on the Sun Bug Report linked above... Google obviously doesn't 'condone' his actions, but they don't seem discourage them either as long as he disclaims them as having any involvement. Nice setup they seem to have there... I wonder who Dan is and why Ormandy added that note to the Sun Bug Report for him?

Mad, I wasn't coming down on you, just saying your point is strong and obvious no investigation required.

don't particularly care for M$, but absolutely despise the idea of this guy making their users (people who post here) susceptible to having their computer's and personal information compromised under the guise of doing them a favor

I am less offended by the whole thing then you though, mostly becuase if they are running MS they have always been and always will be "susceptible to having their computer's and personal information compromised"

That is the inherent risk of Ms operating systems.

I am also not as offending because even though he opened a time frame that made MS users more at risk once it is all said and done his discovery will have the effect of making windows more secure.... because lets face it, MS wasn't going to find and patch it on their own.

Today, five days after disclosure, malware authors began attacking this exploit on XPs (report from zdnet security blog).

Well done, google security guy. Without you there would be at least one fewer attack vector known by hackers.

And well done to all his "clever" colleagues for helping him, too. :(

Today, five days after disclosure, malware authors began attacking this exploit on XPs (report from zdnet security blog).

Well done, google security guy. Without you there would be at least one fewer attack vector known by hackers.

And well done to all his "clever" colleagues for helping him, too. :(

ugh, nice going goog! like I thought before, this is probably exactly what they wanted to happen.

In reading more, it seems Ormandy does not even 'believe in full disclosure' unless the company he's trying to force to do something does not comply with his wishes and timeline for a fix, which AFAIK is illegal. He gave Microsoft a 'deadline' to agree to meet for fixing the issue and when they did not agree to meet the 'deadline' he made the exploit available publicly, for user's security, of course...

Who does he think he is?

I've actually changed my opinion on full disclosure because of this situation...

Isn't that sort of blackmail? Did he give MS a deadline in a note made up of single letters cut out of newspapers? :)

"don't go to the police...I'll be watching"

I can't believe everyone here is acting so high and mighty about this. Simple fact - he did it on his own time, reported it AND gave them 5 days to fix it before making an announcement. You guys are acting like Google can control their employees past their work hours... just insane to have that thought even enter your minds.

Hi brokenbynubs,

Welcome to WebmasterWorld!

I love a good discussion...
1.) I personally do not think pointing out what looks to me personally like coercion [en.wikipedia.org] is high and mighty, unless you think the pointing out possible violation of the law is high and mighty. What I'm not sure of is if it applies to forcing a business to do something.

From what I've read:
He made a 'demand'.
Microsoft refused to agree to meet the demand.
He made the information public to force them to meet the demand.

2.) To think a company as large as Google does not have contracts is pretty naive IMO, and some contracts will have a little clause written in to them which states if a person does something deemed to be detrimental to the brand a person can be terminated, and IMO this situation could easily be deemed to be detrimental to the Google brand...

It's how pro sports teams get away with not fulfilling contractual obligations to players or 'taking action against' them for off-field, off-season actions, and if a company as big and prominent as Google does not have a clause like this written in to their contracts, IMO they should.

They could definitely 'control' (or at least limit) his actions on his own time if they chose to, and to think otherwise seems a bit uninformed, IMO.