the issue was reported June 5th, 2010 (a Saturday) and then made public less than four days later. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” he said, stressing that the workaround suggested by Ormandy is inadequate.

It is one thing when someone in the general public does this, but when it is Google - that is fairly bad practice. They usually give them 30 days to fix it. With Google prepping a desktop Operating System, it would be wise to remember that old saying, "what goes around - comes around".

I'm sure Google will appreciate the same thing from the community of security researchers when a newly discovered vulnerability in one of their web apps (such as Gmail) is reported to the general public before Google fixes it (say in five days from being reported to Google).

[edited by: true_INFP at 1:18 pm (utc) on Jun 11, 2010]

that's brutal, hard to describe how bad that is, I hope it comes around fast

less scruples than hackers [webmasterworld.com]? no class

That's pretty low Google. Just how low can you go?

But...

Asked for comment on Ormandy's disclosure activities, a Google spokesperson said: "Tavis acted independently using research conducted in his own time. Tavis' personal views on disclosure don't necessarily reflect the views of his colleagues at Google or Google as a whole."

Googler criticized for disclosing Windows-related flaw
[News.CNET.com...]

Maybe Tavis Ormandy is getting ready to depart Google and this was their legacy?

According to information available online, this is not the first time Tavis have put Microsoft on the spot.

My opinions of Google have been radically changing this year.

Looks like he actually gave them five days to fix it and then he published it even though he knew it was still unpatched and thus exploitable.

In any case, by doing that, he knowingly made millions of Windows XP users vulnerable.

(The "Microsoft Windows Help and Support Center" isn't an MS website but a component of Windows XP.)

In any case, by doing that, he knowingly made millions of Windows XP users vulnerable

*ding*ding*ding

AND HE IS SUPPOSED TO BE ONE OF THE GOOD GUYS? doing worse then the bad guys?

TOTALLY irresponsible! so much so the guy should be FIRED, and NEVER allowed to get a job in the security field ever again!

YOU JUST DON'T DO THINGS LIKE THIS!

No need to get overly upset. This kind of things actually happens far more frequently than it might seem (see the Responsible Disclosure "philosophical" dispute).

What's surprising, though, is that this time it wasn't an immature amateur but a security researcher working for Google.

true_INFP, the point is that no program will ever be 100% secure so long as it's user facing especially with many programmers involved, millions of highly intelligent users specifically looking for flaws... idiots that click everywhere. etc.

Bottom line... he should have given them more time before making a public disclosure. Not cool...

without giving Microsoft adequate time to prepare a patch

Considering that Microsoft has several long standing known un-patched vulnerabilities that stretch years and years I don't blame Google for not having much faith in MS to act quickly if they just reported it to in the private.

That being said there is a high level of irresponsibility in how they went about this.

With Google prepping a desktop Operating System, it would be wise to remember that old saying, "what goes around - comes around".

So true, no OS is without flaws.

true_INFP, the point is that no program will ever be 100% secure so long as it's user facing especially with many programmers involved

Gomvents, I'm not sure why you're telling me that. What makes you think I don't know that?

so why does google have a security guy sitting around trying to find holes in windows?

so why does google have a security guy sitting around trying to find holes in windows?

To determine if it is a security risk for them to run, which they have decided it is.

true_INFP, it was a reply to your comment of "No need to get overly upset." I took your use of "upset" her to mean "excited" as I don't think anyone here is getting upset but it certainly got me a little excited as Google is the Emperor with no clothes, throwing rocks in his glass house... Also I would with what you'd call "whitehat" hackers and out of the box Mac OS and nearly every linux distro is actually much less secure. Windows when fully patched and using common sense is more secure than Mac or Linux as a desktop environment. The main issues with Windows are A) It's the biggest target B) IE is a nightmare C) the registry system is flawed.

Wow, if they keep doing stuff like this, or allowing their employees to do this (even on their own time) and they're going to have M$ and Apple working together or some other crazy partnerships to work against them.

They need to stop throwing their weight around and get their house in a bit of order IMO, because the way they step on everyone is going to bite them eventually...

Really, don't they get the idea privacy and security are things people actually take seriously and from a business perspective it can be a bad plan to exploit both of those to the extent they do?

They send an e-mail on Sat (weekend) and on Thurs they tell everyone about the flaw? The stinking e-mail likely sat in an inbox until Mon AM, so they effectively gave 3 working days to fix the issue. Nice!

[edited by: TheMadScientist at 6:11 pm (utc) on Jun 11, 2010]

true_INFP, it was a reply to your comment of "No need to get overly upset."

Well, that was in response to J_RaD's series of upper-case sentences (which I considered "overly upset"). The point was that irresponsible disclosure is actually quite common (more than the average Joe suspects). The only thing that is extraordinary in this case is that the irresponsible disclosure was done not by an immature amateur, but by a professional paid by Google.

Irresponsible disclosure is normally tolerated only if the vendor is taking some unreasonably long time to fix the vulnerability (eg. years when it should take several days). In this case, there was no reason to choose irresponsible disclosure.

Glad this guy wasn't in charge of the wifi sniffing he probably would have started 'claim-your-credit-card.com' the only place online you can re-claim your own credit card... Simply enter your full name, address and phone number and we'll remove your credit card number from public view... You know, because that would really teach people a lesson.

To determine if it is a security risk for them to run, which they have decided it is.

yes but EVERY system has security risks if you like at it hard enough. If enough security guys sit around and noodle they will find flaws in every system google runs from the inside out.

If enough security guys sit around and noodle they will find flaws in every system google runs from the inside out.

Well of course, but that is their job after all, to know the security issues of hardware and software on their networks and to minimize their potential negative effects.

I am by no means defending how they went about this but you can't criticize a security guy for looking for security flaws on his network.

When I worked for a development house we had a guy who's job was exactly that. He mostly looked at PHP at the time there were lots of vulnerabilities in it back then, but sometimes he would show up at your workstation and declare that he was uninstalling something until they made it more secure.

He was the same guy that forbid us from using FTP because it was not secure enough a protocol for him.

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

What a CROCK ms. Your vulnerability issue(s!) put customers at risk. Don't blame anyone else for how risky your product(s!) are, you've got too long of a bad record with security for that now. The fact it took a Googler to spot problems with your own software speaks volumes.

If blame is being passed down to the techies who write the code at MS I offer this bad management decision to pass the blame instead of taking responsibility for YOUR own product as a sign the issues are probably leadership related.

Just saying it like it is, spin doctor press release free.

[edited by: Sgt_Kickaxe at 7:14 pm (utc) on Jun 11, 2010]

what if one of your neighbours told all her mates that the lock on your back door was broken, so you got burgled, and then blamed you for not fixing it. you wouldn't be too happy about that. but that is what this google guy has done.

he's basically told everyone how to commit a crime. you can't get away with that in other walks of life. imagine if he told everyone how to bypass a bank's security system. would that be justified too? there's not much difference.

[edited by: londrum at 7:16 pm (utc) on Jun 11, 2010]

Bad week for MS

Looks like a someone is going after servers running IIS using a specific malicious script to exploit a vulnerability contained within IIS.

It allows for mass SQL injections and reportedly 10s of thousands of sites are already effected.

It looks like a large scale attack.

Too bad someone at Google didn't catch this and give MS 3 days to fix it.

I am by no means defending how they went about this but you can't criticize a security guy for looking for security flaws on his network

if windows is banned why look any farther? This seems like they did it just to create bad PR for MS, and maybe to get the info into the hands of the wrong people which could make it issue explode causing MS more bad PR.

Too bad someone at Google didn't catch this and give MS 3 days to fix it.

oops.

threatpost.com only this site reported the incident, cannot re-confirm anywhere yet ?

they are not exploiting IIS, 3rd party scripts.

This seems like they did it just to create bad PR for MS, and maybe to get the info into the hands of the wrong people

More crock, they reported a weakness to webmasters 4 days after they discovered it. The weakness is MS's problem, there isn't any reason to say otherwise just because a Googler spotted it. The issue would be the same no matter who spotted it and that is MS's problem.

edit: I don't know why I'm defending Google, as if they need defending, but the sheer volume of "pile on Google cuz they are the devil" baseless crap spreads like a smelly cloud and I'm tired of breathing it in everywhere, including here.

Add you own punchline to that.

Looks like a someone is going after servers running IIS using a specific malicious script to exploit a vulnerability contained within IIS.

It allows for mass SQL injections and reportedly 10s of thousands of sites are already effected.

So is it IIS or SQL Injection? They're pretty mutually exclusive as SQL injections come down to programming not platform.

I bet they fix it now. Nothing like a good kick in the butt to get the wheels rolling.

Instead of releasing statements about Google, they should be fixing the problem.

Looks like MS uses the same PR company as BP. ;-)

Is there anyone here posting about how this is solely a M$ issue and Google is perfectly fine not adhering to generally accepted practice who would not be absolutely up in arms, screaming 'lawsuit' at the top of their lungs if someone found a security flaw in your site and posted it here rather than letting you have a reasonable chance to fix it first, because it's your site and you're responsible for the security of it?

I doubt it...

Also, if Google wants to be respected as the leader, the company that follows their 'don't be evil' motto, and standard setter, then they need to do just that and follow standard and generally accepted industry practices, otherwise they're going to get what's going on here, because we all know if M$ did the same thing to them they'd be the ones lashing out in the press.

Someone from Google went deliberately looking for a hole and when they found one they only gave M$ days to fix it... If they had waited 30 days as is standard practice for a fix we probably wouldn't have anything negative to say about them making it public.

All Google had to do was follow the standards and accepted practices, but it seems even that is asking too much of them. Maybe because it's not their system or computer at risk, it's yours...

ADDED: Think about it this way for a minute:
Google's not going to lose anything from this.
Microsoft is not going to lose anything from this.

It's You, Your Mom, Your Kids, Your Friends, Your Family making this public without a fix puts at risk...
Are people really thinking Google's Employee behaved responsibly? Really?

They didn't put M$ or G at risk... G doesn't use it (AFAIK) and you need M$ to run all your software, so they're not going to lose anything, so who's at risk? Everyone who could have the hole Google's Employee found exploited, which happens to be everyone who run Windows...

[edited by: TheMadScientist at 7:01 pm (utc) on Jun 12, 2010]