Welcome to WebmasterWorld Guest from 54.196.224.166

Forum Moderators: goodroi

Message Too Old, No Replies

Googler Exposes Windows Vulnerability

Microsoft is not amused

     

incrediBILL

3:07 am on Jun 11, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



The Google and MS saga heats up as a Google security guy blows the whistle before allowing MS time to produce a patch [threatpost.com]

Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.


Perhaps Google doesn't care since Google recently banished Windows for vulnerability issues [webmasterworld.com].

Almost smells like someone is grinding a vulnerability axe here ;)

Brett_Tabke

12:27 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



the issue was reported June 5th, 2010 (a Saturday) and then made public less than four days later. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” he said, stressing that the workaround suggested by Ormandy is inadequate.


It is one thing when someone in the general public does this, but when it is Google - that is fairly bad practice. They usually give them 30 days to fix it. With Google prepping a desktop Operating System, it would be wise to remember that old saying, "what goes around - comes around".

true_INFP

12:47 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



I'm sure Google will appreciate the same thing from the community of security researchers when a newly discovered vulnerability in one of their web apps (such as Gmail) is reported to the general public before Google fixes it (say in five days from being reported to Google).

[edited by: true_INFP at 1:18 pm (utc) on Jun 11, 2010]

jatar_k

12:48 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



that's brutal, hard to describe how bad that is, I hope it comes around fast

less scruples than hackers [webmasterworld.com]? no class

pageoneresults

12:52 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



That's pretty low Google. Just how low can you go?

But...

Asked for comment on Ormandy's disclosure activities, a Google spokesperson said: "Tavis acted independently using research conducted in his own time. Tavis' personal views on disclosure don't necessarily reflect the views of his colleagues at Google or Google as a whole."


Googler criticized for disclosing Windows-related flaw
[News.CNET.com...]

Maybe Tavis Ormandy is getting ready to depart Google and this was their legacy?

According to information available online, this is not the first time Tavis have put Microsoft on the spot.

My opinions of Google have been radically changing this year.

true_INFP

1:16 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



Looks like he actually gave them five days to fix it and then he published it even though he knew it was still unpatched and thus exploitable.

In any case, by doing that, he knowingly made millions of Windows XP users vulnerable.

(The "Microsoft Windows Help and Support Center" isn't an MS website but a component of Windows XP.)

J_RaD

2:15 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member




In any case, by doing that, he knowingly made millions of Windows XP users vulnerable


*ding*ding*ding

AND HE IS SUPPOSED TO BE ONE OF THE GOOD GUYS? doing worse then the bad guys?

TOTALLY irresponsible! so much so the guy should be FIRED, and NEVER allowed to get a job in the security field ever again!

YOU JUST DON'T DO THINGS LIKE THIS!

true_INFP

2:24 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



No need to get overly upset. This kind of things actually happens far more frequently than it might seem (see the Responsible Disclosure "philosophical" dispute).

What's surprising, though, is that this time it wasn't an immature amateur but a security researcher working for Google.

Gomvents

3:34 pm on Jun 11, 2010 (gmt 0)

10+ Year Member



true_INFP, the point is that no program will ever be 100% secure so long as it's user facing especially with many programmers involved, millions of highly intelligent users specifically looking for flaws... idiots that click everywhere. etc.

Bottom line... he should have given them more time before making a public disclosure. Not cool...

Demaestro

4:13 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



without giving Microsoft adequate time to prepare a patch


Considering that Microsoft has several long standing known un-patched vulnerabilities that stretch years and years I don't blame Google for not having much faith in MS to act quickly if they just reported it to in the private.

That being said there is a high level of irresponsibility in how they went about this.

With Google prepping a desktop Operating System, it would be wise to remember that old saying, "what goes around - comes around".


So true, no OS is without flaws.

true_INFP

4:19 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



true_INFP, the point is that no program will ever be 100% secure so long as it's user facing especially with many programmers involved

Gomvents, I'm not sure why you're telling me that. What makes you think I don't know that?

J_RaD

5:23 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



so why does google have a security guy sitting around trying to find holes in windows?

Demaestro

5:42 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



so why does google have a security guy sitting around trying to find holes in windows?


To determine if it is a security risk for them to run, which they have decided it is.

Gomvents

5:47 pm on Jun 11, 2010 (gmt 0)

10+ Year Member



true_INFP, it was a reply to your comment of "No need to get overly upset." I took your use of "upset" her to mean "excited" as I don't think anyone here is getting upset but it certainly got me a little excited as Google is the Emperor with no clothes, throwing rocks in his glass house... Also I would with what you'd call "whitehat" hackers and out of the box Mac OS and nearly every linux distro is actually much less secure. Windows when fully patched and using common sense is more secure than Mac or Linux as a desktop environment. The main issues with Windows are A) It's the biggest target B) IE is a nightmare C) the registry system is flawed.

TheMadScientist

5:59 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Wow, if they keep doing stuff like this, or allowing their employees to do this (even on their own time) and they're going to have M$ and Apple working together or some other crazy partnerships to work against them.

They need to stop throwing their weight around and get their house in a bit of order IMO, because the way they step on everyone is going to bite them eventually...

Really, don't they get the idea privacy and security are things people actually take seriously and from a business perspective it can be a bad plan to exploit both of those to the extent they do?

They send an e-mail on Sat (weekend) and on Thurs they tell everyone about the flaw? The stinking e-mail likely sat in an inbox until Mon AM, so they effectively gave 3 working days to fix the issue. Nice!

[edited by: TheMadScientist at 6:11 pm (utc) on Jun 11, 2010]

true_INFP

6:00 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



true_INFP, it was a reply to your comment of "No need to get overly upset."

Well, that was in response to J_RaD's series of upper-case sentences (which I considered "overly upset"). The point was that irresponsible disclosure is actually quite common (more than the average Joe suspects). The only thing that is extraordinary in this case is that the irresponsible disclosure was done not by an immature amateur, but by a professional paid by Google.

Irresponsible disclosure is normally tolerated only if the vendor is taking some unreasonably long time to fix the vulnerability (eg. years when it should take several days). In this case, there was no reason to choose irresponsible disclosure.

TheMadScientist

6:16 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Glad this guy wasn't in charge of the wifi sniffing he probably would have started 'claim-your-credit-card.com' the only place online you can re-claim your own credit card... Simply enter your full name, address and phone number and we'll remove your credit card number from public view... You know, because that would really teach people a lesson.

J_RaD

6:28 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member




To determine if it is a security risk for them to run, which they have decided it is.


yes but EVERY system has security risks if you like at it hard enough. If enough security guys sit around and noodle they will find flaws in every system google runs from the inside out.

Demaestro

6:55 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If enough security guys sit around and noodle they will find flaws in every system google runs from the inside out.


Well of course, but that is their job after all, to know the security issues of hardware and software on their networks and to minimize their potential negative effects.

I am by no means defending how they went about this but you can't criticize a security guy for looking for security flaws on his network.

When I worked for a development house we had a guy who's job was exactly that. He mostly looked at PHP at the time there were lots of vulnerabilities in it back then, but sometimes he would show up at your workstation and declare that he was uninstalling something until they made it more secure.

He was the same guy that forbid us from using FTP because it was not secure enough a protocol for him.

Sgt_Kickaxe

7:06 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member



Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk


What a CROCK ms. Your vulnerability issue(s!) put customers at risk. Don't blame anyone else for how risky your product(s!) are, you've got too long of a bad record with security for that now. The fact it took a Googler to spot problems with your own software speaks volumes.

If blame is being passed down to the techies who write the code at MS I offer this bad management decision to pass the blame instead of taking responsibility for YOUR own product as a sign the issues are probably leadership related.

Just saying it like it is, spin doctor press release free.

[edited by: Sgt_Kickaxe at 7:14 pm (utc) on Jun 11, 2010]

londrum

7:14 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



what if one of your neighbours told all her mates that the lock on your back door was broken, so you got burgled, and then blamed you for not fixing it. you wouldn't be too happy about that. but that is what this google guy has done.

he's basically told everyone how to commit a crime. you can't get away with that in other walks of life. imagine if he told everyone how to bypass a bank's security system. would that be justified too? there's not much difference.

[edited by: londrum at 7:16 pm (utc) on Jun 11, 2010]

Demaestro

7:14 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Bad week for MS

Looks like a someone is going after servers running IIS using a specific malicious script to exploit a vulnerability contained within IIS.

It allows for mass SQL injections and reportedly 10s of thousands of sites are already effected.

It looks like a large scale attack.

Too bad someone at Google didn't catch this and give MS 3 days to fix it.

J_RaD

8:09 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member




I am by no means defending how they went about this but you can't criticize a security guy for looking for security flaws on his network

if windows is banned why look any farther? This seems like they did it just to create bad PR for MS, and maybe to get the info into the hands of the wrong people which could make it issue explode causing MS more bad PR.

Future

8:20 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



Too bad someone at Google didn't catch this and give MS 3 days to fix it.

oops.

Future

8:24 pm on Jun 11, 2010 (gmt 0)

5+ Year Member



threatpost.com only this site reported the incident, cannot re-confirm anywhere yet ?

J_RaD

8:26 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



they are not exploiting IIS, 3rd party scripts.

Sgt_Kickaxe

10:37 pm on Jun 11, 2010 (gmt 0)

WebmasterWorld Senior Member sgt_kickaxe is a WebmasterWorld Top Contributor of All Time 5+ Year Member



This seems like they did it just to create bad PR for MS, and maybe to get the info into the hands of the wrong people


More crock, they reported a weakness to webmasters 4 days after they discovered it. The weakness is MS's problem, there isn't any reason to say otherwise just because a Googler spotted it. The issue would be the same no matter who spotted it and that is MS's problem.

edit: I don't know why I'm defending Google, as if they need defending, but the sheer volume of "pile on Google cuz they are the devil" baseless crap spreads like a smelly cloud and I'm tired of breathing it in everywhere, including here.

Add you own punchline to that.

carguy84

6:42 am on Jun 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Looks like a someone is going after servers running IIS using a specific malicious script to exploit a vulnerability contained within IIS.

It allows for mass SQL injections and reportedly 10s of thousands of sites are already effected.


So is it IIS or SQL Injection? They're pretty mutually exclusive as SQL injections come down to programming not platform.

maximillianos

3:16 pm on Jun 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I bet they fix it now. Nothing like a good kick in the butt to get the wheels rolling.

Instead of releasing statements about Google, they should be fixing the problem.

Looks like MS uses the same PR company as BP. ;-)

TheMadScientist

6:11 pm on Jun 12, 2010 (gmt 0)

WebmasterWorld Senior Member themadscientist is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Is there anyone here posting about how this is solely a M$ issue and Google is perfectly fine not adhering to generally accepted practice who would not be absolutely up in arms, screaming 'lawsuit' at the top of their lungs if someone found a security flaw in your site and posted it here rather than letting you have a reasonable chance to fix it first, because it's your site and you're responsible for the security of it?

I doubt it...

Also, if Google wants to be respected as the leader, the company that follows their 'don't be evil' motto, and standard setter, then they need to do just that and follow standard and generally accepted industry practices, otherwise they're going to get what's going on here, because we all know if M$ did the same thing to them they'd be the ones lashing out in the press.

Someone from Google went deliberately looking for a hole and when they found one they only gave M$ days to fix it... If they had waited 30 days as is standard practice for a fix we probably wouldn't have anything negative to say about them making it public.

All Google had to do was follow the standards and accepted practices, but it seems even that is asking too much of them. Maybe because it's not their system or computer at risk, it's yours...

ADDED: Think about it this way for a minute:
Google's not going to lose anything from this.
Microsoft is not going to lose anything from this.

It's You, Your Mom, Your Kids, Your Friends, Your Family making this public without a fix puts at risk...
Are people really thinking Google's Employee behaved responsibly? Really?

They didn't put M$ or G at risk... G doesn't use it (AFAIK) and you need M$ to run all your software, so they're not going to lose anything, so who's at risk? Everyone who could have the hole Google's Employee found exploited, which happens to be everyone who run Windows...

[edited by: TheMadScientist at 7:01 pm (utc) on Jun 12, 2010]

This 57 message thread spans 2 pages: 57
 

Featured Threads

Hot Threads This Week

Hot Threads This Month