Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day

Microsoft confirms probe of vulnerability hackers could use to gain additional privileges on targeted PCs

By , Computerworld |  Windows

"Note that one person responded to his [Full Disclosure message] requesting some code in hopes of adding it to Metasploit," Storms continued, referring to the popular open-source penetration testing framework used by security professionals as well as by cyber criminals. "So it might not be a big remote code bug, but it could be useful for attackers nonetheless."

Ormandy has released information and demonstration code before for Windows vulnerabilities, notably in a pair of disclosures in 2010. In one such unveiling, Ormandy acknowledged that he reported a critical bug to Microsoft only five days before going public, saying he decided to take that tack -- rather than report it privately, and give Microsoft time to patch it -- because of its severity, and because he believed Microsoft would have otherwise dismissed his analysis.

Microsoft and some other security researchers criticized Ormandy for publicly discussing the vulnerability before it was patched, a practice known as "full disclosure" and one at odds with Microsoft's preference, called "responsible disclosure," that asks experts to report bugs privately.

Earlier in 2010, Ormandy had published information about a different Windows kernel vulnerability, pointing out that the bug had been tucked inside the operating system for at least 17 years.

Last week, Ormandy took a similar jab at Microsoft over the newest vulnerability.

"As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)," Ormandy said on Full Disclosure.

SDL, for Security Development Lifecycle, is a process and practice that Microsoft adopted to reduce the number of bugs in its software. Other vendors, including Adobe, also rely on SDL-like processes.

In a May 15 entry to his personal blog, where he also laid out some of his research, Ormandy was even more blunt in his criticism of Microsoft.

"If you solve the mystery and determine this is a security issue, send me an email and I'll update this post," Ormandy said. "If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled. [I]f this is your first time researching a potential vulnerability it might be an interesting experience.

"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with," he said. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Originally published on Computerworld |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

Ask a Question