Microsoft Lashes Out at Googler for Making Windows Vulnerability Public

9 Comments

k11k

Man, with all the hate Google is throwing at MS, it sure is hard not to see the fact that they are working on an OS also, and it is probably pre-hype for them to make it seem that MS is less secure and everybody should move to their OS once it's out (same as Apple's attacks at MS).

Neon Samurai

Because of your responsible public disclosure, I and a much wider range of users can be aware of the issue and mitigate its risk until Microsoft eventually gets around to providing a patch. Without it, all we would have is Microsoft's quiet information release and a greater majority of users left wide open to this threat.

To all the other security researchers out there: thank you. It's far better that you find and publicize exploitable bugs in products rather than those with criminal intent (there is a word for them, but it's not the one that starts with H).

(now I gotta go update my Metasploit and see if it's in there yet ;) )

nHeroGo

"To be evil" or "Not to be evil"? That is the question.

I Jedi

Yeah, I have to admit that Google's recent attitude towards Microsoft is beginning to piss me off. Not only have they bashed Windows for having security flaws, which was just a basic cover-up story for wanting to switch to Linux/Mac, but now they're trying to discredit Microsoft's advances towards protecting users by publicly showing this zero-day exploit. Google's motto is obviously "Don't be evil"; however, I'm really getting a weird vibe from them lately that I normally never feel...

Keith E. Whisman

I'm all for free speech and freedom of the press, but there should be laws with guidelines for when an entity can divulge security-sensitive information to the public. If an entity discovers a flaw that is a potential software or hardware security threat, and that entity wishes to make it public, it should be law that that entity must be prepared to prove that they made every effort to notify the affected party(s), and there should be a set period of time from initial notification before the security threat is made public. Violators of this law should be held accountable to the affected party and to all the customers that were harmed by the security vulnerabilities being divulged earlier than what the law allows.

By looking at what I just wrote, I can tell that such a law would consist of some 10,000 pages, like the health care reform law and Obama's initial economic stimulus bill.

Vano

Well said.

I Jedi

I have to admit that the Google engineer in question should honestly have waited. Four whole days is sometimes not enough to come up with a patch for something as serious as a zero-day vulnerability. Google has had a recent string of outlashes that, quite frankly, are making me more and more upset with them as the weeks go by.

Vernak

It wasn't just a "Google engineer," Jedi. It was a Google security engineer. They should know better. Period. If they were reporting this vulnerability as a professional courtesy or for the good of the end users, they would have sent Microsoft their code as an addendum to their initial description. I agree with you, Jedi, in regards to the recent chain of outlashes and missteps by Google.

Neon Samurai

I didn't see where it said that the proof of concept was intentionally withheld from the initial report to Microsoft. If the PoC was developed after the report, then Microsoft had access to it just like everyone else did with the announcement.

In terms of security, the problem with what product developers call "responsible disclosure" is usually "don't tell nobody 'til we get around to it... if we decide it's embarrassing enough to fit fixing it into our budget." The end users are most at risk in general and are always the last to be made aware of those risks. You can bet that Google's researcher was not the only person to discover this. If it's not in active use, it's definitely sitting in some criminal's 0-day collection, and it is now less effective only because of the public disclosure. Consider GSM, which has been easily broken for half a decade. The phone companies knew. The criminals knew. The mobile phone consumers didn't have a chance of finding out until a security researcher went public with it (after several attempts to get the phone companies to fix the issue).

Public disclosure reduces the number of exploitable targets by informing end users so they can mitigate it until a patch is available.

(The clock started June 5th... tick tick tick tick, Microsoft)

(edit) I meant to add that what's good for the goose is good for the gander. Google, Apple and the rest should equally be held publicly accountable for patches when vulnerabilities are discovered. It's not about sticking it to evil Microsoft but about informed end users.
