Googler Drops Windows Zero-Day, Microsoft Unhappy - ukdm
http://threatpost.com/en_us/blogs/googler-drops-windows-zero-day-microsoft-unhappy-061010

======
tptacek
Before anyone starts talking about full disclosure or Microsoft or whatnot,
just know that whether you agree with Tavis' logic or not, not giving
Microsoft a couple weeks to patch a remote _is_ a breach of protocol.

Tavis is one of my favorite researchers to watch and I'm not going to say
anything negative about him or how he played this. But if I was Google, I'd be
treading very, very, very carefully here. Google's gotten a lot of talent
lately, but Microsoft has them way outgunned. We don't need these two
companies setting up opposition labs because of a document that ends with
"greetz".

Or, maybe we do. Depends on your politics.

(For what it's worth: <http://twitter.com/taviso/status/15887290335S>)

~~~
staunch
The idea that Microsoft or Google would create "opposition labs" to attack
each other is pretty far out there. You may have been in the jungle of
security just a wee bit too long.

~~~
jerf
Man, that would be _awesome_. Companies aren't doing a very good job of
policing themselves, if they policed _each other_ customers would win big
time.

~~~
Groxx
I dunno, sounds like an _ideal_ anti-competitive tool to kill off potential
competitors before they get too big. It'd also encourage behavior similar to
patent trolls, let them get big enough to royally screw for big monies.

~~~
khafra
If we proceed on the assumption that the blackhats will find holes the white
hats don't find first, it'd still be a good thing. At the limit of this
behavior, the only software producer left would be Daniel J. Bernstein, which
would be sort of awkward, but if you want things built secure you want them
built secure.

~~~
jerf
I think that while the transition would be rocky, there would be a lot more
work done on languages, libraries, and frameworks that are secure by default,
rather than insecure by default, and in the end people would end up a lot
better trained.

We get insecure software for a variety of reasons, including lack of
incentives to produce secure software (or equivalently lack of penalties for
failing), ignorance, lack of sufficient talent or intelligence to deal with
the issues of security, and so on. At least taking care of the first one would
have some sort of effect. It would probably also drum some people out of
software development, at least professionally, but one could fruitfully argue
that anyone intellectually incapable of writing secure software would probably
be better employed elsewhere anyhow.

------
epochwolf
I hardly think 5 days is enough time for Microsoft to patch this. The guy
could have given them two weeks before releasing the exploit.

~~~
davidcuddeback
The article says "Ormandy said protocol handlers are a popular source of
vulnerabilities and argued that 'hcp://' itself has been the target of attacks
multiple times in the past."

I'm not defending his actions, but I think he's arguing that it's likely that
black-hats already know about the vulnerability because it occurs in a heavily
targeted attack vector. Therefore, releasing details gives IT professionals the
knowledge they need to set up firewalls or do whatever they have to do to
protect against the vulnerability while waiting for an official patch from
Microsoft.

With that said, perhaps there's a better way to accomplish that goal.

~~~
kenjackson
That's an absurd excuse for Ormandy. As I'm sure Ormandy knows, IT pros are a
LOT less likely to implement a workaround to this problem than hackers are
likely to exploit it.

Furthermore, MS stated that the provided workaround is insufficient and easily
circumvented.

And, he provides no evidence that any blackhats know about this at all.

To me this clearly looked like a way for Google to try to attack MS's security
-- this goes hand in hand with their PR stunt of moving Google employees off
of Windows due to security.

~~~
d4rt
How do you know that IT pros are less likely to implement a workaround than
hackers are to exploit it?

How prevalent is deploying workarounds and mitigations versus deploying
patches? I don't know of any research in this area; it would be very
interesting to know.

~~~
kenjackson
Based on history. There have been several known exploits that have been
exploited where a Windows Update patch has been available for months, and
admins didn't update.

Now, take it a step further: now you have an exploit where there is no Windows
Update package, but each server has to be manually updated following a
procedure from a webpage.

This is a no-brainer to me. Of course, if you're looking for double-blind
randomized controlled studies to prove this, well, I'm afraid you're in the
wrong field.

------
ww8520
That was a dick move. 5 days is not enough to go through debugging, coding,
reviewing, testing, and deployment of complicated software like Windows. 2
weeks to 4 weeks is more reasonable.

~~~
count
Or, 5 days is enough time, because people need to know it's out there, and the
developers have had years to get this particular type of bug right.

------
btilly
The article links to [http://threatpost.com/en_us/blogs/does-google-have-double-st...](http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010)
which discusses the ethics of this situation, and makes unspecified
allegations that Google does "all sorts of hinky things behind your back" that
justify doing full disclosure against them.

Does anyone have any idea of what their beef is with Google?

~~~
tptacek
Tavis works for Google. He's one of their best-known security researchers.

Tavis published a Microsoft remote. Without waiting for a patch. That is
unusual. Most researchers, Tavis included in other situations, don't do that.

Not at all surprising Microsoft took it personally. That doesn't mean it's
constructive for MSFT to complain. But, there you go.

~~~
btilly
You gave an excellent answer to the question I didn't ask. I don't need to be
told why MSFT is unhappy. I want to know why Robert Hansen is upset enough at
Google's practices that he wants full disclosure used against them.

~~~
tptacek
Things to know about Robert Hansen:

* He's a web guy (a very, very good web guy)

* He's had issues with G in the past

* He's doubtless reported things to G in the past

* Tavis is operating in an entirely different universe from him (one in which "lock.cmpxchg8b.com" is clever, not sketchy).

Don't read too much into this.

~~~
btilly
_He's had issues with G in the past_

That's what I wanted to know more about. Do you have links where he discusses
what he doesn't like about Google?

~~~
tptacek
At this point in the conversation I think you should just ask him. He's a good
guy.

~~~
btilly
I posted a reply on his blog asking him the question. It is currently awaiting
moderation.

------
metamemetics
_Reavey confirmed that the issue affects Windows XP and Windows Server 2003
only._

It's 2010; no one should willingly still be using Windows XP unless they like
hosting botnets. Can't say Windows is the most intelligent choice for a server
platform either.

~~~
hboon
Some server software only runs on Windows.

