

Vulnerability outed by Google engineer already being exploited. - angrycoder
http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/

======
jrockway
This article contains no content except a decades-old rant against full
disclosure.

Two things to remember: the person who discovered the hole didn't put it
there, nor is it likely he is the first person to see it. He is, however, the
first person that was thoughtful enough to tell you about it so you could take
mitigating action. The crackers wouldn't do that, nor would Microsoft.

As for the exploit code, well, he's a programmer. People don't believe you
unless you prove it. He proved he was right by writing exploit code.

Bottom line: don't shoot the messenger. He is helping you! It's Microsoft that
added a security hole to their product and hoped nobody would notice.

~~~
fname
_It's Microsoft that added a security hole to their product and hoped nobody
would notice_

This excerpt contains no content except a decades-old rant against how
Microsoft doesn't care about security. I mean, really?

It's unfortunate people still believe that Microsoft would add a security hole
to their product and hope no one figured it out so they don't have to fix it.

~~~
btilly
Nobody thinks that Microsoft deliberately added this security hole.

However once you find out about a hole like this in the wild, a natural
response is to hope nobody finds out because you're busy and it is a hassle to
try to fix it. And many, many companies, Microsoft included, have done exactly
this. That's why the full disclosure movement arose in the first place.

From remarks he has made, it seems that Tavis attempted to get them to agree to
a 60 day fix turnaround. This is evidence that, in fact, Microsoft would have
just sat on this bug report and hoped that nobody would notice.

------
andreyf
If I remember correctly, the vulnerability already being exploited at the time
of the announcement was the reason Tavis gave for faster-than-usual
disclosure.

Edit: the exact quote was "I've concluded that there's a significant
possibility that attackers have studied this component, and releasing this
information rapidly is in the best interest of security", from
[http://threatpost.com/en_us/blogs/googler-drops-windows-zero...](http://threatpost.com/en_us/blogs/googler-drops-windows-zero-day-microsoft-unhappy-061010)

~~~
btilly
More than that, if you read <http://twitter.com/taviso> you'll find the
comment

 _I'm getting pretty tired of all the "5 days" hate mail. Those five days were
spent trying to negotiate a fix within 60 days._

The fact that Microsoft knew about the problem and was unwilling to release a
fix inside of 60 days when pushed is good reason to disclose. That way the
NEXT time he reports a bug to them, there is a better chance that they'll
actually act.

~~~
InclinedPlane
There's a particularly pervasive anti-pattern in development of focusing on
treating the symptom instead of the root-cause. The worst cases of this extend
all the way to developing an adversarial relationship with testers and bug-
filers (adopting a "shoot the messenger" stance).

This usually happens gradually enough so that people don't realize they are
doing it. Camaraderie devolves into tribalism and groupthink, criticism from
outsiders is denigrated and ignored. And then cold, harsh reality intervenes
resulting in disaster that should have come as a surprise to no one.

------
cmelbye
Didn't he announce publicly like a week ago? And he told Microsoft about it a
few days prior to that. Maybe it was a little shady at first, but Microsoft
seriously hasn't fixed it yet?

~~~
mattmcknight
The way the original article repeatedly labels it a zero-day is totally
inaccurate, it was at least a five-day.

------
getonit
Cluley ignores obvious; sees vanity as only motive shocker!

Anyone want to club together and buy that guy a great big mirror to hang on
the wall behind his desk?

