GoogleWars! Is the Phoney War now over?
Well, now. Things just get interestinger and interestinger.
Tavis Ormandy recently disclosed an MS zero-day bug on the Full Disclosure mailing list. This caused a bit of a stir. Much of the anti-malware industry was aghast. The anti-malware industry, in general, is not overkeen on what is called ‘full disclosure’. It prefers what it terms ‘responsible disclosure’, cleverly implying that anything that does not fall within the definition of ‘responsible disclosure’ is ‘irresponsible disclosure’.
Tavis was criticised on two counts: firstly that he was irresponsible, and secondly that he was Google trying to score points against Microsoft. Let’s look at these.
From Kurt Wismer
I’m a little too late to the party to bother with vilifying him, but the arguments used to support him could stand and be reused in the future and those need to be addressed…
full disclosure as disarmament
and from Graham Cluley:
In my opinion, Ormandy irresponsibly disclosed the vulnerability before Microsoft had a chance to fix the problem, making it easy for cybercriminals to exploit the flaw and infect innocent users.
The good news is that Microsoft has now issued a fix for the problem. But I bet they (and countless other internet users and industry observers) wish that the first that they had heard of this problem was when the patch was rolled out, rather than when Ormandy acted petulantly.
Patch Tavis Day
I am yet to be convinced that ‘full’ equates to ‘irresponsible’, or that Ormandy is petulant. He claimed that he chose the full disclosure route because Microsoft declined to commit to a patch within 60 days. ‘Responsible’ disclosure is often taken to mean giving the vendor 30 days to fix the problem before going public. Ormandy ‘offered’ 60 days; but because MS couldn’t/wouldn’t commit to the patch within that time, Ormandy disclosed within five days rather than waiting the 30 days.
As it happens, MS rolled out the patch in approximately 40 days – and probably had it ready in less than that but waited until its next ‘Patch Tuesday’. (Notice that it has not waited until the next Patch Tuesday to respond to the LNK 0-day flaw of its own making; although we must wait to see when the actual patch is rolled out.) So if we ask, ‘why did Tavis Ormandy not wait 30 days?’ we should equally ask ‘why did Microsoft not accept the 60 days offered?’ This leads us inexorably to the second issue: Tavis Ormandy’s employment orientation.
Many of the early commentators who thought Ormandy was irresponsible dwelt somewhat on his employer, Google, suggesting that here was an attempt by Google to embarrass Microsoft. My own initial thoughts were that there was no evidence to support this. Now I am beginning to wonder. On 2 June I posted: Google dumps Windows: the first shot in the coming war
There is a battle looming. While many pundits see a contest between Google and Facebook for control of the internet, and Google and Apple for control of the airwaves, I suspect Google is aiming higher. Google is getting ready to take on Windows, head-on. Chrome and the Cloud beats Windows in almost every way: cost, agility, security, you name it.
So Google dumping Windows has little to do with security. It says to the big corporates, hey guys, we can live without Windows. You can too.
Now Ormandy has added his name, along with Chris Evans, Eric Grosse, Neel Mehta, Matt Moore, Julien Tinnes and Michal Zalewski of the Google Security Team, to a new post on the Google Online Security Blog: Rebooting Responsible Disclosure: a focus on protecting end users.
The article nowhere mentions Ormandy by name (other than in the credits), but comments:
So, is the current take on responsible disclosure working to best protect end users in 2010? Not in all cases, no. The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research – but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect. We’ve seen an increase in vendors invoking the principles of “responsible” disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers. The important implication of referring to this process as “responsible” is that researchers who do not comply are seen as behaving improperly. However, the inverse situation is often true: it can be irresponsible to permit a flaw to remain live for such an extended period of time.
It goes on to “suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software.” The article is clearly a statement of Google’s disclosure policy while at the same time defending Ormandy’s disclosure. They are one and the same thing.
In the light of all this I have to revisit my initial thoughts. Was Ormandy irresponsible? Absolutely not: he offered 60 days to Microsoft. Was it a set-up to embarrass Microsoft? I don’t think it was a set-up. Did Ormandy/Google hope to embarrass Microsoft? Absolutely. Did Microsoft hope to embarrass Google? Absolutely. The war has started.