Why should this guy required to do MS's job? What would he get for it? NOTHING. You can't pay your bills with self satisfaction. He (and the rest) have every right to throw MS, Apple, Linux under the bus because users are expecting the O/S to do it's job.
There is no reward (that I am aware of) to help MS out. it's why Google pays people for reporting
Maybe it does push M$ to fix problems, however, it also potentially a lot of computers at risk. For highly technical people like those of us at this site, a risk like this is something that we are able to easily mitigate.
However, there are many people out there who simply do not possess the technical skills to either ward off or remove a threat from their PC - whether we like it or not.
I am not defending M$. Personally, I think they are an exceptionally arrogant company - maybe equally arrogant as crApple.
If anyone exploited a hack made public, it really would not be M$ that suffered, it would be those people who had their computers attacked, and we all know that due to EULAs, there would be no recompense for those owning attacked computers. However, I could see someone suing anyone who made an exploit public knowledge.
To me, its common sense - let M$ know privately regardless of whether you are treated like a terd or not. Wait a month or two - then make it public. As I see it, the burden would then be on M$ if they had not fixed it yet as they were informed of the exploit.
While I understand that communication for these Security Researchers to Microsoft should be easier to do, He shouldn't have released it to the public unless Microsoft absolutely refused to listen to him.
Really what he did was take a vulnerability that he found that at the very most was being used in rare cases but probably not at all in the wild, then he gave it our for people to everyone then people could take his work to attack the public with.
What he did was dangerous to the public for whatever his reasoning it doesn't change that.
I will give Ormandy the benefit of the doubt and say there was no malicious intent intended at any level. However, a basic professional courtesy would dictate that you tell someone that you came across a problem with their tech. Google and MSFT have cooperated in this area in the past. There was no good reason to release the full details about a security vulnerability to the public before the relevant party has a chance to fix it, when a decent number of users of your own products are going to be exposed to that vulnerability. He shouldn't lose his job over something like this, but some form of reprimand is appropriate I would think.
Tavis Ormandy sounds like an arrogant jerk who just wanted to make microsoft look bad and get some of their boxes hacked. Patch is out now we can move along and hopefully Tavis will be a little more diplomatic in the future.
So because this guy felt intimidated by MS, he decided to endanger public safety? Sorry but if it was Visa and not Microsoft not a single one of you would be siding with the security guy, especially if someone gimped your PC because of his recklessness. Put your obvious anti-MS fanboy hatred aside, because it looks ignorant.
The thing that puzzles me is that Windows XP for example has been around for a long time now and that you would have thought that over time as the bugs have been found that the number of possible security breaches would be reduced. But Microsoft issues about the same number of bug fixes a month as it did ten years ago. It is not following the normal curve of complex software that most of the problems are found shortly after release and the number of reported problems reduces over time.
They must be patching the patches many times over. Perhaps they should get it right the first time,
On top of sending the exploit to M$ and waiting. He should give M$ a deadline, say he'll release the exploit to public in 2 weeks. That should give M$ sufficient pressure to release a hot fix (if M$ decides that it's important enough), plus it'll show good professionalism and integrity.
He shouldn't wait for ever for M$ to release a fix, at the same time, he should not just announce it to the public without giving M$ a head start. That's just not professional, unless he has other motives.
I have a few friends that have worked with Microsoft on vulnerability's in the past and they have always found Microsoft very easy to work with. As far as I can see this guy is a nut job. His actions have put every one that uses a Windows based system at risk. And as far as I can tell only because he does not like Microsoft I see no other reason.
Many of you need to get off your high horse. I have submitted bug reports to microsoft back when XP SP3 came out related to "run as" with the task manager and ending/relaunching the explorer.exe process. This bug is still in effect now and what I got back from Microsoft was "Try Vista"
The human factor plays a large role in this. The people that work the positions to screen this information at Microsoft probably hate their job, and the researches just want to let them know they found a problem. The researchers don't get paid to follow Microsoft requests for a bug. That would leave me with very little incentive to deal with bull shit.