Google Researcher Discovery Led to Windows Hackings

Status
Not open for further replies.

antilycus

Distinguished
Jun 1, 2006
397
0
18,930
Why should this guy required to do MS's job? What would he get for it? NOTHING. You can't pay your bills with self satisfaction. He (and the rest) have every right to throw MS, Apple, Linux under the bus because users are expecting the O/S to do it's job.

There is no reward (that I am aware of) to help MS out. it's why Google pays people for reporting
 

weierstrass

Honorable
Aug 2, 2012
12
0
10,560
Making it public was probably the best way to put high pressure an MS to fix it. Remember how long it took Oracle to fix some Java vulnerability?
 

wiyosaya

Distinguished
Apr 12, 2006
396
0
18,930
Maybe it does push M$ to fix problems, however, it also potentially a lot of computers at risk. For highly technical people like those of us at this site, a risk like this is something that we are able to easily mitigate.

However, there are many people out there who simply do not possess the technical skills to either ward off or remove a threat from their PC - whether we like it or not.

I am not defending M$. Personally, I think they are an exceptionally arrogant company - maybe equally arrogant as crApple.

If anyone exploited a hack made public, it really would not be M$ that suffered, it would be those people who had their computers attacked, and we all know that due to EULAs, there would be no recompense for those owning attacked computers. However, I could see someone suing anyone who made an exploit public knowledge.

To me, its common sense - let M$ know privately regardless of whether you are treated like a terd or not. Wait a month or two - then make it public. As I see it, the burden would then be on M$ if they had not fixed it yet as they were informed of the exploit.
 

ninjustin

Honorable
Apr 3, 2013
9
0
10,510
While I understand that communication for these Security Researchers to Microsoft should be easier to do, He shouldn't have released it to the public unless Microsoft absolutely refused to listen to him.

Really what he did was take a vulnerability that he found that at the very most was being used in rare cases but probably not at all in the wild, then he gave it our for people to everyone then people could take his work to attack the public with.

What he did was dangerous to the public for whatever his reasoning it doesn't change that.
 

DRosencraft

Distinguished
Aug 26, 2011
96
0
18,590
I will give Ormandy the benefit of the doubt and say there was no malicious intent intended at any level. However, a basic professional courtesy would dictate that you tell someone that you came across a problem with their tech. Google and MSFT have cooperated in this area in the past. There was no good reason to release the full details about a security vulnerability to the public before the relevant party has a chance to fix it, when a decent number of users of your own products are going to be exposed to that vulnerability. He shouldn't lose his job over something like this, but some form of reprimand is appropriate I would think.
 

Pailin

Distinguished
Dec 1, 2007
231
0
18,830
I got from that article that He Did try to tell M$ who did not respond as expected & hoped.

To force their hand in closing the vulnerability he himself was forced to publicly declare the details.

Still better than this going on long term and such attacks going on unheard of.
- How many Chinese hoping for a big break to make it rich etc are looking for similar things to exploit on the quiet...?
 

agentbb007

Distinguished
Jul 27, 2006
27
0
18,590
Tavis Ormandy sounds like an arrogant jerk who just wanted to make microsoft look bad and get some of their boxes hacked. Patch is out now we can move along and hopefully Tavis will be a little more diplomatic in the future.
 

back_by_demand

Distinguished
Jul 16, 2009
1,599
0
19,730
So because this guy felt intimidated by MS, he decided to endanger public safety? Sorry but if it was Visa and not Microsoft not a single one of you would be siding with the security guy, especially if someone gimped your PC because of his recklessness. Put your obvious anti-MS fanboy hatred aside, because it looks ignorant.
 

pjmelect

Distinguished
Jul 14, 2006
178
0
18,640
The thing that puzzles me is that Windows XP for example has been around for a long time now and that you would have thought that over time as the bugs have been found that the number of possible security breaches would be reduced. But Microsoft issues about the same number of bug fixes a month as it did ten years ago. It is not following the normal curve of complex software that most of the problems are found shortly after release and the number of reported problems reduces over time.
They must be patching the patches many times over. Perhaps they should get it right the first time,
 

milktea

Distinguished
Dec 16, 2009
344
0
18,930
On top of sending the exploit to M$ and waiting. He should give M$ a deadline, say he'll release the exploit to public in 2 weeks. That should give M$ sufficient pressure to release a hot fix (if M$ decides that it's important enough), plus it'll show good professionalism and integrity.

He shouldn't wait for ever for M$ to release a fix, at the same time, he should not just announce it to the public without giving M$ a head start. That's just not professional, unless he has other motives.
 

bryonhowley

Distinguished
Oct 24, 2011
136
0
18,660
I have a few friends that have worked with Microsoft on vulnerability's in the past and they have always found Microsoft very easy to work with. As far as I can see this guy is a nut job. His actions have put every one that uses a Windows based system at risk. And as far as I can tell only because he does not like Microsoft I see no other reason.
 

Pailin

Distinguished
Dec 1, 2007
231
0
18,830
Hmm, seems he tried to give M$ a chance to respond:

" (he released the exploit)...a month after Ormandy gave the software company five days to respond to a zero-day he published back then."

and

"Despite Microsoft's approach, Metasploit founder and CTO of security firm Rapid7, HD Moore says Ormandy's release of the exploit in this case was fair enough."
 

dalethepcman

Distinguished
Jul 1, 2010
541
0
18,940
Many of you need to get off your high horse. I have submitted bug reports to microsoft back when XP SP3 came out related to "run as" with the task manager and ending/relaunching the explorer.exe process. This bug is still in effect now and what I got back from Microsoft was "Try Vista"

The human factor plays a large role in this. The people that work the positions to screen this information at Microsoft probably hate their job, and the researches just want to let them know they found a problem. The researchers don't get paid to follow Microsoft requests for a bug. That would leave me with very little incentive to deal with bull shit.
 
Status
Not open for further replies.