| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Googler criticized for disclosing Windows-related flaw | |
|
||
| Time: 09:50 EST/14:50 GMT | News Source: CNET | Posted By: Robert Stein | ||
|
Microsoft and outside security researchers accused a Google engineer of failing to follow the responsible disclosure etiquette his own company promotes by disclosing a Windows XP-related flaw on Thursday, publishing code to exploit it and giving Microsoft only five days to fix it. Tavis Ormandy informed Microsoft about the vulnerability--located in the online Windows Help and Support Center feature that offers customers technical support--on Saturday. He then announced details of the hole and offered proof-of-concept attack code in a post to the Full Disclosure security e-mail list on Thursday. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 219 Last | Next |
The time now is
1:48:04 AM
ET.
Any comment problems? E-mail us |
| #1 By 8556 (173.27.246.50) at 6/11/2010 11:18:27 AM |
|
"Not surprisingly, H.D. Moore, the chief architect of the open-source Metasploit exploit database, said the fastest way to get a problem addressed is releasing an exploit to the public."
Microsoft had five days to address the issue and did nothing until the proof of concept was released at which point they criticized the person that supplied them the information they needed. This reactive approach to patching security flaws is part of MS culture, sad to say. Cry babies. Just git 'er done and stop bellyaching. |
| #2 By 28801 (65.90.202.10) at 6/11/2010 3:07:53 PM |
|
#1: What do you work at a 3 person shop? A Fortune 500 company isn't quite so agile. Besides isn't this a little strange that it came out of Google? I thought they didn't use Microsoft software anymore?
|
| #3 By 1896 (68.153.171.248) at 6/11/2010 3:34:13 PM |
|
#2: It depends: AV companies act immediately upon discovery of a new virus. Granted we do not know all the details and the two companies here are not in the most amicable relations; for example we do not know if MS acknowledged the issue and replayed "we are working to fix it but we need time" etc. etc. so it is hard to determine who is to blame if any at all.
Granted if Google had released everything to the public without warning MS that would have been flat wrong but , again, as it is...... |
| #4 By 15406 (216.191.227.68) at 6/11/2010 3:41:35 PM |
| #2: Considering their staggeringly large amount of resources, their attempts to rebuild their tattered security reputation, and their dedicated Security Response Centre of Ninjas, you would think they would be a little more nimble than your average F500 that isn't the world's largest IT behemoth. MS wants to use PR techniques to manage these security issues and public disclosure spoils that, so they need to demonize anyone who doesn't tell MS first and then sit on it until MS gets around to caring. It's hilarious that they call it 'responsible disclosure' when all it does is allow the vendor to pretend the problem doesn't exist. Public disclosure embarrasses the company into acting quickly, hopefully to the benefit of users. Having Google do it to them is just icing on the cake. Too bad MS doesn't seem to have the means for finding these problems like outside companies do. Perhaps MS should send their people to get trained at Google and other places for tips on how to find bugs in their software. |
| #5 By 95132 (96.25.183.211) at 6/11/2010 4:15:58 PM |
|
That's crap.
Either give Microsoft time to fix the issue, and given the platform and testing that's at least 30-45 days to make into the next monthly patch release, or just release the darn exploit. This pretending "hey I warned them a few days ago" or "if I didn't release it they would have ignored it (which clearly they weren't) is just an excuse for doing what he wanted to do all alone which is to make it public and get and draw attention. The turds that release exploit code off the bat don't bother me as much as those that find bug, have code ready and only give the vendor a heads up days before they release the code, but then claim responsible release. |
| #6 By 16302 (24.72.70.37) at 6/12/2010 12:07:53 AM |
|
#1, I would disagree with this advice, and here is why - the exploit may take some time to fix and to fix without breaking other things, so if the exploit is pushed out to the public before a vendor can fix it, I would not be happy with the person who is equiping the hackers to exploit it on my network before it can get addressed.
#3, it is significantly easier for an antivirus vendor to update their detection patterns than to close most exploits because most exploits are bugs or undesired behaviors and it is important to fix them properly. |
| #7 By 8556 (173.27.246.50) at 6/12/2010 4:04:47 PM |
| I understand all the differing points of view. However, MS has shown that they respond to pressure quite nicely. How many vulnerabilities went unpatched because MS stated that there hasn't been a significant enough impact to merit the effort? Internal politics has much to do with what is worked on at MS. If Ballmer, or other upper level manager, becomes embarrassed by bad press, the issue involved suddenly gets attention. |
| #8 By 3653 (65.80.181.153) at 6/13/2010 2:26:13 PM |
|
using bobsireno's SOP... we should all hope that the US gets a call from China telling us that nukes are "already in the air" so that our defensive efforts can come together seamlessly all due to the magic of PRESSURE.
lets all be serious. |
| #9 By 8556 (173.27.246.50) at 6/13/2010 3:41:47 PM |
| #8: You bet. Nuclear war is very similar to patching buggy software. |
| #10 By 8556 (173.27.246.50) at 6/13/2010 3:46:38 PM |
| #8: a less frivolous retort is that the cold war is a loose analogy to MS fixing publicized bugs. When the Soviets launched Sputnik how quickly did the US respond? When intelligence reports came in, on either side, of what the other was planning in weapons development the response of the other side generally was swift. Would there be cruise missles if there was not threat? Would MS patch bugs if they didn't believe users were being hit by them? |
| #11 By 28801 (65.90.202.10) at 6/14/2010 8:08:28 AM |
|
Hmm, I'm surprised that people like this don't get sued by individuals whose systems get compromised because of information disclosed outside of normal channels. Sure Microsoft would be the more obvious target because of their big pockets, and the software flaws are ultimately in their lap. But I would think this person could face some legal consequences as well.
It’s like telling China how to breach our national security… This guy sounds like a real Gaius Baltar |
| #12 By 95132 (96.25.183.211) at 6/14/2010 1:38:34 PM |
|
Baltar. ha ha Good one.
|
| #13 By 8556 (173.27.246.50) at 6/14/2010 7:51:40 PM |
| #11. A nice BG analogy that leads me to rethink my stubborn original position. I still believe that politics at Microsoft, not just technical difficulties, lead them to move in a slow reactive manner that only accelerates with bad press that the brass want to see dissapear. Still, no one wants to see the colonies get nuked. |
| #14 By 28801 (65.90.202.10) at 6/16/2010 9:40:41 AM |
| So say we all... |
| #15 By 3653 (65.80.181.153) at 6/17/2010 9:37:19 PM |
|
Maybe I'm just jaded from years of working with incompetent fools... but I sort of view "swift" and "quality" as mutually exclusive. And when patching millions of if-it-goes-down-we-die systems, I don't really want them (edit: Microsoft) to focus on "swift". This post was edited by mooresa56 on Thursday, June 17, 2010 at 21:37. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 219 Last | Next |
The time now is
1:48:04 AM
ET.
Any comment problems? E-mail us |
