Early this morning Google’s Tavis Ormandy published a vulnerability in the hcp protocol handler. It allows the attacker to run arbitrary commands as the user. In practice it created a lot of alerts and warnings for me – but the XP install I was using is somewhat locked down. So I’m not sure how practical this attack would be compared to any other attack that causes an alert, as the article mentions. Later his report says it works around the alerts (I couldn’t reproduce that, but that was his intention). Either way, though, this is some pretty amazing research. However, there are some odd things about this that really struck me the wrong way.

Google has been the loudest proponent of responsible disclosure in the past. But if you look at the dates in his post, he says he reported it to Microsoft on the 5th of June (a Saturday), who responded the same day. He sent the advisory early in the morning today, the 10th of June – meaning Google gave Microsoft less than 5 days to fix it. Even Mozilla backed down from a 10-day turnaround, and they’re only running a single software suite. How is it possibly reasonable to expect a company like MS to turn around a patch in 4-5 days, and then get so upset that you must go full disclosure? And it’s not like Tavis was acting on his own – he credits other security researchers inside of Google for their help. So apparently it’s okay for Google to go full disclosure, but not for other researchers. The hypocrisy is amazing.

See, here’s the big problem. Either you are all about full disclosure (which is happening less and less these days), you use it only when you know the company won’t react otherwise or has all kinds of other hinky things they do behind your back (the same reason I advocate full disclosure against Google), or you use responsible disclosure. Google says it adheres to responsible disclosure, but at the same time they give Microsoft 5 days to fix their 0day that Google’s researchers themselves created! From Google’s own website:

“This process of notifying a vendor before publicly releasing information is an industry standard best practice known as responsible disclosure. Responsible disclosure is important to the ecology of the Internet. It allows companies like Google to better protect our users by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure. Our Security team follows the same procedure when we discover and report security vulnerabilities to other companies.”

… except when you don’t. Then Tavis puts a patch up on a domain that, no offense to Tavis, sounds sketchier than a lot of malware sites out there (http://lock.cmpxchg8b.com). Do you really expect a billion XP users to download and run that? I hear some rumors that it doesn’t even work in some cases, but it does appear to work against the one PoC Tavis put up in the test I ran. I don’t know, the whole thing just rubbed me the wrong way. But at least now no one has to pretend to do responsible disclosure with Google just because it’s the right thing to do – they don’t use it themselves. Even when MS finds a vuln in Google, they do so responsibly. I don’t mean to say anything bad about Tavis, because he’s probably a good guy with a lot of skill. But let’s stop pretending Google’s team is chivalrous, shall we?

Robert “Rsnake” Hansen is a security researcher and CEO of SecTheory.

Categories: Vulnerabilities, Web Security

Comments (33)

  1. Wladimir Palant
    1

    Robert, while I agree that the ethics of this disclosure are very questionable – you started this post with the wrong premise. Google is a company employing thousands of people. Why would you assume that the company policy is accepted by each and every employee? From what I can see there is no indication that Google endorsed this disclosure. Quite the opposite – Ormandy isn’t even using a Google email address which IMO indicates that he isn’t acting on behalf of his employer. The word “Google” is found twice in the text – once where he mentions Google Chrome along with Firefox and another time in a link where he thanks Michal Zalewski for his excellent Browser Security Handbook.

  2. Ken Jackson
    2

    @Wladimir, are you suggesting that Ormandy did this all on his own time with no company resources (computers, files, network, people, email, etc…)?  If so, you may have a case.  Otherwise, Google shares responsibility, unless they openly come out and condemn his action, and probably terminate him.

  3. Josh
    3

    @Wladimir, an enterprise at all well managed has employees agree to company policy to work at the company (and most of them make you review policy each year and renew your agreement).  Much of the policy reflects conduct both while on company time and while not, as your actions reflect on the company regardless.

    I can certainly vouch that all of the enterprises that I have been salaried at in a security position would consider it a breach of policy for me to publish vulnerabilities in competitors’ products even if it was on my own time.  This was well spelled out to me.  So either Tavis is disregarding company policy without triggering a public company response or his company does not have such a policy.  Either way it looks bad for Google.

  4. Peter Kasting
    5

    I think it’s disingenuous to discuss whether Ormandy or Google believe in “responsible disclosure” without even mentioning Ormandy’s stated reason as to why he’s giving less time for this vulnerability to be handled.  If all you read was this blog post, you’d think that Ormandy randomly disclosed some vulnerability after a short period of time for absolutely no reason.

    Now, whether the reason is sound is a different matter, but come on, in a post that says Google “has all kinds of other hinky things they do behind your back” this is pretty hypocritical.

  5. rei
    6

    @Peter “Now, whether the reason is sound is a different matter, but come on, in a post that says Google “has all kinds of other hinky things they do behind your back” this is pretty hypocritical.” — and by that exact same reasoning, it matters somehow that Robert’s post is quite jaded and possibly hypocritical?

    Let’s not play red herring here.

  6. Anonymouse
    7

    At first I found myself agreeing with you while I read this article. Then I actually took the time to read the full text of the disclosure on seclist that Ormandy posted, and your article just plain seems ridiculous. As far as I can tell it’s a boiler-plate attention junkie post, where the only goal is to target emotional reactions of readers (yea! the hypocrite! i hate hypocrites! i always did have a suspicion of google!) and get some more hits (RT @D0ucheB4g GOOGLE BASHES MS BIIIIG TIME, BUNCH OF HYPOCRITES!! bit.ly/zhh41).

    I guess what I’m trying to say is – well done. It worked on me when I first read it.

  7. Anonymous
    8

    After reading his actual post, I’m sorry I gave you a hit.  For anyone too lazy or busy to read through it, he goes into explanations of how to avoid the situation, offers a hotfix you can download released under the GNU with the full source code and explanation of what it does,  and this is his reason for posting it only five days after notifying Microsoft:

    “Protocol handlers are a popular source of vulnerabilities, and hcp:// itself has been the target of attacks multiple times in the past. I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security.”


  8. Anonymous
    9

    Here’s what those of you who read his article and decided his actions are somehow responsible are missing- his “fix” is easily circumvented and offers no real protection. So go forth and feel protected, but you aren’t. Maybe you should read a more neutral source than either the person who published the exploit irresponsibly or the company that has to REALLY fix the issue. http://secunia.com/blog/103/

  9. Anonymous
    10

    Here’s what those of you who read his article and decided his actions are somehow responsible are missing- his “fix” is easily circumvented and offers no real protection. So go forth and feel protected, but you aren’t. Maybe you should read a more neutral source than either the person who published the exploit irresponsibly or the company that has to REALLY fix the issue. Go to Secunia’s web site and read blog number 103

  10. Anonymous
    11

    That would be dubdubdub dot secunia dot com slash blogs slash 103, btw. Hyperlink triggered spam filter.

  11. CNE
    12

    Eric Schmidt still was soundly defeated by Microsoft back in the 80s and 90s in the network OS wars when he was head of Novell. I wonder if that colors any of his thoughts as CEO of Google?

    Just sayin.

  12. nat
    13

    Robert Hansen–

    If I’m correctly understanding your post — and I’m by no means certain that I do — then you’re falsely implying that it was Google that created this 0-day exploit.  I read (as best as I could — I’m not a programmer) Tavis Ormandy’s post, and as best as I can determine he does not claim to be speaking for Google.  So exactly what are your reasons for falsely implying that he is?  Or am I missing something(s) here?  Please enlighten me.

    –n.

  13. Anonymous
    14

    nat,

    finding such complex bugs is hard, takes a lot of time, and is generally unrewarding (unless you sell it for money instead of public disclosure). It is entirely possible, of course, that Tavis found this bug in his own free time. Either way, as a security researcher and one of the “good guys”, he should respect the informal rules by which other researchers abide — that is, to provide a minimal amount of time for the vulnerable company to react (also known as “responsible disclosure”). In this case, five days is extremely short, he might as well have published the vulnerability immediately.

    Publishing vulnerabilities before the vendor has a patch sometimes makes sense, for example when the vendor takes months to react. But Microsoft has been usually very quick to respond, often offering a patch one or two months after a vulnerability is found.

    The fact that Google is currently at odds with Microsoft may suggest that Tavis’ finding did not happen by chance, but was part of a larger picture; it may be seen as an act of aggression, as an attempt by Google to assert the superiority of its software offering when compared to the competition. If I were Microsoft, I would be tempted to hire highly qualified hackers in order to find flaws in Google’s software offerings.


  14. Anonymous
    15

    The Googler in question’s motives can be found in his Full Disclosure posting:

    “Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.”


    This guy was just trying to give MS some crap, or rather get their customers to do so. Less than 5 days is BS and he should be fired, regardless of whether this was done on Google time or not.

    Your posting is spot on.

  15. Anonymous
    16

    In fact my guess is that he got an automated response to his submission on June 5th, a Saturday. I would guess that he did that on purpose as well.  This was nothing less than a drive-by attack on MS. He has no idea what is in the queue to be patched, which I assume is done by priority. Heck, he barely left them time to triage it, let alone patch, test and release it.

    He describes his motivations in followup mails. He doesn’t believe in responsible disclosure.

    I’m also a bit puzzled at where he gets off putting millions of users at risk, since he can’t actually show us that the vulnerability has been found by black hats, he just *believes* it has.

    Personally I think he should be getting prosecuted for this.

  16. Faqir
    17

    Robert “RSnake” Hansen is just as big a publicity whore as any other self titled “security researcher”; last decade’s skiddies turned into corporate monkeys.

  17. Scotty
    18

    It looks to me like the guy who published the exploit code is just as bad as a hacker, only worse, as he created the exploit, then presented it to the public – under the guise of “doing us all a big favor.” Thanks a lot, jerk. I think I already have enough security vulnerabilities on my computer already.

  18. Anonymous
    20

    @Scotty
    Your computer already has/had the vulnerability, whether someone disclosed it fully, responsibly, or not at all.

  19. Corrector
    21

    “Personally I think he should be getting prosecuted for this.”

    Personally I think every vuln discovered should be publicly reported immediately until you – and your kind – shut up for real.

    That’s what *I* call responsible behavior.

    More seriously: this “responsible” (lol) thing is clearly going way too far. To say that responsible people (in the true meaning of the word) always do this “responsible (lol) disclosure” thing is not only silly, it is not very responsible.

    You all: the guy explained his motives. You can disagree with his analysis, but that doesn’t allow you to treat him like you do.

    This is pathetic.

  20. Corrector
    22

    “Personally I think he should be getting prosecuted for this.”

    Personally I think every vuln discovered should be publicly reported immediately until you – and your kind – shut up for real. That’s what *I* call responsible behavior.

    More seriously: this “responsible” (lol) thing is clearly going way too far. To say that responsible people (in the true meaning of the word) always do this “responsible (lol) disclosure” thing is not only silly, it is not very responsible.

    You all: the guy explained his motives. You can disagree with his analysis, but that doesn’t allow you to treat him like you do.

    This is pathetic.

  21. Anonymous
    23

    His post said, essentially, “I think this may be being exploited.”  He gave no evidence that it was.  Given the resources of Google, and the fact that (it seems) the exploit is going to involve an hcp:// string embedded in a webpage, you’d think he’d have been easily able to give some evidence to back up his contention.  

    I haven’t seen him produce that evidence yet.  And expecting a real response inside 5 days – even if you are “one of the top 15″ in the field – seems arrogant at best (as did the tone of his response to someone relatively new to this who questioned the responsibility of the disclosure.) 

  22. Corrector
    24

    His post said, essentially, “I think this may be being exploited.” 

    Indeed. Nothing else to be said. (You may want to check up the definitions of “I think” and “may be”.)

    He gave no evidence that it was.  Given the resources of Google, and the fact that (it seems) the exploit is going to involve an hcp:// string embedded in a webpage, you’d think he’d have been easily able to give some evidence to back up his contention.

    What kind of evidence do you expect for the fact he thinks so??? Mind-reading?

    Come on, you don’t have to be a native English speaker to understand what he explains. He says that his discovery is NOT extraordinary.

    Anyway, if you are not happy with the way he handled it, then YOU should have reported this problem “responsibly” yourself.

    Conclusion: Whatever. Leave him alone.

  23. Corrector
    26

    What happened to Google’s Do No Evil? 

    It’s not Google, it’s a guy working for Google, and he explained why I think doing things differently would indeed be evil.

  24. Anonymous
    27

    @Wladimir, are you suggesting that Ormandy did this all on his own time with no company resources (computers, files, network, people, email, etc…)?  If so, you may have a case.  Otherwise, Google shares responsibility, unless they openly come out and condemn his action, and probably terminate him.

    That’s crazy talk.

  25. Anonymous
    28

    Screw putting him in jail. Let’s hack google. :) They can’t complain anymore.

  26. z
    29

    1. Tavis’ proposed mitigation didn’t work. So he put all the users at risk with no mitigation/fix, instead of making them more secure as he stated in the advisory.

    2. While I agree that Microsoft in many cases took too long to fix the bug, giving them just five days (including the communication time) for a big company like Microsoft, with multiple products at multiple countries/sites, to verify, fix, test and release the patch for a complex bug like this case is crazy.

    3. If you have been working for any big company, you will see that anything you do (professional related work) needs to comply with company policy (it would be written in your employee agreement/contract) regardless of whether it’s done using company office time or your personal free time. For example, if I found a security bug in one of a competitor’s products during my free time, I couldn’t just simply release it because it would violate the policy. Switching to a personal email to send out the bug doesn’t mean it’s the right way to do it. He’s still a Google security researcher regardless of what email he’s using.

  27. Anonymous
    31

    Avoid using Microsoft’s products and everybody’s happy, and let Bill Gates work on his non-profit foundation. Enough said.

  28. Anonymous
    32

    Let’s see…

    1/ Buy a car from a well known company, say Microsoft

    2/ The car has a big flaw, say it explodes when you reach 50 mph

    3/ Then someone publishes the information, say Tavis Ormandy from Google.

    Question: Whose fault is it?

    Microsoft, Tavis or Google?

  29. Anonymous
    33

    Josh and Z,

    Not all companies claim everything you do as their property under ‘work for hire’ rules. I maintain a couple of security packages, and do some security-related writing. I was able to specify exceptions when I came on board. I have to take extra care to not let anything from my free software creep into what I do at work, which isn’t free. It’s a bit of a pain, but workable. The company gets the benefit of some ‘free time’ research and experience that they otherwise wouldn’t, and doesn’t seem to have a problem.


    Not every company is so draconian as to claim every thought you have as their own. It’s something that’s best worked out up front, though I think I could probably go to HR and discuss something. I’m arguing for either side of this argument; I only want it out there that there are some companies which display a bit of flexibility, as it’s something to be encouraged.


Comments are closed.