Had you gone to sleep in 2004 and woken up three days ago, you’d be forgiven for thinking you’d only slept a few hours instead of a few years. This week saw the inglorious return of not just the full disclosure debate, but also of the heated rhetoric that usually accompanies it. Had you awoken to a mix of Maroon 5 and Hoobastank on your iPod, the illusion would’ve been complete. Read on for the full week in review.
The news this week was dominated by two main stories: the critical flaw in Adobe Reader, Adobe Flash and Adobe Acrobat and the zero-day vulnerability in Windows Help and Support Center disclosed by a security researcher who works for Google. Both were messy and both created quite a bit of discussion in the security community.
Worst things first: the Google-Microsoft tete-a-tete. The story, which may or may not actually be about Google and Microsoft, is the result of work done by Tavis Ormandy, a security researcher who discovered a serious vulnerability in the Windows Help and Support Center. Ormandy notified Microsoft of the flaw late last week, and then posted full details of the problem, along with working exploit code, on the Full Disclosure mailing list five days later. Not much new there; a flaw, a notification and a disclosure, if a quick one.
The problematic bit is that Ormandy happens to work for Google. Needless to say, this chain of events did not sit well with Microsoft, whose security response team went on the offensive in a blog post.
This issue was reported to us on June 5, 2010 by a
Google security researcher and then made public less than four days
later, on June 9, 2010. Public disclosure of the details
of this vulnerability and how to exploit it, without giving us time to
resolve the issue for our potentially affected customers, makes broad
attacks more likely and puts customers at risk.
One of the main reasons we and many others across the industry
advocate for responsible disclosure is that the software vendor who
wrote the code is in the best position to fully understand the root
cause. While this was a good find by the Google researcher, it turns out
that the analysis is incomplete and the actual workaround Google
suggested is easily circumvented. In some cases, more time is required
for a comprehensive update that cannot be bypassed, and does not cause
Ormandy, like other researchers in similar positions, was careful in his advisory to say that this work was his own and that he was not speaking as a Google employee. But, the folks in Redmond know who he is and where he works, as do his peers in the research community. Robert Hansen took Ormandy and Google to task for the quick disclosure. “Google says it adheres to responsible disclosure, but at the same time
they give Microsoft 5 days to fix their 0day that Google’s researchers
themselves created!” he wrote. Other researchers had little patience for the criticisms of Ormandy or Google.
In the end, the mess likely is less about Microsoft and Google’s unfriendly rivalry than it is about the continued disagreement among reasonable people about the ethics of full disclosure. I have absolutely no comment on that. But, like they say, a man’s got to have a code.
The other major story this week was the critical flaw affecting Adobe’s Flash, Reader and Acrobat. The vulnerability was made public at the end of last week and Adobe said on Tuesday that it would be releasing a fix for Flash later in the week, but would not have patches ready for the other products until a later date. The quick action on Flash was brought about by the news that there were active attacks already ongoing against the vulnerability. Adobe also took the opportunity to patch 31 other Flash vulnerabilities, an enormous load of fixes, many of which were for code-execution vulnerabilities.
Others receiving votes: