Microsoft Re-ignites the Ormandy Full Disclosure Issue

This debate has been re-ignited over the last few days following a fix this week (in the Microsoft Patch Tuesday bulletins) for a vulnerability discovered and disclosed by Tavis Ormandy (a Google engineer who researches vulnerabilities in his own time) back in May. Apart from the technical details, Ormandy made his personal views very clear: "I don't have much free time to work on silly Microsoft code," he wrote.

In a separate blog, he added, "Note that Microsoft treat vulnerability researchers with great hostility, and are often very difficult to work with. I would advise only speaking to them under a pseudonym, using tor and anonymous email to protect yourself."

Personal issues aside, however, Ormandy's disclosure effectively created a zero-day exploit that has been around for at least two months, until fixed by Microsoft on Tuesday. He has been much criticized for this. Graham Cluley, who is an ardent 'responsible' rather than 'full' disclosure supporter, commented on his blog: "It leaves a slightly bad taste in the mouth to see somebody who is a Google security researcher have a pop at Microsoft." (Reuters). Ormandy had earlier criticized Sophos (Cluley's former employer) for "poor development practices and coding standards." Cluley has since told Infosecurity: "my criticism of Ormandy's approach to vulnerability disclosure isn't related to the attention he showed to Sophos's products. In fact, my criticism of him predates his interest in Sophos, as I was critical of him back in 2009 when malware authors exploited another MS security hole that he had gone public about."

Dwayne Melancon, CTO at Tripwire, has added his thoughts. "In today's environment, organizations are hyper-concerned with responsible disclosure of vulnerabilities and sharing of threat-related information. I am surprised that someone associated with Google would disclose flaws like this in such a reckless manner. Obviously, it is possible that some people were aware of this flaw before it was disclosed, but now it is 'generally available' before Microsoft has a chance to deal with it. That will undoubtedly harm some number of Microsoft customers, including large enterprises and governments."

It had been thought that Ormandy's vulnerability would be difficult to exploit, and there had been no reports of its use. Now that it is fixed, Microsoft is saying that it had in fact been aware of targeted attacks; but not to worry, because now it's fixed. It updated its July Security Bulletin: "Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8."

And it published a separate blog posting claiming, "we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild... The good news," it added, "is that the memory corruption vulnerability used in this attack – CVE-2013-3163 – has been already addressed by yesterday's Microsoft Security Bulletin MS13-055."

The full versus responsible disclosure debate goes on.