
Oh, it is ON between Google and Microsoft. A Google security engineer in Switzerland warned Microsoft of a vulnerability in Windows XP, but after they didn’t fix it within five days, he went public with the hacker’s wet dream.
Tavis Ormandy was the Google engineer who discovered the XP hole in the Windows Help and Support centre, which normally lets people download help documents from the internet when needed. If you know what you’re doing, though, the hole lets you do more than fetch help files: you can “execute arbitrary commands with the privileges of the current user,” according to the engineer, on PCs running Windows XP SP2 or SP3 with IE7 or IE8.
While going public before the flaw was fixed might not have been the smartest move, Ormandy believes it was the only way to make Microsoft sit up and pay attention, rather than shelve the problem for a later day: “If I had reported the…issue without a working exploit, I would have been ignored,” he wrote in a blog post. Microsoft understandably hit back, with Jeff Bryant, the group manager at the Microsoft Security Response Centre, writing of his concern “about the public disclosure of this issue given we were only notified about it by this researcher on the 5th of June”.
Security experts are now calling for a public hanging (well, dismissal) of Ormandy, with the CEO of SecTheory, Robert Hansen, wading in and saying that he should be fired. I think that’s a little harsh personally, but what do you feel about Google publicly admonishing Microsoft about their security flaws – especially in light of ditching Windows as their HQ OS of choice? [ComputerWorld]
The Joker
Saturday, June 12, 2010 at 8:11 PM
Idiotic…. Surely Microsoft should have been given more time, and even then going public seems reckless, as some poor people find themselves on the receiving end of this exploit before a fix is available. What then, Mr smarty pants engineer? Your intentions were admirable, but how are you going to fix things for them?
Anon
Saturday, June 12, 2010 at 8:46 PM
They could have given them a little more time to respond. 5 days isn’t a reasonable time to expect a patch. 5 days isn’t even a reasonable amount of time to expect the information to reach the right people.
The guy was just impatient to show off how clever he was and didn’t feel like waiting around for the problem to be fixed.
obsidian 351
Sunday, June 13, 2010 at 11:29 PM
Would be interesting to see if the shoe was on the other foot: if a Microsoft security engineer found something wrong with Google Chrome, then went public after 5 days, people would go nuts, “Microsoft is evil” and so on.
Jay
Tuesday, June 15, 2010 at 3:03 PM
Why is 5 days not a considerable amount of time to respond back and say, “we are in receipt of your email and it has/will be escalated and we shall get back to you soon”?
In a world where people watch twitter channels, RSS feeds, and emails for instant information, why do they need more than 5 days to respond or maybe just acknowledge the email?
Paul
Thursday, June 17, 2010 at 10:43 AM
Microsoft IE 8 SUCKS!!! When I first purchased my computer I set everything up and signed into Facebook to check my mail. The next time I tried to sign in, nothing happened. It stays on the sign-in page and after several attempts notifies you that numerous attempts to sign in to your account have been made and requires you to go through the security words; then, when you do, it starts all over again. So, I say again, Microsoft and IE8 suck!! Give me Mozilla any day!! It’s free, works perfectly and best of all doesn’t put one nickel in Gates’ pocket!!!