Google to Microsoft: Patch faster, you slowpokes

Google's researchers have become a major force in uncovering Microsoft's vulnerabilities -- not always to Microsoft's liking

Don't look now, but Google and Microsoft are at each other's throats again. This time it's over something more serious than whether users are being "Scroogled" or if Bing is stealing Google search results. It concerns the disclosure of critical security vulnerabilities that could affect us all.

In an extremely terse statement in its latest security advisory, Microsoft acknowledged that "targeted attacks" had occurred in the wild due to a vulnerability in Internet Explorer. According to Reuters, this security hole was made public last May by Google security researcher Tavis Ormandy, who skipped the usual protocol of notifying Microsoft first before telling the world -- or at least, the extremely geeky world of security wonks and hackers.


(Full disclosure: I've been unable to independently verify whether the "targeted attacks" referred to in the advisory are in fact due to the flaws revealed by Ormandy. The holes he revealed do not allow for remote attacks, which makes the scenario for a "targeted attack" hard to visualize. Perhaps readers with more gray matter than I can locate the links.)

In his posts, Ormandy noted that he was fed up with how Microsoft treated researchers like himself and that he didn't have "the free time to work on silly Microsoft code," so he was opening the hole to anyone who wanted to explore it further.

How long does it take Microsoft to get around to patching its products, minus any external pressure to do so? Try 17 years. That's how long it took to fix a hole in its Virtual DOS Machine made public in January 2010 by -- wait for it -- Tavis Ormandy.

Ormandy strikes again

Ormandy has become such a force in the Microsoft bug hunt that security blogger Graham Cluley renamed Patch Tuesday "Patch Tavis Day." That was back in 2010, around the time Ormandy revealed a zero-day exploit in Windows XP only five days after notifying Microsoft. Ormandy's maneuver ignited a raging debate in security wonk circles over what is or isn't "responsible disclosure," a debate that is only getting more heated.

In May 2013, shortly after Ormandy revealed the latest flaw in Windows, Google's Online Security Blog declared its new get-tough-on-security-slackers policy: Companies with critical vulnerabilities in their products would have seven days to patch the holes and/or notify customers before Google went public with the information.
