Software developers should never take reports of security vulnerabilities lightly. But to ignore a vulnerability to the extent that you won't even commit to a timeframe to fix it is utterly irresponsible.
That's how Google information security engineer Tavis Ormandy saw it, at least. So when Microsoft hemmed and hawed at the critical security bug he discovered in the Windows XP help system, Ormandy took matters into his own hands. He published a full description of the vulnerability to the Full Disclosure security mailing list, including proof-of-concept attack code.
[ Stay up to date on key software development trends in InfoWorld's Developer World newsletter. ]
The result, predictably, was a firestorm. Microsoft publicly condemned Ormandy's actions, claiming the disclosure "makes broad attacks more likely and puts customers at risk." Since then, real-world exploits of the bug have begun to appear. In a blog post last week, Graham Cluley, a senior technology consultant for security vendor Sophos, again berated Ormandy, asking, "Do you feel proud of your behavior?"
Microsoft has since published a fix for the vulnerability, but the incident has left the security community deeply divided. Moreover, it raises important questions for software developers. How should developers handle security vulnerabilities when they are reported by customers? What's reasonable procedure for addressing them? And how should they react when their own customers seemingly become their worst enemies?
When researchers attack
Ormandy maintains that his actions were not only justified, but necessary. When he first approached Microsoft regarding the vulnerability, he hoped the software vendor would agree to produce a patch within 60 days. But when his negotiations with Microsoft employees dragged on for five days and Microsoft still had not committed to any kind of patch schedule, he became frustrated with what he saw as dangerous negligence on the Redmond-based vendor's part. Only then did he make the decision to go public.
That wasn't fair, say Microsoft reps. Had Ormandy waited, Microsoft would have been able to commit to a formal schedule the following Friday, just six days after learning of the vulnerability. Instead Ormandy jumped the gun, rendering any further discussion moot.
But while Microsoft and critics like Cluley want to hold Ormandy personally responsible for the exploits that have appeared since he made his disclosure, that's not really fair, either. It's true that security researchers weren't aware of any exploits of this particular vulnerability until now, but then why would they be? They weren't even aware of the vulnerability until now. That's no guarantee that malicious hackers hadn't already added it to their arsenals.
Nor was this the first time Ormandy took the controversial step of disclosing a security flaw publicly. He's well-known in the security community, and earlier this year he used a similar tactic to pressure Oracle into fixing a dangerous Java vulnerability. Oracle patched that flaw in just six days. It seems unlikely that Microsoft would have issued a patch for this latest vulnerability as soon as it did had it not been under similar pressure.