The 60-day patch guarantee
For its part, Google seems to approve of Ormandy's actions. In a blog post this week -- co-signed by Ormandy and six other researchers -- the Google security team reiterates its belief that 60 days is a "reasonable upper bound" for fixing "genuinely critical" vulnerabilities, claiming, "We of course expect to be held to the same standards ourselves." The post stops short of recommending rapid disclosure if a vendor seems to be dragging its feet, but encourages the industry as a whole to "[create] pressure toward more reasonably-timed fixes."
For many software developers, however, 60 days might seem too ambitious, particularly when it comes to fixing vulnerabilities in complex, server-based software. Security patches must be designed, implemented, rigorously tested, and then packaged for deployment. Occasionally they may need text localized into multiple languages before they can be distributed. A company as large as Microsoft might reasonably be expected to have the staff and resources necessary to guarantee a 60-day patch window, but not every software vendor is so fortunate.
Still, developers should beware complacency. Many customers are likely to think 60 days is far too generous. After all, they are the ones who are at risk when vulnerabilities go unpatched. What's more, companies typically must follow their own testing and validation procedures for new patches before deploying them, which adds to the time it takes to fix a vulnerability once a patch has been issued. The sooner a software vendor is seen to respond to a security issue, the more confidence its customers will have that their interests are genuinely being addressed.
Raising the alarm or simple blackmail?
The more troubling issue for many developers is the manner in which Ormandy made his disclosure. He could have waited the full 60 days -- a "reasonable" period of time, by his own admission -- before publishing the exploit. Instead he went ahead and made his disclosure, seemingly out of frustration that Microsoft wasn't paying enough attention to him. That raises legitimate questions as to how much input customers should reasonably expect to have regarding software vendors' procedures and practices. Some critics have gone as far as to describe Ormandy's actions as "blackmail" -- and it surely doesn't help matters that Google and Microsoft are bitter rivals.
The Windows XP Help vulnerability is now closed, but within the security community the Battle of Ormandy has only just begun. The issue of what constitutes "reasonable" disclosure will resurface again and again in the coming months as new vulnerabilities are discovered. But whatever your own opinion of Ormandy's approach, there's no escaping that security vulnerabilities are a fact of life in the software business. Developers would be wise to take heed of this incident and plan accordingly.
While Ormandy was perhaps overeager in disclosing this vulnerability, Microsoft also made mistakes. It failed to appreciate the seriousness of the bug in Ormandy's view and it failed to keep the lines of communication open as it decided upon a course of action. Perhaps it simply thought it was too big a company to have to listen to one lowly customer. But if that attitude backfired for Microsoft, smaller software vendors certainly can't afford to make the same mistake.
This article, "Google vs. Microsoft: The battle of Ormandy," originally appeared at InfoWorld.com. Read more of Neil McAllister's Fatal Exception blog and follow the latest news in programming at InfoWorld.com.