Friday, July 12, 2013

Microsoft warns of 'targeted attacks,' points finger at Google researcher's flaw disclosure

(Image: CNET)

Microsoft admitted this week that hackers had launched "targeted attacks" against its customers by exploiting a bug publicly disclosed by a Google engineer in June. The disclosure was relegated to a footnote in its monthly memo about security flaws.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," the software giant wrote on Patch Tuesday.

The sentence is a subtle dig at Google researcher Tavis Ormandy, who disclosed the bug, but not privately to Microsoft. Instead, he published it to a public disclosure list, a breach of white hat hacker etiquette. Ormandy defended his decision by stating that Microsoft was difficult to work with.

Three weeks after his initial disclosure (with no apparent action taken by Microsoft), Ormandy released the full exploit of the kernel vulnerability. The move kickstarted cyber attacks on affected companies and businesses, which found themselves unable to mitigate the damage because Microsoft hadn't patched the flaw.

Upon Ormandy's release of the full exploit, Microsoft acknowledged that there was "an issue" that affected all versions of Windows XP and above, using Internet Explorer 6 and above.

In fairness, the software giant had a fairly short runway to make the fix available: just six days before it was scheduled to issue its monthly security update. But instead of making an off-schedule fix, the company waited for the following month's update, on July 9, prompting Ormandy to take matters into his own hands.

Both parties are at fault.

Ormandy should not have disclosed the issue publicly, putting real businesses and people at risk by accelerating hackers' ability to exploit the flaw. He put his ego above the safety of the people he sought to protect, and there's little to defend that.

Microsoft should have moved more swiftly to patch the hole, or at the very least been less "difficult to work with," in the words of the Google engineer, in addressing the issue. Ormandy was graciously helping Microsoft; the company took that relationship for granted, and it backfired.

So who benefits from this snafu? No one.

Though Ormandy's disclosure was made on his own behalf, and not on behalf of his employer, Google has recently urged its own research community to blow the lid on flaws in as little as seven days, so long as the affected vendor was informed first.

"Each day [that] an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," Google engineers Chris Evans and Drew Hintz wrote on a company blog.

The new policy puts Google culturally at odds with Microsoft (more than it already is, anyway) and bucks industry convention. But the key underlying issue is that these large software companies are acting unilaterally, instead of working together to establish new norms. It doesn't help Microsoft when Google suddenly resets expectations for flaw disclosures, and it doesn't help either of them when Microsoft fails to meet that new standard.

ZDNet contacted Microsoft to ask why the update took so long to release, but Microsoft security manager Dustin Childs conceded little. He told us: "Microsoft carefully investigates newly discovered vulnerabilities and rigorously tests security updates on the affected operating systems and applications, and delivers solutions once they are ready."

If Google's recommendations are heeded, it is clear that the company's definition of "ready" may no longer be suitable.

Source: http://feedproxy.google.com/~r/zdnetaustralia/~3/4Xp042hAFBE/

