Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day

Microsoft confirms probe of vulnerability hackers could use to gain additional privileges on targeted PCs


SDL, for Security Development Lifecycle, is a process and practice that Microsoft adopted to reduce the number of bugs in its software. Other vendors, including Adobe, also rely on SDL-like processes.

In a May 15 entry to his personal blog, where he also laid out some of his research, Ormandy was even more blunt in his criticism of Microsoft.

"If you solve the mystery and determine this is a security issue, send me an email and I'll update this post," Ormandy said. "If you confirm it is exploitable, feel free to send your work to Microsoft if you feel so compelled. [I]f this is your first time researching a potential vulnerability it might be an interesting experience.

"Note that Microsoft treat[s] vulnerability researchers with great hostility, and are often very difficult to work with," he said. "I would advise only speaking to them under a pseudonym, using Tor and anonymous email to protect yourself."

Ormandy also accused journalists of abusing his disclosures. In a Monday tweet, he said, "You can't distribute exploit code to everyone, because journalists will abuse it."

When another researcher pointed out, "But dropping write-what-where PoC [proof-of-concept] is almost the same as dropping 100% reliable exploit," Ormandy replied: "No journalist knows what that means, but the people who need this information do."

According to Vulnerapedia, a "write-what-where" condition is "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow." Such conditions "almost invariably can be used to execute arbitrary code," the entry continued.

In other words, a write-what-where condition can be exploited to run attack, or exploit, code.

Ormandy has had dust-ups with other vendors over vulnerabilities. In mid-2011, he accused Adobe of "trying to bury" an "embarrassing number" -- he said more than 400 -- of bugs in Flash Player.

Microsoft will probably not rush to patch the vulnerability Ormandy disclosed, said Storms, even though it might be usable by astute hackers. "At this point, it's difficult to imagine that Microsoft will do much of anything outside of their usual incident response that begins with confirming the bug and possibly issuing an advisory," Storms said.

Microsoft's next regularly-scheduled Patch Tuesday is June 11, or just under three weeks from today.

This article, Google engineer bashes Microsoft's handling of security researchers, discloses Windows zero-day, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2013 IDG Communications, Inc.
