
[WINXP] Vulnerability exposed by google employee

Discussion in 'Windows Operating Systems' started by Davo1111, Jun 14, 2010.

Poll: Did the employee do the right thing by publicly releasing the vulnerability?

Poll closed Jun 17, 2010.
  1. yes - the public has a right to know: 66.7%
  2. no - he should have waited longer: 8.3%
  3. no - he should wait until MS tells him it's fixed: 8.3%
  4. candy / unsure: 16.7%
  1. Davo1111

    Davo1111 Member

    Joined:
    Mar 5, 2009
    Messages:
    3,017
    Location:
    Sydney
    http://www.pcmag.com/article2/0,2817,2364988,00.asp

    Summary
    • Google employee finds security vulnerability in XP
    • Lets Microsoft know via email (receives return receipt)
    • 5 days later releases his findings publicly (with a possible fix) when nothing is done about the issue
    • Microsoft gets angry at the employee for letting everyone know
    • Google employee claims "responsible disclosure"

    So what do you think? Should he have told everyone? Apparently companies can drag this out for months saying "we're working on it". How long would you wait before letting it go public?

    MODs: thought this would be most appropriate in Windows, rather than Current Events. Could you please move it across if you disagree?



    UPDATE: a security patch has been provided, however it won't be "auto downloaded" until next month :/ http://support.microsoft.com/kb/2219475 Click the "fix" button on the link provided to close the hole.
     
    Last edited: Jun 19, 2010
  2. Menthu_Rae

    Menthu_Rae Member

    Joined:
    Mar 19, 2002
    Messages:
    7,039
    Location:
    Northern Beaches, Sydney
    You can argue the dude is wrong for publishing the exploit etc. etc. - but at the end of the day, if one guy discovered it, someone else could discover it - the "someone else" could then use it maliciously without giving Microsoft any info whatsoever.

    At the end of the day, Microsoft need to get their act together and respond to urgent security threats quicker. I mean how many exploits are out that they only fix once a month on the 2nd Tuesday?

    On top of this they find it necessary to push out unwanted updates like this one here.

    I'm sure I'll cop some flak from the MS fanbois, but seriously, MS have a long way to go in the security department. I'm glad I don't have such a long patch cycle with the OS I run.
     
  3. OP
    OP
    Davo1111

    Davo1111 Member

    Joined:
    Mar 5, 2009
    Messages:
    3,017
    Location:
    Sydney
    I agree. Personally I would have given them a week (assuming the update was after that). Also I probably would not have posted the vulnerability through my work email address.

    MS seem to be quite quick at attacking him, but not very quick at addressing the problem. /grumbles.
     
  4. Maelstrom

    Maelstrom Member

    Joined:
    Jul 10, 2001
    Messages:
    1,652
    Location:
    Canberra
    Notice that the fact that the guy is a Google employee is part of the headline?

    Keep in mind that Google has an incentive to undermine confidence in Microsoft's OS security history since it is competing via AndroidOS and ChromeOS. Microsoft likewise has an incentive to paint Google as selfish and exposing others to risk by being impatient.
     
  5. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,422
    Location:
    Narrabri NSW
    5 days is plenty for a security issue to be fixed by a company like MS. They should have it fixed within 1 business day, and tested within the next.

    This has been done before. MS gets real upset, but reality is they should fix the problem. As someone else mentioned, if a "good guy" can find it, so can the "bad guys".
     
  6. Long Haired Git

    Long Haired Git Member

    Joined:
    Jul 26, 2001
    Messages:
    2,667
    Location:
    Hornsby, Sydney
    A "read receipt" is one thing, a confirmation or acceptance is another.
    I imagine a good process is:

    1) Email received by MS email system
    2) Automated email response processes a reply to this email stating they acknowledge its receipt and are looking at it. They humbly request the sender keep the exact details of the possible exploit secret until MS acknowledge it is a real exploit, prioritise it and provide a fix. They commit to following up via email within N days.
    3) Within N days, some person has at least read the email and checked if it is a real exploit. Write another email stating what MS are going to do about it, and by when.
    4) Repeat step three and beg for more time until you've coded, tested and made available a fix. Communicate, communicate, communicate.

    Turning around a bug fix for an operating system deployed across the variety of hardware XP is deployed on, running the business-critical processes it runs, and promising compatibility with software like XP's application base, is not a "hack it up in a day and bang it out" sort of thing. I'd guess MS have automated regression test suites and a huge set of hardware for automated deployment and testing, but it will be days, and weeks isn't unreasonable if it's a core component IMHO.
     
  7. choppol

    choppol Member

    Joined:
    Jun 13, 2010
    Messages:
    47
    I know that everyone complains about MS but I for one have to admit that after working for them for 2 yrs I see that it is very hard to get things fixed straight away because of different hardware combinations and also software.

    The OS hotfix team will have to code a fix up and then it goes to the testers. The testers work virtually 24 hrs to get a critical fix on all combinations of hardware and software configuration before signing it off.
     
  8. Swathe

    Swathe (Banned or Deleted)

    Joined:
    Mar 23, 2007
    Messages:
    2,508
    Location:
    Rockhampton
    I am for full disclosure of exploits for any operating system.
     
  9. phreeky82

    phreeky82 Member

    Joined:
    Dec 10, 2002
    Messages:
    9,863
    Location:
    Qld
    5 days, 1 day, 1 hour - some might consider it irresponsible I guess. But let's not forget this person discovered the vulnerability, not caused it. That would be Microsoft's fault.
     
  10. James086

    James086 Member

    Joined:
    Mar 25, 2010
    Messages:
    3,160
    Location:
    Perth
    Not the way I would have done it but it's not like he caused the problem. I think the reason he exposed it so quickly is because Google wants to be the dominant OS company soon. I probably would have waited 2 update cycles and then gone public.
     
  11. alvarez

    alvarez Member

    Joined:
    Jun 25, 2006
    Messages:
    2,626
    Location:
    Geelong 3218
    I too am in support of full disclosure, for a number of reasons both ethical and technical. More so after an exploit is exploited, i.e. what happened when OCAU was hacked, rather than this sort of issue. Sure there are people who will take advantage of an exploit, but it will get MS to patch it faster and increase security awareness.

    At the end of the day my understanding of this attack (from the layman's version on PC Mag) is that it is no different from any other web-based attack, just that it is launched via the Help and Support Center rather than a traditional browser. As such it's not a big deal (touch wood), there are many other huge security holes in XP, and is MS still even supporting XP?
     
  12. thebrad

    thebrad Member

    Joined:
    Jan 5, 2009
    Messages:
    168
    Location:
    Adelaide, Australia
    Yeah I think they are until 2014 or something. As XP is still heavily used in the corporate environment. And since it is still supported MS should be doing everything possible to get the problems fixed still. +1 the Google engineer.
     
  13. HUMMER

    HUMMER Member

    Joined:
    Dec 1, 2002
    Messages:
    8,786
    Location:
    sydney
    microsoft can suck donkeys salty nutsacks. they were informed about it. they did nothing. serves them right.
     
  14. LiNERROR

    LiNERROR Member

    Joined:
    Apr 20, 2004
    Messages:
    129
    Location:
    US
    responsible disclosure -- report to the company that they have a problem. report to the world they have a problem.

    If the company doesn't like getting exploited maybe they should either get to work on the fix, or write better code...


    So no surprise that MS is jumping and screaming -- they'd still be complaining if it was made public 30, 60 or even 90+ days in the future... as they've demonstrated in the past, if it's not public why patch it...

    +1 to the engineer who found it, and probably already patched it.
     
  15. bumography

    bumography Member

    Joined:
    Mar 8, 2006
    Messages:
    1,547
    Location:
    Adel
    Anyone know the patch that fixed this?
     
  16. dalien

    dalien Member

    Joined:
    Dec 24, 2001
    Messages:
    1,717
    Location:
    Some where in Aus
    Not really sure why anyone cares about XP now... Win 7 is the new XP but miles better...
     
  17. bumography

    bumography Member

    Joined:
    Mar 8, 2006
    Messages:
    1,547
    Location:
    Adel
    A lot of workplaces still use XP, as there's really no need for them to migrate to 7.
     
  18. SHRUÐE

    SHRUÐE Member

    Joined:
    Sep 5, 2006
    Messages:
    222
    Location:
    Sydney

    Miles better...
    Win 7 is supposed to be the largest breakthrough in an OS since Win 95


    However...
     
  19. OP
    OP
    Davo1111

    Davo1111 Member

    Joined:
    Mar 5, 2009
    Messages:
    3,017
    Location:
    Sydney
