
Responsible disclosure and its irresponsible advocates

Tavis Ormandy's public full disclosure of a Microsoft Help Center vulnerability has stirred up a storm of controversy, in which he has been burned at the stake by Microsoft and his own peers.

The Full-Disclosure Mailing List is hosted by Secunia to facilitate discussion of security issues. Archives of the list are mirrored by SecLists.org, which describes the Full-Disclosure list thusly:

An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.

One such gem was Tavis Ormandy's disclosure of a Microsoft Windows Help Center vulnerability on the 10th of June. Given the nature of the Full-Disclosure list and Microsoft's security record, the only thing I initially found surprising about this vulnerability report was the depth of the analysis, which covered the merits and flaws of the Microsoft Help Center architecture, and the educational tone of the report.

Over the next couple of weeks, however, a drama unfolded that I found somewhat more surprising than that. The obvious, and expected, response from Microsoft came as no shock -- a scathing attack on the character of the security researcher who discovered the vulnerability.

Microsoft, like many vendors, advocates a policy such vendors call "responsible disclosure." This policy involves informing the vendor as quickly as possible, and informing anyone else effectively never, letting the vendor do the job of giving credit where it is due, and leaving users in the dark about the vulnerabilities that may affect them until the vendor gets around to patching them . . . some day. Given Microsoft's record for vulnerability response, I am sure you will forgive me for lacking faith and confidence in the diligence and timeliness of corporate software vendors when it comes to vulnerability fixes.

As I previously pointed out when I asked How should we handle security notifications?, it may even be far more important to inform people they are vulnerable than to get the vulnerability patched. After all, given a poor track record for vulnerability handling, it should not take long for users to come to the conclusion that the best way to "patch" a given application's vulnerabilities is to stop using it in favor of competing software that has a more secure design and gets more timely attention from the people whose job it is to keep the application secure. Specifically, I said:

Corporations have no right to hide behind any grace period. The customers -- the software users and the people whose personally identifying information was accessed by malicious security crackers -- have a right to know when their software is defective, when their finances are at risk, and so on. They need this information if they are to effectively limit the damage to themselves.

There are legitimate differences of opinion in the security community about how vulnerability notification should be handled. The two polar extremes are "responsible disclosure," explained above, and "full disclosure," wherein a security researcher publishes all information (often including proof-of-concept exploit code) for all the world to see. Within reasonable limits, I personally do not feel I can fault anyone along that spectrum between full and "responsible" disclosure; by reasonable limits, I mean limits like, "I will not wait eight years while you do nothing before disclosing this to the public."

In fact, I see little reason to wait more than a couple weeks, if a security researcher wishes to give a vendor a reasonable amount of time to develop a patch. Whether disclosing proof-of-concept exploits before a patch has been developed (within reasonable time constraints) is really advisable is certainly debatable, but there are arguments for it based on a genuine concern for security, and demonizing researchers for doing so is entirely uncalled-for.

Still, Microsoft's wholly unreasonable (and even childishly spiteful) response did not surprise me. At first glance, it may appear a very polished, professional piece of writing -- and in fact it is, but its underlying motivation is clearly one of misdirection, casting blame, and generally behaving in a manner unbecoming to someone who pretends to adulthood.

The first sign of this is Microsoft representative Mike Reavey insisting on referring to Tavis Ormandy only by the phrase "Google researcher", despite Tavis' clear statements to the effect that while he is a Google employee, the Microsoft competitor itself had nothing to do with the discovery and disclosure of this vulnerability. Tavis Ormandy analyzed the vulnerability and developed a report for it on his own time, and credited a few other individuals for their aid when he asked for it.

Reavey goes so far as to call the work-around presented by the Full-Disclosure list report "the actual workaround Google suggested", for a moment dropping any pretense of recognizing that it was Tavis Ormandy's work, instead casting Google itself in as negative a light as possible. Rather than focus on the vulnerability and how to fix it, Mike Reavey chose to take the opportunity to try to create bad press for a competitor that was largely irrelevant to the entire episode.

Still . . . not surprising. It is unethical, spiteful, and dishonest, but hardly surprising.

The fact of the matter is that, like any extremely responsible security researcher should, Tavis Ormandy wanted Microsoft to agree to a deadline for development and deployment of a patch for the vulnerability he reported, and of course Microsoft would not agree to any reasonable deadlines after which Tavis would be free to tell the victims of Microsoft's tardiness in addressing the matter that they were vulnerable to attack. As a result of Microsoft's refusal, Tavis Ormandy elected to take Microsoft at its word (that there would be no timely response to the vulnerability) and inform the public himself so that people could at least attempt to protect themselves for however long Microsoft remained AWOL on the matter.

Microsoft's response, in the person of Mike Reavey, paints a picture of someone acting on behalf of Google to give Microsoft a grand total of less than four days to produce a patch, when the truth of the matter was that an independent researcher who happens to be employed by Google (and clearly dissociated himself from his employer in his notification) gave Microsoft five days of his life trying to convince the corporation to agree to fix the vulnerability in under two months.

So . . . what do I find surprising?

What I find surprising is the manner in which supposedly independent security researchers parrot Microsoft's character assassinations, resorting to casting aspersions on Tavis Ormandy, disingenuously linking Google to the entire fracas as if its founders were themselves responsible for the report to the Full-Disclosure mailing list, and completely inappropriate name-calling:

Yes, Tavis is a terrorist!

Really? Is this how far we have gotten from reasonable discussion? Do we really call people who disagree with us about vulnerability disclosure "terrorists"? Never mind the fact that Tavis Ormandy tried the "responsible disclosure" route before and waited seven whole months before giving up on Microsoft doing the right thing. When they flat-out refused to agree to any kind of reasonable timetable this time around, he only took the corporation's representatives at their word and cut to the chase. For this, he is labeled a terrorist.

I am a strong believer in the importance of a community to keep the security profession honest. That community is necessary for peer review, development of ideas through discussion, and connecting people with complementary skill sets in ways that corporate software vendors would really rather never occurred.

Right now, I am sorely disappointed in the maturity, honesty, and fair-mindedness (to say nothing of the grammar skills) of the security community. There are some members of the community who defended Tavis Ormandy, and others who simply took a reasonable approach to deconstructing the falsehoods and misdirections of those who have jumped on Microsoft's bandwagon, but even a sizable minority of members of that community taking a nearly point-for-point duplication of Microsoft's approach to assaulting Tavis Ormandy's and Google's reputations is enough to make me question how long such a "community" can survive its own membership.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

23 comments
tinyang

I think it is Microsoft being irresponsible in this case.

tinyang

"Tavis is a terrorist" is pretty much the same attitude as the "Linux advocates are commies.." comment or some such that Steve Ballmer made... Their attitude has not changed at all.

micheldufrenoy

Finally, we have a breath of fresh air. It fills me with joy that a reporter in the field is not cowed by these corporations. Let's just hope TechRepublic feels the same.

Jaqui

how long did he try to convince MS to produce the patch in a 2 month time frame? 5 days? from my reading of the article, the 7 month thing was a different exploit. personally, I would hold MS to the EXACT SAME TIME FRAME AS OPEN SOURCE PROJECTS USE. 24 hours from notice to public disclosure. they get 24 hours to have a patch ready, just like any open source project.

pjboyles

So far as I see we have spoiled brats screaming NOW! NOW! NOW! instead of responsible adults:

1. Inform the party responsible for the applications / OS about the issue.
2. Let them know you will wait 60 days to publish the details.
3. Hold exploit code 120 days or until 30 days after the patch release if the patch is released within the 120 days.

Give those responsible time to work and test, then the end users time to patch and test! This is responsible and reasonable. It has a carrot and stick. Demanding the party responsible for the application / OS give you some kind of time line up front is petty and really unrealistic. There are many moving parts to a corporation and often they cannot give time lines or even specific acknowledgments due to legal issues. So to Tavis, quit being a spoiled brat and grow up. To Microsoft, take the high road. It is a better place to be. To the others, stop adding to the fire. As to a workaround which disables functionality, they are rarely useful in the real world. People use that functionality to do their jobs and disabling is not an option. (Pet peeve of mine!)

andy.kitzke

Good points and great thoughts. I'm glad you looked at the side that wasn't getting a majority of press. The only thing I want to say is that I completely disagree with the primary point of your thoughts. Five days regardless of past experiences is extremely irresponsible. This vulnerability was a system tied closely to the core of the OS that as far as I know can't just be shut off. Saying that by alerting the general mass to this vulnerability allows them to move to a different platform/application is a fallacy. What are the general masses options? Linux/Mac/Novell?? The general mass neither has the time, nor money, nor expertise to convert their entire digital life to a different operating system in the blink of an eye. In addition would you recommend the same thing when they discover a critical vulnerability in Mac OS X or a Linux Kernel? Did you know Apple just patches 65 iOS vulnerabilities with version 4. Does that mean I should move to Windows mobile 7 or Android? I get what you're saying, but man it's just not realistic. What's realistic is for a security researcher to give a company at least a month or two to start the gears rolling. Five days is just as childish as the remarks Microsoft made about the said researcher. If after a month or two the company continues to drag their feet, give a date where you will release full disclosure that's a week or two out. The point is not to hide it, but instead to show the company you won't be pushed around, you've found a serious vulnerability, and people are at risk. Microsoft is just like any other company, they have priorities, and sometimes their priorities aren't yours or mine. Doesn't make them right any more than it makes the security researcher right, but giving them no time to try to start coding a fix is just plain ignorant.

seanferd

There is an archive full of them here. His articles also have many other points of excellence.

RipVan

They have bigger things to worry about. Like the timeline on their next revenue stream...

apotheon

So far as I see we have spoiled brats screaming NOW! NOW! NOW! instead of responsible adults You're off to a great start. I guess you aren't interested in reasoned discussion -- you, just like "rsnake" and the rest of those yahoos, just want to offend someone. Who, exactly, do you think people will identify as acting like a child under those circumstances? Do you remember (in the article) when I mentioned "wholly inappropriate name-calling"? Yeah. You're doing it. Good job, proving the general trend -- that people who support Microsoft's "responsible disclosure" spiel are immature, abrasive, and uninterested in actually discussing the matter like adults. Demanding the party responsible for the application / OS give you some kind of time line up front is petty and really unrealistic. There are many moving parts to a corporation and often they cannot give time lines or even specific acknowledgments due to legal issues. There's a simple, easy answer to that: It's not my fault Microsoft's business model sucks. I don't see why customers should suffer if Microsoft can't do things in a timely manner because of its overly complex, lumbering, bureaucratic corporate structure. How does Microsoft's inefficiency equate to justification for people out here in the Real World being vulnerable for months at a time? As to a workaround which disable functionality, they are rarely useful in the real world. People use that functionality to do their jobs and disabling is not an option. Getting your box owned by some malicious security cracker is usually not "useful in the real world" either. There are other ways to work around the vulnerability -- stuff that'll work for basically *any* similar vulnerability, and only requires some tightening of controls temporarily (rather than wholesale deactivation of critical business functions) -- but one only knows to use such work arounds if one knows about the vulnerability. 
If Microsoft isn't going to fix the problem in two damned months, the sooner we know about the vulnerability so we can do something about it, the better. Anyway . . . this particular piece of functionality affected by the vulnerability shouldn't be part of anyone's critical business process, so it's no big deal if you shut it off. That's especially the case when one considers that online forum discussion is far better help than Microsoft Windows' Help system. (Pet peeve of mine!) People who think shutting down some piece of software for security's sake is such a terrible imposition that they refuse to shut down something utterly useless like Microsoft Help Center, or to give up Flash they use to watch videos of cute kittens on YouTube, or something asinine like that, constitute one of my pet peeves.

apotheon

Saying that by alerting the general mass to this vulnerability allows them to move to a different platform/application is a fallacy. That's not what I said. I'll quote myself: After all, given a poor track record for vulnerability handling, it should not take long for users to come to the conclusion that the best way to "patch" a given application's vulnerabilities is to stop using it in favor of competing software that has a more secure design and gets more timely attention from the people whose job it is to keep the application secure. That sets a context for discussion of a track record of vulnerabilities -- and not of a specific, perhaps temporary, response to a single vulnerability in a manner intended to address a distinct, "right now" kind of work-around. If you're wearing body armor that fails to protect you fifteen times, switching to different body armor with a better protective record might seem like a good idea. It won't protect you from the bullet that already hit you, serving as the last straw, however. Thus, I'm not saying "stop using it in favor of competing [body armor]" to prevent the last bullet that already hit you -- I'm saying you might want to "stop using it in favor of competing [body armor]" to protect yourself against future bullets. What are the general masses options? Linux/Mac/Novell?? Those are some options. There are more, as well. In addition to a plethora of very different Linux distributions (including Novell's SUSE Linux), there are also several BSD Unix OSes, Plan 9, MacOS X, Haiku, ReactOS, and many more. The general mass neither has the time, nor money, nor expertise to convert their entire digital life to a different operating system in the blink of an eye. Who said anything about "the blink of an eye" (other than you)? See above, re: choosing something different to hedge against the troubles of the future, as opposed to choosing something different to try to undo the troubles of the past. 
In addition would you recommend the same thing when they discover a critical vulnerability in Mac OS X or a Linux Kernel? Not just for that. I might recommend the same thing if, say, a FreeBSD user is griping about FreeBSD's maintainers routinely taking many months to fix critical vulnerabilities, though. Luckily, FreeBSD's maintainers don't do that because, unlike MS Windows' maintainers, they actually care about the quality of their work enough to do a good job of maintaining it. Did you know Apple just patches 65 iOS vulnerabilities with version 4. Does that mean I should move to Windows mobile 7 or Android? Nope. There's a big difference between a vendor that patches a bunch of vulnerabilities and a vendor that doesn't patch a bunch of vulnerabilities for a period of months or years. If Apple's developers sat on those vulnerabilities for months or years before finally patching them with v4, then maybe you should consider switching. Remember, there's more to security than counting vulnerabilities. Of course, there are reasons to switch from Apple's mobile OS to other mobile OSes -- some of which are among the reasons I chose an Android smartphone rather than an Apple smartphone when I got mine. Some of them are even security reasons. The simple fact that Apple patched a bunch of vulnerabilities isn't one of them, though, and I'm in no way advocating anyone drop MS Windows just because it has had some vulnerabilities patched. If you're going to argue against me, I'd appreciate it if you argued against positions I've actually taken. What's realistic is for a security researcher to give a company at least a month or two to start the gears rolling. "Realistic"? I guess that's realistic, in that it really happens all the time. It's not reasonable, though. It's downright nuts, in my considered opinion. 
If you had bothered to read the linked article, How should we handle security notifications?, you would have noticed that there's nothing at all unrealistic about expecting quick turn-around times on patch development and deployment. From that article: A week is more than enough in most cases. Major open source software projects routinely turn out security fixes in less than a day; there's no reason a software vendor shouldn't be able to achieve the same record. The fact they're allowed to take months, or even years in some cases, to fix a glaring problem with security is the reason they often take months or even years to fix such problems. The tighter the schedule under which they must operate, the higher the priority security issues will become. Does that make the situation any clearer? How about the fact that Microsoft has actually developed and released a patch in ten days -- a patch it described as very complex and challenging? Does the fact that Microsoft developers have demonstrated that they can develop and release patches that are very complex and challenging in a reasonable amount of time change your opinion about whether completely unreasonable amounts of time should be allowed for them to dither about it while the company's customers are at risk? Does the fact that many open source software projects' average patch development and testing times are lower than Microsoft's best to date change your perspective any? In short -- does actually knowing anything at all about the subject change your opinion? I can only assume that your opinions on the matter are based on ignorance, because I really don't have reason at this point to believe you're actively malevolent. Five days is just as childish as the remarks Microsoft made about the said researcher. You seem to be making the same mistake as the people I mentioned who parroted Microsoft's spiel: assuming that he basically only gave Microsoft five days to fix it. 
Instead, what happened was that he argued with Microsoft about the urgency of the fix, and tried to get them to commit to doing something about it sooner rather than later. He tried for a deadline of sixty friggin' days. Sixty! Two months! That's how long you suggested he give them in the first place -- far more time than anyone in Microsoft's position should have to fix a privilege escalation bug, particularly in software that is so widespread and so prone to getting unprivileged accounts compromised. The idea of giving them two months seems, to me, insane -- and the idea of mistaking him giving up on Microsoft when the corporation's representatives wouldn't even say they'd try to get out a patch in two months for him only giving them five days is equally nuts. Microsoft is just like any other company, they have priorities, and sometimes their priorities aren't yours or mine. This is obvious -- and it is, in fact, the crux of the issue. Microsoft's priorities have nothing to do with protecting its customers. That is a problem. We should force Microsoft's hand as much as we reasonably can, making it pay more attention to its customers' priorities, or ditch Microsoft in favor of someone else who will. If you just acquiesce to Microsoft's priorities, you're in effect saying that Microsoft's priorities are the same as yours, which is kind of stupid, frankly. Doesn't make them right any more than it makes the security researcher right, but giving them no time to try to start coding a fix is just plain ignorant. Basically, Tavis Ormandy was trying to give them more time -- but Microsoft didn't want it. Microsoft didn't want "more time", because it wanted "infinite time". Screw that.

ultimitloozer

The issue originates with improper parsing & validation of the URI passed to the HCP protocol which is used in the help system. The HCP protocol is easily disabled by removing a registry key. The way they should have handled this one is to issue an advisory with instructions on how to disable the HCP protocol (or create one of their FixIt solutions for it for the general masses), then start working on a real fix for the issue. Granted, this solution also breaks parts of the help system, but it also keeps the user safer than if they don't do it. But then again, publishing POC exploit code for this after such a short period was an idiotic stunt as well. Yes, MS has a miserable track record in responding to reported vulnerabilities and they need to do a lot more work in this area, but they still need time to verify the researcher's claims, check for other vulnerable products (since the researcher only tested on XP), produce a working patch and perform regression testing. A month or two seems reasonable. Less than a week before releasing POC code is entirely unreasonable.

apotheon

I appreciate the compliments. I maintain a mostly-up-to-date list of my TR articles in the IT Security column at http://apotheon.com/pub. (My other TR articles, from before it switched to this Weblog/column format, are not listed on that page.)

Jaqui

if there was full public disclosure 24 hours for every exploit, MS would be getting raked over the coals in public opinion, like every other operating system does. might speed up MS in getting patches out. edit : typo

ctaylor

I do find it amusing that you complain about people using terms such as immature and abrasive. Pot, meet kettle.

seanferd

that you mentioned rsnake as one of the people on the "responsible disclosure"* front. I say that I am just a bit disappointed with that. Too bad, really. I haven't been following security as deeply as I had in the past. I guess I'm out of the loop. * Yeah, those are scare quotes. Fear the contents.

Jeff744

"Never mind the fact that Tavis Ormandy tried the 'responsible disclosure' route before and waited seven whole months before giving up on Microsoft doing the right thing"

Paymeister

You wrote, "A month or two seems reasonable. Less than a week before releasing POC code is entirely unreasonable." ...but the original article said, "He] gave Microsoft five days of his life trying to convince the corporation to agree to fix the vulnerability in under two months." Looks to me like you actually support what he was trying to do: he wanted Microsoft to commit to fixing the problem within two months. They said, "we won't", and so he published. As reported, he did NOT give them five days to fix the problem, rather he gave them five days to commit to fixing it within two months. Certainly seems he started down the right path, but Microsoft kicked him off of it.

seanferd

Sometimes it can be a bit of a pain to even search by author for articles here. I used to have some luck using advanced searches from Google or other engines, but I get far too many irrelevant results any more. So I appreciate your index.

santeewelding

And original phrasing serve here only for you to be set upon by Africanized bees.

seanferd

Don't be so hard on yourself. You may simply have a slight reading comprehension issue.

apotheon

Are you actually going to say something meaningful that adds to the discussion, or at least tells a first-offender to shut up, or are you just going to further decrease the signal:noise ratio? As useless as peter.j.boyle's commentary was, at least it was on-topic. Here's a hint: What do you think of the matter of "responsible" versus "full" disclosure -- and what do you think of people claiming that everybody who disagrees with them should be labeled "children" or "terrorists"? Maybe if you answer one of those discussion points, your presence here will not be a complete waste. You didn't even say anything to suggest that people discuss something useful, as I did; you just threw fuel on the fire by slinging completely empty insults, placing your comment about three notches below both peter.j.boyle's and mine. edit: omission

seanferd

for the commenters with attitudes and no reading skills. Seven months. Seven. 7>2>0.6 Wow. Reactionary.
