Researcher burned at the stake for vulnerability disclosure

For Tavis Ormandy, the witch hunt is on. Based on the reaction from the media, security companies, and pundits online, shouts of “burn him” are being subliminally echoed from one end of the globe to the other. Is it a fair call though?

If ever there was a way to initiate a heated argument in the InfoSec community, it is the topic of Full vs. Responsible Disclosure. For years, lines have been drawn on both sides when it comes to this debate, and there are valid reasons for both options. However, for the last week, one researcher has been hit from all sides on this topic, all because of a post to the Full Disclosure mailing list.

Tavis Ormandy, a security researcher and Google employee, detailed a vulnerability in the Help and Support Center on Windows XP and Server 2003, which, if exploited, would lead to a system compromise.

[The vulnerability is being targeted by criminals, but there is a fix from Microsoft, head here to read more.]

In the disclosure, it was revealed that Microsoft had a five-day window to address and fix this issue. Given the disclosure, the five-day window, the fact Ormandy works for Google, and example code to pull off an attack, it quickly became open season on the researcher.

It’s interesting to see how fickle the press and InfoSec community can be. No disrespect to either side, but Ormandy has been given praise by the media and his peers before, and with a single post, his past work was tossed aside and suddenly he is seen as an irresponsible person. How does that make sense?

Starting with the Google aspect to the story, early reports on Ormandy’s disclosure centered on a Microsoft vs. Google aspect. Blaming Google for his post serves no purpose at all. While the two companies are rivals in many areas, Ormandy’s disclosure isn’t the latest volley in a war between the two giants.

Google is his employer, sure, and you can argue that - like it or not - his actions represent them at all times. Yet, Google claims his research when it suits them. As is the case with his latest disclosure, where Google said Ormandy was not acting on their behalf, they will distance themselves at will too.

Ormandy said that the concept code was released with the disclosure because “…without a working exploit, I would have been ignored.”

“This is another example of the problems with bug secrecy (or in PR speak, ‘responsible disclosure’), those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots.”

He’s correct. Microsoft and the community at large would have ignored him and likely said that by disclosing the issue, he was simply looking to spread fear. One concept of disclosure is that you have to prove what you say.

Disclosure is painful, both to the researcher and to the vendor. In many cases, vendors have been embarrassed by vulnerabilities disclosed to the public, and often use Responsible Disclosure as a defense mechanism, instead of the tool that it is.

Researchers have to choose. Is the vulnerability serious enough to tell everyone, or could it be disclosed to the vendor where it can be patched later? Should a public advisory be issued in conjunction with notice to the vendor? Should the vendor learn about the flaw at the same time the public does?

No matter what option they take, the researcher will catch flak. However, lately it appears that Full Disclosure and Responsible Disclosure are simple black and white options. That isn’t the case, and Ormandy’s advisory is a perfect example of that.

Another hot topic with Ormandy’s disclosure is the time frame. Five days, according to almost every report on the topic, wasn’t enough time for Microsoft to address the issue.

Aside from the fact that those five days were used to negotiate a fix within 60 days, and communication obviously broke down causing a public release, Microsoft responded quickly with both an advisory and FixIt solution. So it seems as if five days was plenty of time.

Yet, Ormandy is buried alive with the brand of "irresponsible" because he allowed only five days.

That is five days more than other researchers have allowed Microsoft in the past. There are plenty of examples where notification to the vendor has been null and void, and details of a vulnerability were made public.

If Ormandy had said nothing, and this was attacked anyway, would he be called irresponsible because he remained silent, should others have discovered he was sitting on the issue?

I find myself wondering if Ormandy was replaced with another researcher, would the issues be the same and the hype just as big, or is all of this simply because Ormandy works for a company who is seen as one of Microsoft’s top rivals? Adobe’s security patch this month credited Ormandy with nine of the flaws patched. Yet, there has been hardly a mention of this in the coverage over his single disclosure.

In the past, Microsoft-based vulnerability disclosures have been released, followed by the Responsible Disclosure issue being raised by Redmond, while the press covers the issue, Metasploit modules are released, and often criminals target the issue and launch attacks.

Again, Ormandy’s post caused the same cycle. Now suddenly this issue is different than those from the past. Why? I can only imagine that it is all due to the fact he works for Google.

Disclosure, no matter how it is done, will always cause issues and expose someone to risk. Ultimately, the researcher has to use their own gut feeling and make a call. Once that call is made, there is no turning back. However, the flagrant disregard for his previous security efforts is concerning.

What if he stopped and simply walked away, never working on security research again?

Ormandy has done a lot of work to help secure both common users and businesses by focusing on software vulnerabilities. To lose his insight and knowledge would seem like a small loss in the short term, but in the long run you can never replace an individual with insight and critical thought. It isn’t like there are millions of researchers to choose from who can do the work needed.

No matter where a person stands on the disclosure issue, most professionals agree that there is no simple answer. Disclosure will never be as simple as right and wrong as long as different personalities are working the field.

No two researchers think or work alike, which is why the security community as a whole benefits from the different people living within it. Legit researchers learn from criminal researchers, and vice versa.

To some, Tavis Ormandy was wrong. Others think he made the right call. All that matters in the end is that he acted. He made a call from the gut based on the information he had. You can’t really judge him unless you’ve been there yourself. Give some credit for the fact he researched that vector of attack at all, and followed up by taking action of some kind.

Disclosure has been made. Microsoft has issued an advisory and even a FixIt solution, and the average Jane or Joe is no less secure today than they were before Ormandy’s fateful post.

This is because for every vulnerability made public, hundreds if not thousands more are tucked away and never mentioned. Sometimes this hoarding is done by legit professionals, other times it is the vendor. More often than not, the criminals do the most hoarding. That should be where everyone’s negative energies are directed, at the criminals, not at a researcher who might or might not have made a bad call.

No matter what, this issue has been blown completely out of proportion and it’s time to let it go.

[This editorial is the opinion of Steve Ragan, placing him firmly in what appears to be the minority, and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network.]
