Researcher burned at the stake for vulnerability disclosure

For Tavis Ormandy, the witch hunt is on. Based on the reaction from the media, security companies, and pundits online, shouts of “burn him” are being subliminally echoed from one end of the globe to the other. Is it a fair call though?

If ever there was a way to initiate a heated argument in the InfoSec community, it is the topic of Full vs. Responsible Disclosure. For years, lines have been drawn on both sides when it comes to this debate, and there are valid reasons for both options. However, for the last week, one researcher has been hit from all sides on this topic, all because of a post to the Full Disclosure mailing list.

Tavis Ormandy, a security researcher and Google employee, detailed a vulnerability in the Help and Support Center on Windows XP and Server 2003, which if exploited, would lead to a system compromise.

[The vulnerability is being targeted by criminals, but there is a fix from Microsoft, head here to read more.]

In the disclosure, it was revealed that Microsoft had a five-day window to address and fix this issue. Given the public disclosure, the five-day window, the fact that Ormandy works for Google, and the inclusion of example code to pull off an attack, it quickly became open season on the researcher.

It’s interesting to see how fickle the press and InfoSec community can be. No disrespect to either side, but Ormandy has been given praise by the media and his peers before, and with a single post, his past work was tossed aside and suddenly he is seen as an irresponsible person. How does that make sense?

Starting with the Google aspect to the story, early reports on Ormandy’s disclosure centered on a Microsoft vs. Google aspect. Blaming Google for his post serves no purpose at all. While the two companies are rivals in many areas, Ormandy’s disclosure isn’t the latest volley in a war between the two giants.

Google is his employer, sure, and you can argue that, like it or not, his actions represent the company at all times. Yet Google claims his research when it suits them and distances itself at will when it does not, as it did with this latest disclosure, when it said Ormandy was not acting on its behalf.

Ormandy said that the concept code was released with the disclosure because “…without a working exploit, I would have been ignored.”

“This is another example of the problems with bug secrecy (or in PR speak, ‘responsible disclosure’), those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers that we need, especially in complex cases like this, where creative thinking and input from experts in multiple disciplines is required to join the dots.”

He’s correct. Microsoft and the community at large would have ignored him and likely said that by disclosing the issue, he was simply looking to spread fear. One concept of disclosure is that you have to prove what you say.

Disclosure is painful, both to the researcher and to the vendor. In many cases, vendors have been embarrassed by vulnerabilities disclosed to the public, and often use Responsible Disclosure as a defense mechanism, instead of the tool that it is.

Researchers have to choose. Is the vulnerability serious enough to tell everyone, or could it be disclosed to the vendor where it can be patched later? Should a public advisory be issued in conjunction with notice to the vendor? Should the vendor learn about the flaw at the same time the public does?

No matter what option they take, the researcher will catch flak. However, lately it appears that Full Disclosure and Responsible Disclosure are being treated as simple black-and-white options. That isn’t the case, and Ormandy’s advisory is a perfect example of that.

Another hot topic with Ormandy’s disclosure is the time frame. Five days, according to almost every report on the topic, wasn’t enough time for Microsoft to address the issue.

Those five days were spent negotiating a fix within 60 days, and communication obviously broke down, causing a public release. Even so, Microsoft responded quickly with both an advisory and a FixIt solution. So it seems as if five days was plenty of time.

Yet, Ormandy is buried alive with the brand of "irresponsible" because he allowed only five days.

That is five days more than other researchers have allowed Microsoft in the past. There are plenty of examples where the vendor received no notification at all and details of a vulnerability were simply made public.

If Ormandy had said nothing and the flaw had been attacked anyway, would he have been called irresponsible for staying silent once others discovered he had been sitting on the issue?

I find myself wondering if Ormandy were replaced with another researcher, would the issues be the same and the hype just as big, or is all of this simply because Ormandy works for a company that is seen as one of Microsoft’s top rivals? Adobe’s security patch this month credited Ormandy with nine of the flaws patched. Yet there has been hardly a mention of this in the coverage of his single disclosure.

In the past, disclosures of Microsoft vulnerabilities have followed a familiar cycle: the vulnerability is released, Redmond raises the Responsible Disclosure issue, the press covers it, Metasploit modules are released, and often criminals target the issue and launch attacks.

Again, Ormandy’s post caused the same cycle. Now suddenly this issue is different from those of the past. Why? I can only imagine that it is all due to the fact he works for Google.

Disclosure, no matter how it is done, will always cause issues and expose someone to risk. Ultimately, the researcher has to use their own gut feeling and make a call. Once that call is made, there is no turning back. However, the flagrant disregard for his previous security efforts is concerning.

What if he stopped and simply walked away, never working on security research again?

Ormandy has done a lot of work to help secure both common users and businesses by focusing on software vulnerabilities. To lose his insight and knowledge would seem like a small loss in the short term, but in the long run you can never replace an individual with insight and critical thought. It isn’t like there are millions of researchers to choose from who can do the work needed.

No matter where a person stands on the disclosure issue, most professionals agree that there is no simple answer. Disclosure will never be as simple as right and wrong as long as different personalities are working in the field.

No two researchers think or work alike, which is why the security community as a whole benefits from the different people living within it. Legit researchers learn from criminal researchers, and vice versa.

To some, Tavis Ormandy was wrong. Others think he made the right call. All that matters in the end is that he acted. He made a call from the gut based on the information he had. You can’t really judge him unless you’ve been there yourself. Give him some credit for the fact that he researched that attack vector at all, and followed up by taking action of some kind.

Disclosure has been made. Microsoft has issued an advisory and even a FixIt solution, and the average Jane or Joe is no less secure today than they were before Ormandy’s fateful post.

This is because for every vulnerability made public, hundreds if not thousands more are tucked away and never mentioned. Sometimes this hoarding is done by legit professionals, other times it is the vendor. More often than not, the criminals do the most hoarding. That should be where everyone’s negative energies are directed, at the criminals, not at a researcher who might or might not have made a bad call.

No matter what, this issue has been blown completely out of proportion and it’s time to let it go.

[This editorial is the opinion of Steve Ragan, placing him firmly in what appears to be the minority, and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to [email protected]]
