Main Area and Open Discussion > Living Room

Microsoft lashes out at Googler for making Windows vulnerability public

<< < (2/12) > >>

f0dder:
Gotta be +3 here, one plus for each of the above points by Eóin, Renegade and Stoic Joker.

I'm all for making exploits details + proof-of-concept code public, but only after the software vendor has had a reasonable amount of time to fix the bug. Microsoft have been pretty damn bad in the past, but they've measured up - and are pretty open about security these days.

Carol Haynes:
+4

There is no excuse for publishing this sort of detail when no fix is available.

If there is a temporary work around that should be suggested and a reason but details are pretty unforgivable.

What will happen when someone sues Google for publishing the method by which a company gets attacked? It's a bit like publishing how to make nerve gas and then saying 'not guilty' when terrorists use the recipe!

Paul Keith:
I'm going to side with Google on this one I guess.

I can understand it from a security standpoint but the thing is, this is Microsoft.

What their intent now doesn't cover up their years and years of failing to secure things.

This is one of those cases where it looks bad because of the proper tradition of why things are done and should be done.

However in this same token, it's Microsoft. Sure it's unprofessional and dangerous but the reputation of Microsoft on security has already sunk into the culture of computing that Microsoft should just man up and fix this instead of turning this into some PR/media complaint. It's not like they couldn't have thrown and put more focus on a more valid complaint as the article showed:

Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”
--- End quote ---

But why go so far as to excuse and side Microsoft this time? At the very least, stay neutral and cite why it's bad policy but going so far as to say what one should have or shouldn't have done and why one side is correct while ignoring that side's past. Seems like it's that attitude that has allowed the security by obscurity to continue and it's that kind of support that will eventually make it sometimes security by obscurity sometimes we'll disclose it.

Just fix it and move on. You're Microsoft not some development team with a long history of emphasizing utmost security.

Renegade:
Paul, no disrespect, but I think you're really off-base on this one.

Microsoft's bad security days are WAY a thing of the past. In Internet history, it's prehistoric.

Google has shown an utter disregard and disrespect for Windows users with a completely flagrant and irresponsible spit in the face to both Microsoft and all Microsoft customers (which also happen to be Google customers). Google has clearly shown that it is more concerned with hurting its competition than in caring for its customers.

4 days is very, very far from reasonable.

The reality of security is that Windows is more secure than most other operating systems by a very wide margin. Literally. (You can't stop idiots from getting hacked no matter what platform, so that's really not a valid complaint about Windows.)

As for Microsoft's security history, a look at the last few years shows that they are among the best in the industry.

As for this being Microsoft or anyone else -- that's largely irrelevant. The fact is that Google disclosed a security vulnerability without allowing the product vendor the opportunity to fix the problem. This is simply inexcusable and unforgivable. It doesn't matter whether it is Microsoft or anyone else. It is standard to give vendors a couple months to get the problem fixed and rolled out, much less disclose the vulnerability WITH EXPLOIT CODE!!!!!

Actually, I need to take something back. It isn't Google spitting in people's faces. That would be irresponsibly disclosing the vulnerability. They disclosed exploit code. No... Google pissed in everyone's face.

Again, that it was Microsoft only shows that Google is more interested in pissing in people's faces to spite its competition than in acting like a responsible, good corporate citizen.

I seriously doubt that this would happen for ACME Software Inc. because they're not any kind of threat or competition for Google.

zridling:
Problem is, Tavis Ormandy has submitted numerous security bugs and larger issues for years, and in return has waited months and years for patches. Seems like he just got tired of waiting on someone at Microsoft to write better code.

Search result: Tavis Ormandy Windows kernel vulnerability

PS: @Renegade -- There are no "good corporate citizens." They'll all get away with whatever they can, just as Microsoft has always done. Karma ain't so fun when it's due.

Navigation

[0] Message Index

[#] Next page

[*] Previous page