Jump to content

6 posts in this topic

Posted

On Tuesday, Microsoft warned that it was issuing an emergency patch to fix a dangerous flaw in its software.

 

This is notable for a few reasons. Microsoft rarely releases these kinds of urgent patches, only nine of them so far in 2014. It normally saves all patches for one mega patch day once a month.

 

The software in question affects almost all of Microsoft's family of security software. That means that the software Microsoft designed to protect computers from hackers can be hacked. In this case, it can be turned off, and from there, the hacker could do more harm.

 

The person who found the flaw was none other than Microsoft's security nemesis, Tavis Ormandy.

 

Google%27s_Famous_Security_Guru_Found-3f

Google security researcher Tavis Ormandy

 

Ormandy is a well-respected Google engineer who has become famous for finding problems with Microsoft software and, sometimes, showing hackers how to use them before Microsoft has fixed them.

 

This time, it looks like Ormandy did not share the problem before Microsoft could fix it.

 

And that's a good thing, because the vulnerable software includes everything from Microsoft's free Windows antivirus program, Microsoft Security Essentials, to its corporate security product family, Forefront. It also includes Intune, the security butt service Microsoft has been heavily hawking to enterprises.

 

But Microsoft knows Ormandy could share the problem  if he feels that company is dragging its feet.

 

A year ago, when he found a bug that let hackers crash or gain control over Windows ,  he not only discussed the bug before Microsoft had fixed it, he released "exploit" code that showed them how to work with the bug.

It's all part of a long-running skirmish between Microsoft and Ormandy, pressuring Microsoft to respond faster to security problems.

Microsoft has an age-old reputation for doing a poor job with security, in part because Windows is so popular it is a constant target for hackers.

Back in 2010, Ormandy really pushed the company, angering many in the security world along the way. He gave Microsoft only five days between the time he told them about a flaw and the time he published information about it.

 

The previous standard in the security world was 30 to 60 days. Security pros are anxious to publish information on the flaws they find. That's how they build their reputations and their careers.

 

Last year, Google backed Ormandy and changed its disclosure policy. It said that if its engineers find security flaws in other's code, they will only wait seven days before making it public to the world.

 

Their goal, Google said, was to make all companies move faster when they need to fix their software.

 

Meanwhile, Ormandy continues to breathe down Microsoft's neck. His latest interest? Windows 8.  

For instance, he tweeted a bug found in Windows 8 just last month:

 

Here's a bug in the Touch Injection API, brand new Windows 8 code.https://t.co/3cqve8cChP

 

1 person likes this

Share this post


Link to post
Share on other sites

Posted

MS is bad if they don't patch their bugs in a reasonable time frame.

Share this post


Link to post
Share on other sites

Posted

You'd think by now most every 'hole' would be gone -- but what do I know.

Share this post


Link to post
Share on other sites

Posted

MS is bad if they don't patch their bugs in a reasonable time frame.

Yeah, "reasonable" time period. And five days isn't it. You do realize they have patch the hole and thoroughly test the fix on theorectically every vulnerable systems to ensure it doesn't break things instead of fixing them? Like the article says, the standard is 30 to 60 days.

Share this post


Link to post
Share on other sites

Posted

I love this guy!

Share this post


Link to post
Share on other sites

Posted

 

Microsoft has an age-old reputation for doing a poor job with security, in part because Windows is so popular it is a constant target for hackers.

 

Apparently we are still stuck in the past...

1 person likes this

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.