Google versus Microsoft – handbags at dawn

By some accounts, Microsoft and Google are at each other’s throats over the disclosure of vulnerabilities.

Summarising what seems to have happened in fewer than 100 words is a challenging exercise, but here goes:

Security researcher Michal Zalewski creates a browser-based bug-finding fuzzer in July. Apparently this finds bugs by the bucketload in multiple browsers. He talks, amongst others, to Microsoft. Microsoft can't, or don't, repeat his results. By December, he wants to publish his fuzzer. Microsoft urges - or begs, or demands, who can say? - that he hold off. Zalewski doesn't want to. Some Chinese hackers get hold of it early, apparently in a serendipitous accident. Zalewski considers this to be an overriding reason to release the fuzzer anyway, which he does on New Year's Day.

The results?

Microsoft is unhappy that Zalewski went public in a full-disclosure forum, suggesting that “risk has now been amplified”. Zalewski is insistent that his full disclosure was beyond acceptable, calling it “a priority”.

Oof! Handbags at ten paces!

As a Naked Security reader asked us earlier this morning, is there substance to Microsoft’s claims that Google increased the risk by releasing this information before a patch was available? Does one company have a responsibility to remain silent in the face of a vulnerability in another’s software?

Those are interesting, and important, questions. If you accept that both sides have a point – and I do – then the answers are indecisive, being ‘Yes’ and ‘No’ respectively.

But in this case, the issue begs a third question which needs to be considered first, and which is of much broader concern. Where does Google come into it?

The answer is that Zalewski works for Google. And Google’s security researchers have not been strangers to controversy with Microsoft in recent months. In June 2010, Tavis Ormandy blurted out an exploitable vulnerability just five days after privately approaching Microsoft; in September, Chris Evans posted demo exploit code, though his complaint was that Microsoft had already had more than a year to fix the flaw.

In all these cases, however, the disclosures were apparently done outside any official Google mechanism. Ormandy published as taviso at sdf dot lonestar dot org. He gave credit to a single individual: Tavis Ormandy. Evans posted as scarybeasts at gmail dot com, linked back to his personal blog, scarybeastsecurity, and signed himself simply, “Cheers, Chris.” Zalewski posted under his handle of lcamtuf at coredump dot cx, opening, with remarkable self-assurance, that “I am happy to announce the availability of cross_fuzz, an amazingly effective but notoriously annoying cross-document DOM binding fuzzer.”

Clearly, it doesn’t matter whether the buck officially stops, morally, ethically or legally, with Google. In the eyes of the internet, this is Google’s work, and the tussle here is between Google and Microsoft. And, given the increasingly blurred work/life boundaries which exist in our always-connected age, especially for technology-loving employees in IT and computer security, that is unavoidable.

You need to take this into account when you plan your organisation’s attitude to security. The traditional outlook of being unashamedly restrictive at work whilst leaving employees to their own devices out-of-hours is no longer a practicable approach in most environments. It’s no longer just the public and private pronouncements of top-ranking corporate staff which shape public opinion of your organisation.

A little flexibility – letting your users off the leash a little at work in return for their improved personal attitudes to computer security and control at home, and their increased willingness to “think of the company” even in their own time – can give you a double victory.

(Of course, it helps if you have a security solution which makes choosing flexibility both easy and safe. You can probably guess where this is going: Sophos Endpoint Security and Data Protection.)