By some accounts, Microsoft and Google are at each other’s throats over the disclosure of vulnerabilities.
Summarising what seems to have happened in fewer than 100 words is a challenging exercise, but here goes:
Security researcher Michal Zalewski creates a browser-based bug-finding fuzzer in July. Apparently this finds bugs by the bucketload in multiple browsers. He talks, amongst others, to Microsoft. Microsoft can't, or don't, repeat his results. By December, he wants to publish his fuzzer. Microsoft urges – or begs, or demands, who can say? – that he hold off. Zalewski doesn't want to. Some Chinese hackers get hold of it early, apparently in a serendipitous accident. Zalewski considers this to be an overriding reason to release the fuzzer anyway, which he does on New Year's Day.
The results?
Microsoft is unhappy that Zalewski went public in a full-disclosure forum, suggesting that “risk has now been amplified”. Zalewski is insistent that his full disclosure was beyond acceptable, calling it “a priority”.
Oof! Handbags at ten paces!
As a Naked Security reader asked us earlier this morning, is there substance to Microsoft’s claims that Google increased the risk by releasing this information before a patch was available? Does one company have a responsibility to remain silent in the face of a vulnerability in another’s software?
Those are interesting, and important, questions. If you accept that both sides have a point – and I do – then the answers are indecisive, being ‘Yes’ and ‘No’ respectively.
But in this case, the issue begs a third question which needs to be considered first, and which is of much broader concern. Where does Google come into it?
The answer is that Zalewski works for Google. And Google’s security researchers have not been strangers to controversy with Microsoft in recent months. In June 2010, Tavis Ormandy blurted out an exploitable vulnerability just five days after privately approaching Microsoft; in September, Chris Evans posted demo exploit code, though his complaint was that Microsoft had already had more than a year to fix the flaw.
In all these cases, however, the disclosures were apparently done outside any official Google mechanism. Ormandy published as taviso at sdf dot lonestar dot org. He gave credit to a single individual: Tavis Ormandy. Evans posted as scarybeasts at gmail dot com, linked back to his personal blog, scarybeastsecurity, and signed himself simply, “Cheers, Chris.” Zalewski posted under his handle of lcamtuf at coredump dot cx, opening, with remarkable self-assurance, that “I am happy to announce the availability of cross_fuzz, an amazingly effective but notoriously annoying cross-document DOM binding fuzzer.”
Clearly, it doesn’t matter whether the buck officially stops, morally, ethically or legally, with Google. In the eyes of the internet, this is Google’s work, and the tussle here is between Google and Microsoft. And, given the increasingly blurred work/life boundaries which exist in our always-connected age, especially for technology-loving employees in IT and computer security, that is unavoidable.
You need to take this into account when you plan your organisation’s attitude to security. The traditional outlook of being unashamedly restrictive at work whilst leaving employees to their own devices out-of-hours is no longer a practicable approach in most environments. It’s no longer just the public and private pronouncements of top-ranking corporate staff which shape public opinion of your organisation.
A little flexibility – letting your users off the leash a little at work in return for their improved personal attitudes to computer security and control at home, and their increased willingness to “think of the company” even in their own time – can give you a double victory.
(Of course, it helps if you have a security solution which makes choosing flexibility both easy and safe. You can probably guess where this is going: Sophos Endpoint Security and Data Protection.)
Google is now plain arrogant! This is unacceptable as Google’s action! I wish Microsoft PUBLICLY disclosed a MAJOR Google bug in Google Chrome OS or Google Chrome just to exact revenge!!
First of all, I'd recommend that people read the original sources instead of distorted accounts of the situation. Not this article, but many others.
If anyone bothers to read http://lcamtuf.coredump.cx/cross_fuzz/fuzzer_time… , Zalewski notes that "Ref_fuzz and cross_fuzz are a pair of fuzzers developed in my spare time" (emphasis on the "my spare time" part).
Second, before Google hired Zalewski he was already a security researcher and will always remain one, regardless of his employer. Security researchers act according to ethical codes established by their peers.
Why and how Google comes into play in this story is strongly debatable. However, let's say that it does. Google already officially affirmed its support for what it calls "reasonable disclosure deadlines" of 60 days for "a genuinely critical issue in widely deployed software."
So, there's the matter of who is the liar here. In the aforementioned timeline, Zalewski claims that the crash could be replicated with the July 2010 version of the fuzzer and even includes an alleged statement from MSRC in which they admit that this is true and have no explanation as to why they couldn't replicate the issue originally.
However, in Microsoft's official statement following the disclosure, they claim the issue was only replicable with the December 2010 version of the fuzzer and not the earlier one. Someone is clearly lying here.
If Zalewski is telling the truth, he gave Microsoft way more than 60 days. Is it his fault that the engineers at Microsoft failed to properly use the tool? All other affected browser developers were given the same deadline and managed to fix their bugs.
Third, everyone seems to report that the vulnerability was leaked because Zalewski accidentally left the web directory to be indexed by Google's crawlers, when he clearly states that he saw search queries suggesting that it was *independently* discovered by someone else.
As usual, a lot of the media twists stories so they appear more sensational. "Google vs. Microsoft Vulnerability Disclosure War" is certainly more appealing than "Researcher Creates Tool to Find Browser Bugs"
Two wrongs don't make a right.
Evolve, already.
People need to chill. Microsoft is the real culprit here. The problem is that they were told about a security exploit, refused to fix it, and as a result put users of their software at risk. No company should ever let another company decide the safety of the users of its software. So, someone releases the exploit, Microsoft is now forced to fix it. It makes everyone safer, and it teaches Microsoft to show some urgency when dealing with security threats. The article shows a bias against Google.
Interestingly, whilst you were posting this comment, I was adding the sentence "It's no longer just the public and private pronouncements of top-ranking corporate staff which shape public opinion of your organisation" to the article.
As for "bias against Google", that seems unfounded if you consider that I offer _my_ answer to the question, "Does one company have a responsibility to remain silent in the face of a vulnerability in another's software?" And it is, "No."
But that's not the point of the article.
The deal is here that the behaviour of Ormandy, Evans and Zalewski outside work _is Google's corporate behaviour_ because that's how the world sees it.
Some security policies still rely on locking everything down solidly at work and assuming you can disavow everything your employees do outside – which may well include trying to do the work which they can't do in the office because of draconian policies.
That's not going to work, so try to engender an attitude to security in your company which meets home and work, staff and organisation, in the middle.
Plus, how can you know whether Microsoft is correct in that it couldn't find a hole when Zale first told them about it? Is there not a way to verify? Did Microsoft not reply to Zale asking for clarification, and Zale did not respond?
Plus, as you know, Microsoft Internet Explorer is very much an integrated part of the OS, as Windows Explorer is. There should be time to thoroughly "test" the fix to make sure it doesn't cause more problems than it fixes.
If Microsoft hastily releases patches, they are criticized. When they do not release / methodically test a patch, they are criticized. The only way to avoid such criticism is if those criticizing make the patches themselves!
The code of Zalewski's fuzzer acknowledges that reproducing behaviour between runs of the fuzzer is difficult.
Indeed, the latest release of the fuzzer (dated 2011-01-05, an update from a version apparently dated 2010-07-29) expressly notes, in a comment, that:
// This fuzzer is an improvement of cross_fuzz_randomized_20100729_seed.html
// that makes it considerably easier to reproduce fault conditions,
// especially when running it from file:///. This is achieved by minimizing
// the risk of DOM crawl desynchronization by resyncing the PRNG when
// returning from a particular recursion level, and after shuffling arrays.
And a special version from December 2010 is offered as an "MSIE-optimized version of that fuzzer (triggers msie_crash.txt reliably)."
So I don't see any need to doubt Microsoft's assertion that they weren't as excited as Mr Z. at the results he originally claimed. OTOH, as Mr Z. says, six months is a long time, and it does seem he'd hit the jackpot with a number of genuine bugs found.
Like I said, handbags at ten paces 🙂
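The resynchronisation trick quoted in that comment, as an added illustration (not code from cross_fuzz or its author): a toy depth-first crawl over a constructed DOM that picks one random operation per node, run once from a single shared PRNG stream and once with a fresh stream per recursion level, so you can see which choices stay reproducible when one browser's tree contains an extra node. The node names, operation names, PRNG and seed are all constructed for the example.

```javascript
// Added example, not code from cross_fuzz: why resyncing the PRNG at each
// recursion level keeps a random DOM crawl reproducible when one tree has an
// extra node. The "DOM" is a constructed plain object, not a real document.

// mulberry32: small deterministic PRNG, so a run can be replayed from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// A stream wraps the PRNG and remembers its seed and how many draws were taken.
function makeStream(seed) {
  const next = mulberry32(seed);
  const s = { seed: seed >>> 0, pos: 0, draw() { s.pos += 1; return next(); } };
  return s;
}

// Derive an independent seed for child number `index` under `levelSeed`.
function childSeed(levelSeed, index) {
  let h = (levelSeed ^ Math.imul(index + 1, 0x9E3779B1)) >>> 0;
  h = Math.imul(h ^ (h >>> 16), 0x7FEB352D) >>> 0;
  h = Math.imul(h ^ (h >>> 15), 0x846CA68B) >>> 0;
  return (h ^ (h >>> 16)) >>> 0;
}

// Illustrative operations a DOM-binding fuzzer might apply to a node.
const OPS = ["read-property", "set-property", "call-method", "remove-child", "clone-node"];

// Depth-first crawl choosing one random operation per node.
//  resync=false: one shared stream for the whole crawl, so an extra node
//                shifts every later draw (DOM crawl desynchronization).
//  resync=true:  each child subtree gets its own stream derived from the
//                parent's seed and the child's index, and the parent's stream
//                is left untouched when the recursion returns.
function crawl(node, stream, resync, trace) {
  const pos = stream.pos;                       // draw index within this stream
  const op = OPS[Math.floor(stream.draw() * OPS.length)];
  trace.push({ name: node.name, op, seed: stream.seed, pos });
  node.children.forEach((child, i) => {
    const childStream = resync ? makeStream(childSeed(stream.seed, i)) : stream;
    crawl(child, childStream, resync, trace);
  });
}

function crawlTrace(tree, seed, resync) {
  const trace = [];
  crawl(tree, makeStream(seed), resync, trace);
  return trace;
}

// True when every node present in treeA received the same operation in treeB.
function sharedOpsAgree(treeA, treeB, seed, resync) {
  const opsB = new Map(crawlTrace(treeB, seed, resync).map((e) => [e.name, e.op]));
  return crawlTrace(treeA, seed, resync).every((e) => opsB.get(e.name) === e.op);
}

// Constructed sample DOMs: B is A plus one extra node under <head>, standing
// in for a browser-specific or injected element that another browser lacks.
const n = (name, children = []) => ({ name, children });
const TREE_A = n("html", [
  n("head", [n("title")]),
  n("body", [n("div", [n("span")]), n("form", [n("input")])]),
]);
const TREE_B = n("html", [
  n("head", [n("title"), n("script")]),
  n("body", [n("div", [n("span")]), n("form", [n("input")])]),
]);

// Which stream and draw position did <body> get its randomness from?
function bodyDraw(tree, seed, resync) {
  const e = crawlTrace(tree, seed, resync).find((x) => x.name === "body");
  return { seed: e.seed, pos: e.pos };
}

for (const resync of [false, true]) {
  console.log("resync=" + resync, "body draw A:", bodyDraw(TREE_A, 42, resync),
    "B:", bodyDraw(TREE_B, 42, resync), "shared ops agree:", sharedOpsAgree(TREE_A, TREE_B, 42, resync));
}
```

With a single shared stream, <body> is the 4th draw in tree A but the 5th in tree B, so every choice from that point on comes from a shifted position and a crash seen in one run is hard to hit again in the other; with per-level resync, <body> and everything under it draw from the same seed and position in both trees.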
Ranting cont:
Plus, I think Google's (or at least their employees') behavior is akin to greyhat hackers. They disclose a bug for a ransom fee (or for personal gain… Google is a serious contender to Microsoft). In any way, I think vulnerabilities should only be disclosed when a. a fix is released or b. when the offending company (Microsoft) has not responded for years! There are enough viruses as there is! Isn't there a sort of control system in the amount of vulnerabilities that can be released? Like woah there, there have been enough vulnerabilities released recently (the UAC hole, the recent .net hole, and now the major IE hole).
_______
On a side note, I do hope Microsoft and other companies *like Sophos and Symantec* provide a patch for this ASAP!!! But above all, make sure the fix is TESTED THOROUGHLY and does not cause ANY MORE problems *bsods, crashes are the worst!*
With all due respect, I don't agree with your statement about "When the offending company (Microsoft) has not responded for years" simply because if one person found the vulnerability, then that means that others can. So, while the offending company is sitting on their laurels (sitting on their hands) because they know that the researcher won't release the information, virus and malware creators could be finding the hole and exploiting it.
In the case of these vulnerabilities being disclosed, I would say this: five days is too soon (unless the offending company basically says "We're not going to fix this." or "We don't care."). Six months is about right. If you can't fix a bug in your code in six months, then either a) you're not that good of a programmer, b) your code is even buggier than you (and others) think or c) you're not even trying to fix it.
Yes in this case, Internet Explorer is deeply tied into the Operating System. The difference is that Microsoft has ALL of the source code for Windows and Internet Explorer. If they can't find the bug (when they're essentially pointed in the right direction by someone without the source code), there's a problem. There's no excuse for them having to take six months to fix the bug.
If you look at things, Microsoft has security issues that are still prevalent in Windows 98/ME/XP (and have been known about for years). That's not acceptable–even if the chance of someone exploiting them is low or non-existent. They're bugs. They're problems and mean that the code is faulty. Would you buy a car with faulty brakes (and not expect them to be fixed)?
Have a great day:)
Patrick.
Not germane to the topic but please don't use 'begs the question' when you mean 'raises the question' ("the issue begs a third question which needs to be considered first"):
From Wikipedia, the free encyclopedia:
Begging the question (or petitio principii, "assuming the initial point") is a type of logical fallacy in which the proposition to be proven is assumed implicitly or explicitly in the premise…. Begging the question is related to the circular argument, circulus in probando (Latin, "circle in proving") or circular reasoning, though these are considered absolutely different by Aristotle.
I'll see your Wikipedia and raise you a New Oxford Dictionary of English (IMO the finest single-volume dictionary of worldwide English by a country mile).
"To some traditionalists [the use of 'begs the question' as a direct translation of _petitio principii_] is still the only correct meaning.
However, over the last 100 years or so, another, more general, use has arisen: 'invite an obvious question'… This is by far the commonest use today and is widely accepted in modern standard English."
Aristotle, eh? Mentioning him really _is_ traditionalist 😉
There seems to be lots of speculation on the matter of what Google/employees did/its intentions behind the release of the info, but the basic facts stand: Microsoft is/has been and probably always will be riddled with a vast number of bugs and holes, it's got such a large install base as to be the top target for exploits, and its history for doing timely fixes for exploits… well, it's not the best. I suspect that without public releases, there would never be any heat to get them to fix much of anything. Expecting security researchers to sit on discoveries for _years_(?!?) is far, far beyond reasonable.
Erm, I don't relate the actions of Google's employees in their spare time to Google at all. I don't know of anyone who does. Can you please point these people out to me so I can go and tell them how foolish they are.
Personally, I think it's high-profile articles, and this one, that appear to want to reinforce the notions of an unbreakable connection between employer and off-duty employee so they can make use in their headlines of the obvious traffic-generating qualities of a Google vs. Microsoft showdown. STOP IT NOW – it's irresponsible! This will only go to encourage employers to think that they can, indeed must, try to regulate what their employees do in their spare time.
Google, while not flawless in this respect, is a fairly enlightened libertarian organisation and, as long as their employees are not breaking the law, what they do in their spare time is generally considered their own business. As a result we have access to the thoughts and sometimes good work, of a lot of very bright people. That's how it should be. Don't spoil it for the sake of headlines and your own bit of reflected limelight.
Hmmm. Methinks you are putting words in my mouth – you say that my article wants to 'reinforce…an unbreakable connection' over off-duty employees and to 'encourage employe[r]s to regulate' staff in their spare time.
What I actually wrote was:
'A little flexibility – letting your users off the leash a little at work in return for their improved personal attitudes to computer security and control at home, and their increased willingness to "think of the company" even in their own time – can give you a double victory.'
And I don't accept that people are 'foolish' if they draw inferences between the attitudes of employers and their employees on the basis of what employees publish out-of-hours _in their work/life specialist field_.
Imagine a group of Sophos coders – guys considered sufficiently good not only to write software for the company, but also to pronounce publicly, officially and technically about 'how Sophos does its coding'.
Now imagine this same group of guys contributing code to an open source project they all enjoy, with which you're also involved. And imagine that their code regularly showed behaviours which concerned you – poor buffer checking, no comments, bad choice of algorithm, etc. (This is a hypothetical example, of course 🙂
Surely you'd be foolish _not_ to ask yourself what that said about Sophos?
And, for the record, Ormandy, Evans and Zalewski have pronounced publicly, officially and technically – on the very subject of vulnerability disclosure – for Google, e.g. here:
http://googleonlinesecurity.blogspot.com/2010/07/…
Judging Google's attitude to security and disclosure entirely by their out-of-work public behaviour is, I admit, a step too far. But to disavow any connection in attitude is IMO similarly inappropriate.
I'm not trying to put words in your mouth, but ironically, you are putting words in mine, or rather meanings that weren't in the original by missing some important words out. I did not just say your article "wants to reinforce…an unbreakable connection [between] off-duty employees [and employers]" I said your article has the *appearance* of doing so, (which it does, at least to me anyway, whether it was deliberate or not). Nor did I say your article "wants to encourage employers to regulate staff in their spare time" but that it will be the result of it, if they think people are making that connection (which they will if people keep writing articles as though there is one).
I believe it is journalistically appropriate to mention that Zalewski works for Google, as a point of interest, but be sure to point out he is acting independently and then leave it there. If people keep bringing up Google during such an article then people will make the connection, not because they would have done but because they keep reading about it.
In your reply to me you talk about what your article says, but you overlook (as did I in my original comment) the rather more blatant title, "Google versus Microsoft – handbags at dawn", which couldn't have blurred the distinction between Zalewski and Google any more strongly if it tried. This title implies the matter is *all* about Google, rather than Zalewski vs. Microsoft. It might seem unfair to focus on the title, but the title will remain with people long after they've forgotten what the article actually said.
I know it is normal to use attention-grabbing articles but it's not good if the title is false and misleading.
I fear the end result is companies feeling obliged to make more restrictive conditions of employment regarding out-of-hours activities and I don't think that is a good thing. If journalists made a point of always distinguishing clearly people would be less prone to conflate the two and employers would have less reason to fear for their public image and to muscle in on our free time.
BTW, in your hypothetical scenario, I would think the company was pretty bad at recognising and hiring good coders, but I wouldn't attribute the bad *coding* done in the employees' spare time to the company. That's basically what is being done here when people attribute Zalewski's disclosures to Google.
I'll make one final reply (I'm not sure how deeply WordPress can nest replies 🙂 and then I think we should agree that we actually, for the most part, agree.
Where we don't agree is this:
>I believe it is journalistically appropriate to mention that
>Zalewski works for Google, as a point of interest, but be
>sure to point out he is acting independently and then
>leave it there.
I think it's more than interesting. It's important. Because he works for Google, and is part of the official public face of Google's policy on, and opinion about, vuln disclosure, I think that nothing he does in public relating to vuln disclosure (unless he explicitly distances himself from Google) can be considered _100%_ independent. There's a connection, and the connection is, at least in part, metacontractual, if you will permit me to close with a neologism.
Now, let's leave behind our discussion and see if anyone will come up with a comment on the Microsoft side of things 😉
Suppose that Sophos anti-virus writers started writing viruses in their free time. Won't that ruin the reputation of Sophos? Sure it would, and I expect those employees would be fired soon.
Thanks for your replies, Paul. I've enjoyed the discussion, even though I might disagree with you on some points. I would agree it's interesting and a point of discussion, but in an article that is clearly marked (perhaps by its title) as discussing and speculating on a possibility rather than an actual fact.
I agree both our points of contention have been made well and it's time to move on. I'll continue now to enjoy the rest of the discussion. Thanks. 🙂
The employer should be partially responsible for what their employees do in their free time. If a Google employee started writing malware, it would basically ruin the reputation of Google. And I'm pretty sure Google would take action (fire them?) as soon as possible.
I think we aren't talking about illegal activity but only legitimate; and many would say Zalewski's actions were ethical, at least in his eyes they were.
"And, given the increasingly blurred work/life boundaries which exist in our always-connected age…"
I'm not seeing the validity of this premise. I have been in IT for the last 20 years, 15 of those in telecom. For a very brief time I worked for a company that I felt deserved my consideration when I was off the clock. They demonstrated loyalty and appreciation for their employees. As far as working for corporate companies goes, they neither reward loyalty nor show any. When I'm at work, I'm all work; when I'm off, the company doesn't exist. I wouldn't undermine a given corporation I worked for, and I give everything I can while carrying out my responsibilities within the limits of my employee contract, but no telecom company I have worked for cares much about a given employee. All are expendable.
Maybe conservatism is a trait of the people in the security industry that is showing through in some of Sophos' posts, but I don't see that any employer has the right to mandate employee activities outside the workplace. Employment contracts have clauses regarding nondisclosure and product development controls for products an employee might conceive of while working for a company. That's as much as the corporations merit. If I sound disgruntled, you should talk to another 90% of my coworkers. I'm in the contented crowd.
And by the way, only people REALLY interested in technology news and developments would have any idea there was a row between Microsoft and Google, especially over a given single event. Most users would like to be safe on the internet, and have it all be transparent. I appreciate Sophos warnings on Facebook, but I've even turned off getting alerts or having Sophos show up on my home page on FB. I check in a couple times a week to see if there's some new scam. And I appreciate the heck out of those warnings.
"A little flexibility – letting your users off the leash a little at work…"
Um, Google has 20% time, where their coders can work on projects that interest them 20% of the time. It's where GMail came from. They have personal massages on site. They're the most flexible corporation I've ever heard of.
As someone with experience in both journalism and tech, I would say the media (which is where this blog appears to be placing itself, albeit containing some opinion and advertisement and reporting on a specialized field) has some responsibility to attempt to distinguish between whether someone's actions had any official relation to the company or whether they were acting on their own.
And you did that well – "In all these cases, however, the disclosures were apparently done outside any official Google mechanism."
But then you came back to – "In the eyes of the internet, this is Google's work, and the tussle here is between Google and Microsoft."
Whose eyes? Where on the internet?
Why not expect more of people rather than assuming they will make the simplest assumptions without thinking?
Anyway, despite my first comment being critical, in general it's a great blog y'all do.
>Whose eyes? Where on the internet?
I put three links in the first sentence to try to establish how this was broadly perceived as a "Google" thing. That's how I first became aware of the drama unfolding – news links mentioning Microsoft, Google and disclosure.
(Incidentally, as I have argued above, in this particular case, and with these particular people, in this particular field, I think that they _can_ be considered to represent Google, and at least in part to exemplify Google's viewpoint, even when they are off the clock. And I mean that as a compliment to the three of them.)
Thanks for the compliment to us, BTW. We aren't trying to be "media", but we aren't trying to be inaccessibly techie, either.
I'll admit I missed those links in the first sentence (esp. since it would be easy to see them as one).
And I'll give you props for being clearer about Zalewski doing this as a project in his own time than some of those other articles.
http://www.infoworld.com/d/security-central/secur…
This guy works for Microsoft and has published this on /his/ personal blog, publicly disclosing a security hole in the Adobe Flash sandbox. Is this going to get the same level of publicity as a Google researcher's spare time escapades and Google's need to keep a check on the image their employees are putting out? Of course not, everyone is out to make Google look like the bad guy these days.
(This is not a slight at this blog, which does a good job on the whole of staying impartial and reporting directly, not repeating another reporter's distorted view; this comment is merely an open question in a place of fairly neutral ground.)
I'm confused. The link you provided says "Billy Rios, a researcher who is a security engineer for Google, published on his personal blog a way to get around Flash Player's local-within-filesystem sandbox.". I guess you meant to bash Adobe here, because obviously Google are the good guys.