Google's researchers have become a major force in uncovering Microsoft's vulnerabilities, not always to Microsoft's liking.

Don't look now, but Google and Microsoft are at each other's throats again. This time it's over something more serious than whether users are being "Scroogled" or whether Bing is stealing Google search results. It concerns the disclosure of critical security vulnerabilities that could affect us all.

In an extremely terse statement in its latest security advisory, Microsoft acknowledged that "targeted attacks" had occurred in the wild due to a vulnerability in Internet Explorer. According to Reuters, this security hole was made public last May by Google security researcher Tavis Ormandy, who skipped the usual protocol of notifying Microsoft privately before telling the world, or at least the extremely geeky world of security wonks and hackers.

(Full disclosure: I've been unable to independently verify whether the "targeted attacks" referred to in the advisory are in fact due to the flaws revealed by Ormandy. The holes he revealed do not allow for remote attacks, which makes the scenario for a "targeted attack" hard to visualize. Perhaps readers with more gray matter than I can locate the links.)

In his posts, Ormandy noted that he was fed up with how Microsoft treated researchers like himself and that he didn't have "the free time to work on silly Microsoft code," so he was opening the hole to anyone who wanted to explore it further.

How long can a hole sit in a Microsoft product before it gets fixed, minus any external pressure to do so? Try 17 years. That's how old the flaw in the Windows Virtual DOS Machine was when it was made public in January 2010 by, wait for it, Tavis Ormandy.
Ormandy strikes again

Ormandy has become such a force in the Microsoft bug hunt that security blogger Graham Cluley renamed Patch Tuesday "Patch Tavis Day." That was back in 2010, around the time Ormandy published a working exploit for a Windows XP flaw only five days after notifying Microsoft. Ormandy's maneuver ignited a raging debate in security wonk circles over what is or isn't "responsible disclosure," a debate that is only getting more heated.

In May 2013, shortly after Ormandy revealed the latest flaw in Windows, Google's Online Security Blog declared its new get-tough-on-security-slackers policy: vendors with critical vulnerabilities under active exploitation in their products would have seven days to patch the holes and/or warn customers before Google went public with the details. Mind you, this was two weeks before we learned, via a report by Bloomberg's Michael Riley, that Microsoft gives US intelligence agencies advance notice of security holes before the patches ship, a head start the NSA can use to protect its own systems and exploit the vulnerabilities elsewhere.

In a massive Patch Tavis (er, Patch Tuesday) last February, Microsoft swatted 57 bugs, more than half of them identified by researchers at Google. The search giant is clearly fed up with cleaning up Microsoft's mess. Can you blame them?

Blowback for the whistleblower

Ormandy's situation is analogous to that of the Whistleblower of the Year, Edward Snowden. Frustrated by attempts to go through established channels of disclosure, knowing that such efforts would be at best ignored and at worst punished, both men went public with the information. And both have been criticized or lionized in roughly equal measure.

Let's say you're a hot-shot security researcher and you discover a big, fat bug in Windows that will let the bad guys do bad things. You know Microsoft is going to let the NSA have its way with that hole, and it could be months (or decades) before anything constructive is done about it.
Meanwhile, hackers at least as smart as you may have already discovered the hole and are mining it for all it's worth. What would you do?

Not an easy question to answer, I think. But it is one we'll all be faced with more and more as time (and Windows) wears on. Would you go public with exploits, knowing you're helping cyber fiends in the process? Or would you privately disclose and wait? Post your thoughts below or email me: cringe@infoworld.com.

This article, "Google to Microsoft: Patch faster, you slowpokes," was originally published at InfoWorld.com.