Thursday, 11 July 2013
Microsoft Issues Patch to Deal with 'Silly Code'
Back in May, Google engineer Tavis Ormandy took the occasion of a blog post to point out a security flaw present in the Microsoft Windows 7 and Windows 8 operating systems. Microsoft's reputation for security problems ensured that Ormandy's post garnered little real media attention. However, the Washington-based software giant did take notice. Its latest patch for both operating systems closes the loophole pointed out by Ormandy.
The security flaw was one that allowed local users on either operating system to elevate their privileges. For experienced computer users like Ormandy, this flaw is more of a blessing than a bug: by elevating their privileges, they can gain more access to their own systems with relative ease. However, such ease is dangerous in the hands of an inexperienced user.
Ormandy's critics, while agreeing with his assessment of the security flaw, claim he should have gone directly to Microsoft and allowed them to fix the hole without going public. In failing to do so, he opened the door for hackers who previously were not aware of the issue. Indeed, it seems some hackers have done just that.
In his own defence, Ormandy claims Microsoft can be hostile toward researchers to the point of making it very uncomfortable to report vulnerabilities. Ormandy has even gone so far as to advise other researchers to deal with Microsoft under pseudonyms or anonymously. In his blog post, he said he did not have time to deal with 'silly Microsoft code' relating to the security flaw he found.
Microsoft's inability to design and build secure operating systems with a minimum of vulnerabilities opens them up to these types of embarrassing situations. Furthermore, it seems rather strange to have outside researchers being the main force in pointing out software vulnerabilities. This type of scenario is one of the reasons Microsoft-based cloud computing has been slow to catch on. Companies just don't feel secure.
Nonetheless, Microsoft continues to move ahead unchanged simply because they can. Their OS dominates the market without question; competing operating systems do not even come close. Moreover, because everything from IT services to major manufacturers to local entrepreneurs depends on Windows, there is no real incentive to make drastic changes.
In Microsoft's defence, it would have been better for Ormandy had he dealt with the company directly. It doesn't help Internet users or those running Windows one bit to publicly air Microsoft's dirty laundry in a blog post. It could even have been dangerous from an IT perspective.
If there is any good news here, it's that Google has assured the IT community that Ormandy's actions were taken on his own time. The company says he does not engage in vulnerability research within his role as a Google engineer, indicating he does not have Google's endorsement for what he did. That is probably no comfort to Microsoft.