Microsoft to thank Google researcher for privately reporting Windows bugs

Tavis Ormandy, who kicked off bug reporting debate, to get credit for reporting four flaws

The Google security engineer who stirred up a hornets' nest two months ago after publicizing a critical Windows vulnerability said Friday that Microsoft will credit his work on four of the 34 bugs slated for patching on Tuesday.

"Apparently I'm getting four credits on Tuesday," said Tavis Ormandy in a Twitter message Friday.

Ormandy is the researcher who disclosed a bug in Windows' Help and Support Center just five days after reporting it to Microsoft. Ormandy said he took the bug public when Microsoft wouldn't commit to a patching deadline; Microsoft has disputed that, claiming that it had only told Ormandy it needed the rest of that week to decide.

The resulting debate over Ormandy's actions grew heated at times, as some researchers defended his actions while others criticized him for revealing information that later was used by hackers to attack Windows PCs.

After the incident, Google said researchers should give vendors a 60-day window to patch, then go public with their findings to pressure patching. Not surprisingly, Microsoft has disagreed with setting patch-or-else deadlines.

Microsoft plugged Ormandy's vulnerability on July 13 as part of that month's Patch Tuesday. Microsoft did not credit Ormandy, or anyone else for that matter, in the MS10-042 advisory that accompanied the Help and Support Center patch.

At the time, Microsoft reiterated that that was standard practice, and had nothing to do with Ormandy specifically.

"When a security researcher is acknowledged in one of Microsoft's monthly security bulletins, it means that the vulnerability was reported to the Microsoft Security Response Center (MSRC) privately," said Jerry Bryant, a group manager with the MSRC, in an e-mail reply to questions last month. "The acknowledged individual or organization security researcher worked with us to help us understand the vulnerability, the extent of the risk to the products and platforms, and possible mitigations."

Bryant's language was identical to policies Microsoft has spelled out on its Web site.

The four flaws that Ormandy said will be acknowledged were reported privately to Microsoft, Bryant intimated. "Credit given in our bulletins is always based on the finder working with us to keep vulnerability details private until the update goes out," he said Friday. "The August bulletins will not deviate from normal process."

Bryant declined to confirm that Ormandy will, in fact, receive credit for several vulnerabilities. "As usual, we cannot discuss details of bulletins, beyond the [advanced notification] and yesterday's blog post, until they are released," he said.

Ormandy did not reply to questions about when he reported the vulnerabilities to Microsoft, and whether he thought it meant anything more than Microsoft following its usual practice.

Andrew Storms, director of security operations for nCircle Security, noted that researchers typically receive a heads-up several days prior to a Patch Tuesday that will include fixes for bugs they have privately reported.

French security researcher Matthieu Suiche said Friday that he would also receive credit for reporting four vulnerabilities on Tuesday's fix list. "Apparently I'm getting only 4 credits too," he said on Twitter.

Suiche, who now has his own security consultancy, MoonSols, has worked for EADS, the European Aeronautic Defence and Space Company; the Netherlands Forensics Institute of the Dutch Ministry of Justice; and, according to his LinkedIn profile, participated in Google's Summer of Code, a program that provides student developers stipends to write code for open-source projects.

Storms assumed that there was nothing under the surface about Ormandy receiving credit next week. "It would be pure speculation if Microsoft is patching his bugs any quicker than others," Storms said in an interview conducted via instant message. "In fact, I don't think I'd touch that topic with a 10-foot pole. But we can certainly be certain that Microsoft is keeping the conversation open and often with Tavis."

Bryant declined to respond to additional questions, including whether Microsoft was giving Ormandy's vulnerabilities higher priority than other researchers' bugs.

That didn't surprise Storms. "I think everyone wants to keep the relationship open and professional as much as possible," he said.

Last month, Microsoft urged others to drop the term "responsible disclosure" and instead substitute "coordinated vulnerability disclosure" (CVD) to describe the collaboration between researchers and vendors.

According to Mike Reavey, the director of the MSRC, the name change would eliminate the loaded word "responsible" from the debate about how researchers report bugs and how and when companies provide patches.

In an interview two weeks ago, Reavey denied that the name change was triggered by the Ormandy disclosure, saying that Microsoft had been working with outside researchers and security experts for months before the June brouhaha.

On Aug. 10, Microsoft will release 14 updates -- 8 labeled "critical" and 10 affecting Windows -- that will patch 34 bugs.

Gregg Keizer

Computerworld (US)