On Tuesday, Microsoft warned that it was issuing an emergency patch to fix a dangerous flaw in its software.
This is notable for a few reasons. Microsoft rarely releases these kinds of urgent patches: only nine of them so far in 2014. It normally saves all patches for one mega patch day once a month.

The flaw in question affects almost all of Microsoft's family of security software. That means that the software Microsoft designed to protect computers from hackers can itself be hacked. In this case, it can be turned off, and from there, the hacker could do more harm.
The person who found the flaw was none other than Microsoft's security nemesis, Tavis Ormandy. Ormandy is a well-respected Google engineer who has become famous for finding problems with Microsoft software and, sometimes, showing hackers how to use them before Microsoft has fixed them.

And that's a good thing, because the vulnerable software includes everything from Microsoft's free Windows antivirus program, Microsoft Security Essentials, to its corporate security product family, Forefront. It also includes Intune, the security cloud service Microsoft has been heavily hawking to enterprises.

But Microsoft knows Ormandy could share the problem publicly if he feels the company is dragging its feet. A year ago, when he found a bug that let hackers crash or gain control over Windows, he not only discussed the bug before Microsoft had fixed it, he released "exploit" code that showed how to use the bug.

It's all part of a long-running skirmish between Microsoft and Ormandy, who keeps pressuring Microsoft to respond faster to security problems. Microsoft has an age-old reputation for doing a poor job with security, in part because Windows is so popular that it is a constant target for hackers.
Back in 2010, Ormandy really pushed the company, angering many in the security world along the way. He gave Microsoft only five days between the time he told them about a flaw and the time he published information about it. The previous standard in the security world was 30 to 60 days.

Security pros are anxious to publish information on the flaws they find. That's how they build their reputations and their careers.

Last year, Google backed Ormandy and changed its disclosure policy. It said that if its engineers find security flaws in others' code, they will wait only seven days before making them public to the world. Their goal, Google said, was to make all companies move faster when they need to fix their software.

Meanwhile, Ormandy continues to breathe down Microsoft's neck. His latest interest? Windows 8. For instance, he tweeted a bug found in Windows 8 just last month.
JULIE BORT