Responsibility is perhaps one of the first values we learn in life, yet among everything that happens in our lives, some events seem to justify abandoning it. Tavis Ormandy, a Google engineer, is in the hot seat because of his recent reports on a Microsoft Windows XP flaw. This was not an ordinary report: in his report last Thursday, he included code that would give others the opportunity to exploit the flaw. This seems to go overboard with respect to proper disclosure etiquette.
The Thursday report gave the flaw away in full. The flaw he found is located in the Windows Help and Support Center tabs. He then published it in a Full Disclosure security email, which also contained attack code.
The issue has also become a concern for both Google and Microsoft. As background, the two companies have been drifting apart, as Google refuses to use Microsoft, citing reasons about its security. This has been going on for quite some time.
On the other hand, other IT experts are concerned about Ormandy's irresponsible move. He made bold but irresponsible use of this disclosure email. He stated that if he had reported the issue without the attack code, he would have been ignored. This still does not justify such irresponsible use of disclosure.
Microsoft’s Jerry Bryant has also stated that the move put at risk all computer users running the affected systems. What is alarming is that this can go worldwide. Windows XP or Windows Server 2003 users would only need to be invited to a particular web site for attackers to take control of the whole computer.
Another irresponsible aspect of the move is that he gave a mere five days for patching. Robert “RSnake” Hansen, SecTheory security researcher and chief executive, believes that this is not a reasonable length of time. He also mentioned that Google has made a bold move in going to Full Disclosure while others could not. This runs against Google’s past concern for responsible disclosure.
However, Google believes that such statements, findings and disclosure are the work of an individual. Tavis Ormandy says the same: the move was not made in connection with his employer.
There are still some who commend Tavis Ormandy’s reports, such as Computer Professionals for Social Responsibility. Still, they are quiet on whether it was right or wrong.
H.D. Moore of the Metasploit exploit database, on the other hand, seems to commend the action, stating that the fastest way of solving such problems is to do the same: release an exploit for the problem.
However fast and effective full disclosure and an exploit may be, they should not be used as a way to catch attention and get a problem fixed. Those involved should keep in mind that millions of computers might be affected, and remember that this is a matter of social responsibility and not just of who is better than whom.