A remote code execution vulnerability was recently discovered in the Microsoft Malware Protection Engine (the scanning engine behind Windows Defender, Microsoft Security Essentials and Microsoft's other anti-malware products) that could allow an attacker to take complete control of an affected computer. Microsoft has fixed it with an update to the engine in the affected products. The engine is updated through the same channel as the anti-malware definitions, not through Windows Update, so the fix applies automatically within the normal definition update cycle (typically within 48 hours of release), but you can update the definitions manually, which pulls in the new engine at the same time, rather than waiting for the scheduled update.
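The manual check and update described above, as an added example that is not part of the original post. It assumes a Windows 8.1/10 or Server 2012 R2+ host where the Defender PowerShell module provides Get-MpComputerStatus and Update-MpSignature, and it compares the installed engine build against the first fixed build listed in Microsoft's advisory for this issue (the post itself quotes no version number, so verify that value against the advisory before relying on it):

```powershell
# Added example (not from the original post): confirm whether this Windows Defender host already
# runs the patched Malware Protection Engine, and force a definition update if it does not.
# Run from an elevated PowerShell session on Windows 8.1/10 or Server 2012 R2 and later.

# First fixed engine build as listed in Microsoft's advisory for this issue. Treat this as an
# input to verify against the advisory, not as something stated by the post.
$FixedEngineVersion = [version]'1.1.13704.0'

function Test-MpEngineFixed {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedEngineVersion
    )
    # [version] compares component by component, so 1.1.13704.0 correctly sorts after
    # 1.1.13701.0; a plain string comparison would not be reliable for version numbers.
    return $Installed -ge $Fixed
}

$installed = [version](Get-MpComputerStatus).AMEngineVersion

if (Test-MpEngineFixed -Installed $installed) {
    Write-Host "Engine $installed is at or above $FixedEngineVersion: fixed."
} else {
    Write-Host "Engine $installed is below $FixedEngineVersion: pulling new definitions now..."
    # Definition updates carry the engine, so this is the manual path the post describes.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    if (Test-MpEngineFixed -Installed $after) {
        Write-Host "Engine now $after: fixed."
    } else {
        Write-Warning "Engine still $after after updating; check the update source (WSUS or an internal mirror may not have the new engine yet)."
    }
}
```

On older clients without the Defender module (Windows 7 with Microsoft Security Essentials, for example) the same manual update can be triggered with `MpCmdRun.exe -SignatureUpdate` from the product's install directory, and the engine version is shown on the product's About/Help screen; the version comparison above applies unchanged.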
Now, I don’t intend to go into the details of the exploit / bug / unwanted feature in the Microsoft Malware Protection Engine; plenty of other sites will do that, in far more detail than I could ever hope to. What I want to talk about is the way it was revealed to the world.
Once again this bug was discovered by Tavis Ormandy of Google Project Zero (together with Natalie Silvanovich, @natashenka, whom he credits in the tweet). The first we knew about it was at approximately 03:00 UTC on Saturday 6 May 2017, with this tweet from @taviso:
I think @natashenka and I just discovered the worst Windows remote code exec in recent memory. This is crazy bad. Report on the way.
— Tavis Ormandy (@taviso) May 6, 2017
It is the method and style of the release of the bug / exploit information that concerns me. Everybody in the InfoSec field knows of Tavis Ormandy and has a very high regard for his skill set and the way he finds bugs, exploits and unwanted features in all the major operating systems and in many commonly used programs. When he tweets or announces something, the whole InfoSec community jumps to attention and starts asking: “What now?” “Does it affect me or my users?” “How can we mitigate this before a patch comes out?”
The tweet this time gave no details beyond, in effect, “I have found a bug in Windows that is really dangerous”. To my way of thinking that is an irresponsible approach, and it only reinforces the belief that Tavis is a self-seeking, publicity-hungry, narcissistic personality who must always be the centre of attention.
There was absolutely no need to post anything about the bug in the way he did. His tweet didn’t help anybody to protect themselves. All it did was feed his belief in his own self-importance.
He could easily have posted nothing, reported it to Microsoft (as he did), and only gone public after it was fixed three days later.
I personally wouldn’t have had any problem if he had posted on the Saturday morning that he had discovered a remote code execution bug in the Microsoft Malware Protection Engine. That at least would have given some peace of mind to millions of harassed InfoSec personnel, who would then have known whether they were affected, what they might be expected to do about it, and whether their weekend was totally ruined or not. Giving that small amount of information wouldn’t have helped any bad guys to build an attack: naming the affected component says nothing about where the bug is or how to trigger it. And if Tavis discovered it, then anybody else could have discovered it independently, simultaneously or even earlier, and could already have been using it in targeted attacks.
To sum up, I have the highest regard for Tavis Ormandy’s skill set and his dedication to finding important bugs. But I have serious reservations about his desire for publicity in regard to what he finds.