mrb's blog

Microsoft Wrongly Accusing Google

Keywords: google microsoft security

The animosity that Microsoft displays towards Google is stupefying.

Check this out. On both the Microsoft Security Response Center blog and the Security Research & Defense blog, Microsoft comments:

  • "This issue was reported [...] by a Google security researcher."
  • "One of Google's security researchers publicly released vulnerability details."
  • "The analysis is incomplete and the actual workaround Google suggested is easily circumvented."
  • "We recommend not counting on the Google hotfix tool."

What is this about? Tavis Ormandy released details of a Windows Help and Support Center vulnerability (CVE-2010-1885). He discovered this on his own, as an independent researcher. In fact, his advisory states:

"Finally, a reminder that this document contains my own opinions, I do not speak for or represent anyone but myself."

This guy just happens to work for Google. Nothing wrong with that, right? Well, Microsoft does not think so. They place the blame directly on Google, and make sure to mention the name "Google" 8 times in these 2 blog posts, without once mentioning the name of Tavis Ormandy, the guy who actually discovered this.

Mike Reavey, Director, MSRC, you should know better, sir. Please apologize. Angry at Tavis that 5 days' notice was not enough to patch the flaw? Blame him, not Google. Do not use this full disclosure event as a vehicle to carry your frustration towards Google.