In perusing the daily news headlines with Google's new personalized home feature I saw a news article titled "Google Fixes Desktop Search Loophole" hosted on CIO Today. This is a great thing. I agree that it is a good move for Google to fix the problem now, as opposed to waiting for Microsoft to ship a product update to their ever-less-popular Internet Explorer.
However, I didn’t agree with the statement made at the end of the article:
“If Google has fixed its software so it is no longer vulnerable, then that is good news,” said Sophos senior technology consultant Graham Cluley. But Cluley questioned whether Gillon’s disclosure actually helped the situation by going public with a security flaw without working with Google and Microsoft first.
“Does the researcher think he has really contributed to the security of Internet users worldwide by going public with details of the problem when no fix is available?” he asked. “Or is this just a case of ‘Look at me! Aren’t I clever?’”
All security researchers should work with the vendors in whose products they have found flaws, said Cluley, and only disclose the details of the vulnerability in a responsible way when a patch is available.
I think that Cluley is mistaken here. As a senior technology consultant, I am sure that he has the resources to get through large software companies' red tape and let them know about real or even potential security flaws in a design.
The problem comes when you try to attack the way that Matan Gillon provided the information to the world. Gillon's personal website doesn't state what he does at Onigma, but I doubt that he has the resources to get through to even the public-friendly Google (let alone trying to tell Microsoft that they have yet again forgotten to secure their software).