[uxp]

> I've seen plenty of bugs where the original fix didn't fix everything

You're right, but plenty of bugs aren't for a browser extension that is supposed to enhance the user's security when browsing the internet. The initial fix appeared to show a complete lack of understanding of basic web security.

If you and an intelligent coworker have an agreement to review each other's code on commit, and that coworker responds to a valid complaint about what they've written with something that's probably lifted off of the first StackOverflow post they searched for that addresses the literal value of the complaint without actually solving the problem, you'd probably be a bit peeved that they're not doing their job. Here, the Chrome developers are just showing frustration at AVG's apparent lack of basic skill.

[ikeboy]

Frustration is fine. I'd even be fine if they banned AVG. But revealing a 0-day publicly without giving time to respond is worse, and is also not in line with Google's policies as I understand.

Many security bugs are for things that one might think are basic after hearing about them, and that shouldn't make it right to 0-day them.

edit: why would revealing a vulnerability to the world before it's been fixed be the right response to incompetence on the part of the vendor?

[brazzledazzle]

Regardless of policy it was the right thing to do.

[ikeboy]

Do you think 0-days should be reported as soon as they're found if the vendor is incompetent? If yes, what's the argument, if not, why is this different?

[tptacek]

When you find critical vulnerabilities in popular antivirus software, you can establish a 90 day publishing schedule, or a requirement not to publish until all related vulnerabilities are fixed, or whatever other policy you deem sensible.

Tavis Ormandy is one of the best known vulnerability researchers in the world; whatever publishing decision he and his team made, I think they probably put more thought into it than any combination of the comments on this HN thread did.

[ikeboy]

It sounds like you're saying he's above criticism for some reason related to fame? That doesn't make sense to me.

If there are details I don't know about that explain it, fine (but it doesn't look like that from what I do see) but arguments over ethics shouldn't be won by appealing to authority.

I might place more stock in your point here if he'd actually given a reason and acknowledge that he's opening up users to exploits, and say it's worth it because of X. As is it doesn't look thought out at all.

[tptacek]

I'm suggesting that the implication you're generating all over this thread that (a) there are hard-and-fast rules for disclosure and (b) Tavis Ormandy has somehow broken them is probably built on something other than firsthand knowledge of how vulnerability research works --- to say nothing of firsthand knowledge of how this particular vulnerability was handled.

[lfam]

If the vendor is incompetent and the bug is being actively exploited, then it's reasonable to violate the 90-day policy, which is designed in the spirit of cooperation with competent vendors.

6 months ago they decided to limit inline installations [1] and they probably started reviewing poorly-rated add-ons like this one at that time.

http://blog.chromium.org/2015/08/protecting-users-from-decep...

[ikeboy]

There's no indication that the bug was being actively exploited.

Anyway, it's not clear what benefit was had over releasing the report but without the XSS link. Maybe even say "there's XSS on your site" but don't mention the exact link.

Again, they should ban the extension completely if they think it's insecure, and if they haven't done that, they shouldn't be publicizing exploits.

[lfam]

Tavis Ormandy started tweeting at AVG about this subject several months ago.

And it's been pointed out that they aren't able to remove the extension from users' machines due to how it bypasses the Chrome security system. So their best bet was to ask AVG to do the right thing. AVG won't or can't.

So, what can Google do? Just silently accept it? The 90-day policy is worthless in this case.

[brazzledazzle]

Yes. 90-day windows are for us, not for companies/projects/teams. They are an acknowledgement that the producer of the software is best suited to patch and get that update to users. If they aren't suited for the task notifying users that they are at risk is the right thing to do.

[ikeboy]

Out of the following two outcomes:

1. Tell the company, maybe it takes another week to get it fully fixed 2. Tell users, most of whom will never hear about it, while hackers will

The first still seems better. As long as Google isn't pulling the extension and uninstalling it from all chrome users, it seems like disclosure is only hurting most users.

[tptacek]

That is a perfectly respectable and intellectually coherent rationale for not disclosing bugs you find prior to the availability of their patches.

However, on the off chance that you are somehow (despite it being 2015) new to the Great Disclosure Debate, you should be aware that there are other respectable and intellectually coherent rationales for other disclosure schedules, and that you are vanishingly unlikely to be the Internet Message Board Commenter That The Prophets Foretold Would Resolve The Disclosure Debate.

So while it's one thing to use this incident to give voice to your own reasoning about how disclosure should be handled, it's another thing entirely to moralize about it --- in this case, repetitively --- with a tone suggesting that the debate has somehow been settled, and you've somehow found out about that before the rest of us.

Your opinions about vulnerability research also get a lot more interesting if you can tell us about your own VR/xdev experience. Because, like it or not, and I know from your comments thus far that you do not like this, if Tavis Ormandy said "new rule: you can disclose 15 seconds after discovery, patch or no patch, so long as you yourself are wearing a pirate eye patch with a large googly eye glued to it", a pretty big swath of the security research community would accept that as The New Rule.

[brazzledazzle]

If they manage to keep XSS vulnerabilities off of the pages on their domain(s) for longer than a year I'll be very surprised.

Personally speaking, I'd rather know. If it's a piece of security software it's reasonable to assume the bad guys are already looking at it or using it.