Google have finally fixed it.

Google seem to have finally fixed the flaw sometime around 6am today. Not bad, it only took them a little over 2 years, so good to know they're responsive. Actually it seems from the logs that it made it into the Google bug tracking system around 4pm yesterday, so 14 hours from then to fully rolled out is actually quite impressive. What's not impressive is the failure of the security@google.com address and the lack of any phone numbers to contact them.

Google did eventually get in contact with me by email at around 7PM yesterday, 3 hours after they knew about it and an hour after the bugtraq posting. They didn't seem to be overly concerned and claimed "to be aware of the issue"; combined with their lack of thanks for my drawing their attention to it, this suggests that it was actually a known bug they'd just neglected to fix. They said they'd look into why my security@google.com emails failed to elicit a response, but seemed mostly concerned about getting me to take the exploit page down. I declined that request; it didn't seem worthwhile, as the exploit had by then been mentioned on lots of other sites, so taking it down would've done nothing to aid security.

The fix they put in place is still flawed: it relies on special-casing the vbscript, javascript and perlscript strings, meaning other language protocols are still at risk in IE with its multiple scripting language capability. The risk is obviously much lower, as very few people have other scripting handlers registered, but it could still be used as a vector to attack a corporate installation with known other script engines. What I don't understand is why, instead of blacklisting various strings, they don't just require it to start with http:// - what other protocols do you want in an image on a customised Google?
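The two approaches contrasted in the paragraph above, as an added example that is not code from the original post or from Google: a blacklist that special-cases the three named script protocols next to an allowlist that only accepts absolute http(s) URLs. All URLs are constructed sample values, and `examplescript:` is a hypothetical stand-in for any additional script-protocol handler an IE installation might have registered.

```python
"""Blacklist vs allowlist validation of a user-supplied image URL.

Added example, not the original post's or Google's code. Sample URLs are
constructed; 'examplescript:' is a hypothetical extra script engine.
"""
from urllib.parse import urlsplit

BLOCKED_SCHEMES = ("vbscript", "javascript", "perlscript")
ALLOWED_SCHEMES = ("http", "https")


def blacklist_ok(url: str) -> bool:
    """Fix as described in the post: reject only the three known script
    protocols and let every other string through."""
    prefixes = tuple(s + ":" for s in BLOCKED_SCHEMES)
    return not url.lower().startswith(prefixes)


def allowlist_ok(url: str) -> bool:
    """What the post asks for: accept only absolute URLs whose scheme is
    http or https and which name a host. Anything unrecognised is rejected,
    so a fourth script engine needs no special case."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


SAMPLE_URLS = (  # constructed inputs
    "http://www.example.com/logo.gif",
    "https://www.example.com/logo.gif",
    "javascript:void(0)",
    "vbscript:msgbox(1)",
    "examplescript:dothing()",  # hypothetical unlisted script handler
    "/images/logo.gif",         # relative: no scheme, no host
)


def disagreements(urls=SAMPLE_URLS) -> set:
    """URLs the blacklist accepts but the allowlist rejects: the residual
    exposure of the special-casing approach."""
    return {u for u in urls if blacklist_ok(u) and not allowlist_ok(u)}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:40} blacklist={blacklist_ok(u)!s:5} allowlist={allowlist_ok(u)}")
    print("accepted by blacklist only:", sorted(disagreements()))
```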

Hopefully Google will get in touch and explain what went wrong with the communication of the issue, and hopefully Google will realise that a phone number for the security team on the web would also help. (After trying to explain to Tesco customer support a few years back that there was a non-SSL credit card collection problem and getting absolutely nowhere, I'm not going to call normal people with security issues; they don't understand them.) I don't actually expect them to get back in touch though; they weren't exactly friendly. Perhaps not surprising, as to them it seemed I went public before informing them, but for a trivial hole that'd been there for 2 years, I had to do something to get it fixed.

Comments

  1. PRODRiVER Says:

    gr8 work dude,
    when I saw Google Desktop Search results appear in Google's web site search results (2 days ago) I thought that this information may somehow be transmitted to someone using just a small script...

    Thank you for the proof, Mr. Lay ;)