Tavis Ormandy works at Google Project Zero. His job is finding security vulnerabilities. He is, by most accounts, the most prolific vulnerability researcher alive.
His resume of things he has broken reads like a who’s who of software you probably run right now:
- Windows kernel
- Linux kernel
- Norton/Symantec antivirus
- Sophos antivirus
- Cloudflare
- GnuPG
- Ghostscript
- LastPass (multiple times)
That last one deserves emphasis. He broke LastPass not once. Multiple times. The software that guards your passwords was itself insecure, and one person kept proving it.
The beautiful irony
Ormandy’s most consequential work is on antivirus software. His research demonstrated something that security professionals had whispered for years but nobody could prove at scale: antivirus software, by its very nature, expands the attack surface of your computer.
To scan files, an antivirus needs deep system access. It runs with the highest privileges. It parses every file format imaginable (PDFs, archives, executables, documents). Every parser is a potential vulnerability. The software that is supposed to protect you is, in many cases, the easiest way to attack you.
Ormandy proved this with vulnerability after vulnerability in Symantec, Sophos, and others. He did not just find bugs. He demonstrated a structural problem with the entire approach.
Why you have never heard of him
Security patches ship silently. When Microsoft pushes an update that fixes a critical vulnerability Ormandy reported, the patch notes say something generic like “Addressed a remote code execution vulnerability in…” Your computer is safer. You have no idea why.
The researchers who find these vulnerabilities practice responsible disclosure: they tell the vendor first, give them time to fix it, and only publish details after the patch is available. The whole system is designed to be invisible.
The result: billions of devices are protected by the work of people whose names never appear in any headline. Ormandy is the best example of this pattern because of the sheer volume and severity of what he finds.
The uncomfortable truth
One person at Google finds more critical vulnerabilities per year than many entire security teams at the companies whose products he is breaking. The companies selling you “protection” are often less capable of finding their own flaws than one researcher with a disassembler and a lot of patience.
Next time your antivirus tells you that you are protected, remember that someone out there has probably already found a way through it. And if you are lucky, that someone is Tavis Ormandy, not an attacker.
Tavis Ormandy’s research is published at lock.cmpxchg8b.com. Follow his work if you care about what is actually keeping your computer safe.