Google Researcher Publishes Unpatched Windows 8.1 Security Vulnerability

An anonymous reader writes "Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability which Microsoft hasn't yet patched. By design the system call NtApphelpCacheControl() in ahcache.sys allows application compatibility data to be cached for quick reuse when new processes are created. A normal user can query the cache but cannot add new cached entries as the operation is restricted to administrators. This is checked in the function AhcVerifyAdminContext(). Long story short, the aforementioned function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It hasn't been fully verified if Windows 7 is vulnerable. For a passer-by it is also hard to tell whether Microsoft has even reviewed the issue reported by the Google researcher. The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."

GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which
gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY ?
Are you a NIGGER ?
Are you a GAY NIGGER ?

If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE and watch it.

You can watch GAY NIGGERS FROM OUTER SPACE on Youtube.

Second, you need to succeed in posting a GNAA "first post" on slashdot.org , a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.easynews.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here.

If you have mod points and would like to support GNAA, please moderate this post up.

This post brought to you by Penisbird , a proud member of the GNAA

G_____________________________________naann_______ ________G
N_____________________________nnnaa__nanaaa_______ ________A
A____________________aanana__nannaa_nna_an________ ________Y
A_____________annna_nnnnnan_aan_aa__na__aa________ ________*
G____________nnaana_nnn__nn_aa__nn__na_anaann_MERI CA______N
N___________ana__nn_an___an_aa_anaaannnanaa_______ ________I
A___________aa__ana_nn___nn_nnnnaa___ana__________ ________G
A__________nna__an__na___nn__nnn___SSOCIATION_of__ ________G
G__________ana_naa__an___nnn______________________ ________E
N__________ananan___nn___aan_IGGER________________ ________R
A__________nnna____naa____________________________ ________S
A________nnaa_____anan____________________________ ________*
G________anaannana________________________________ ________A
N________ananaannn_AY_____________________________ ________S
A________ana____nn_________IRC-EFNET-#GNAA________ ________S
A_______nn_____na_________________________________ ________O
*_______aaaan_____________________________________ ________C
Gary Niger gary_niger@gnaa.us GNAA Corporate Headquarters 143 Rolloffle Avenue Tarzana, California 91356
Enid Al-Punjabi enid_al_punjabi@gnaa.us GNAA World Headquarters No.33 Kyutei Bld. 2F, Shinjuku 2-11-7, Shinjuku-ku, Tokyo, Japan æ±äéf½æ-å®åOEæ-å®ï¼'äç®ï¼'ï¼'â'ï¼-
Copyright (c) 2003-2015 Gay Nigger Association of Amer

Re:GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

[The+Fifth+Man]

[sigh]

If Slashdot has a patrolbot that auto-deletes comments with the letters (ess jay double-yew) in it in gender politics threads, can't it also be made to cover a post with the N-word if it occurs a dozen times?

Re:GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

No censorship allowed!!! Don't like it? Don't read it!!! To anybody who wants to start deleting comments on Slashdot, here's a big FUCK YOU!!! We must not tolerate censorship! EVER!

Re:GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

[slashdotwannabe]

WE MUST NEVER CENSOR TROLLS! Because, umm, wait. Why must we never censor trolls?

Re:GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

Perhaps we could move it to a "Possible trolls" thread?

Re:GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS!

A few days late, but here we go: because to do it properly we must first find a definition of 'troll' with absolutely no room for misinterpretation or false positives. Failing that, we would end up with the same kind of censorship our benevolent leaders claim is meant to protect us from obscenities, terrorist propaganda and child pornography.

90 days to fix

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

Re:90 days to fix

We don't know if Microsoft reviewed that report.

Re:90 days to fix

[plover]

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

It's no big deal. I'm posting this from my Windows 8.1 box, and nothing bad has happened. ... @LizardMafia RULEZ!1! d0wn with S0NY!!11!

Re: 90 days to fix

[O('_')O_Bush]

That really isn't Google or our problem. Attackers aren't going to politely wait for Microsoft to fix issues like this, and Microsoft won't fix issues like this unless they are pressed to. And this brings up the glaring flaw with closed source products. If a third party flagged an issue in an open source product, any user that is concerned enough could potentially fix it or patch their own systems themselves. With closed source, we have to wring our hands and wait for someone at Microsoft to care enough to fix it.

Re: 90 days to fix

In most cases it's too hard for the user to fix the open source product. It requires a true überwizard and lots of time.

Re:90 days to fix

I think after 90 days, Miccrosoft should be held criminally accountable to every single user, worldwide. Applies to "dropped" support products people may be forced to continue using for various reasons (embedded, integrated systems, lack of budget to upgrade to new OS/hardware) .. think Win 7 and even XP.

Re:90 days to fix

So you think Microsoft should be forced to provide security updates for all of their products in perpetuity?

Have you really thought about the economic ramifications of that?

Re:90 days to fix

It is a user escalation vulnerability. These sort of vulnerabilities sometimes exist in Linux for months or years as well. They are generally considered less urgent to fix.

Re: 90 days to fix

[The+Fifth+Man]

If only there were a way to communicate such bugs discovered in an open source piece of software to lots and lots of people. That way, many sets of eyes would surely see and then fix the issue and, in turn, communicate the fix and maybe distribute a binary for patching.

Re:90 days to fix

[Charliemopps]

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

You've never been through regression testing have you?

Re: 90 days to fix

More often than not, when I communicate something like that, for example report a bug via mailing list or bug tracker, no one replies anything and the bug never gets fixed properly. Months pass by.

Re:90 days to fix

[hawguy]

I think after 90 days, Miccrosoft should be held criminally accountable to every single user, worldwide. Applies to "dropped" support products people may be forced to continue using for various reasons (embedded, integrated systems, lack of budget to upgrade to new OS/hardware) .. think Win 7 and even XP.

No one is "forced" to continue using MS products -- unless they signed a support contract for extended support, MS can't be held responsible for supporting legacy systems indefinitely. If you don't want to be stuck with a system running an unsupported operating system, then you can sign (and pay for) a long-term support contract throughout the life of your product, you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself, or you can plan on upgrading your product hardware/software to stay with currently supported software.

I fail to see how Microsoft has any responsibility to support software for a hardware product that a manufacturer has decided not to keep current enough to run supported software. If the old HVAC system in your building relies on Windows 3.1 to keep it running, then maybe you ought to go after the vendor that sold it to you, if a replacement for the fan motor in your HVAC system is no longer available, you'd either retrofit to accept a current motor, or just upgrade the entire system, which is what you should do when the computer that controls it is no longer supported by current software.

Re: 90 days to fix

[kenshin33]

can't they -the user- hire "a true überwizard " to do it?

Re: 90 days to fix

Sure, if you got the money. :) However a lot of people choose open source exactly because it is free in beer.

Re: 90 days to fix

[guruevi]

Really? Any coder able to find issues like this should be able to fix issues like this if they have the proper source code. Most issues are trivial to fix, substituting an unsafe call with a safe(r) call (eg. strcpy vs strncpy) is often enough to fix most issues.

Sure there will be some side cases where it is really hard or there may be better solutions than your patch (eg. I recently found a bug in the MariaDB optimizer which leads to bad data being returned) but then at least if the product on top of it (CiviCRM and Drupal in my case) is also open source, at least I can modify the query to fit my needs even though both Drupal and CiviCRM people say 'not our problem'.

Re:90 days to fix

Either that or let someone else fix it.

After all, it was their failure in the first place.

Re:90 days to fix

[gweihir]

I agree. Even a second-rated software shop should have no trouble meeting that deadline. It appears that MS is still third-rate. The only thing that will help is making them fully responsible for any and all damage caused by their inaction.

Re: 90 days to fix

[gweihir]

Actually, for FOSS projects a single user that fixes it and submits a patch is enough for all users to have a patch. This is much more powerful and the reason fix-times are often measured in hours for well-done FOSS projects.

Re: 90 days to fix

[gweihir]

Indeed. But since it is FOSS, a single "true überwizard" that then submits a patch is enough for all to have a patch. In the closed-source case, some mediocre, underpaid and unmotivated corporate slave has to take an interest and manage to fix it, and that takes far longer in most cases. 90 days is completely unacceptable though.

Re:90 days to fix

[drinkypoo]

you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself

Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.

Re:90 days to fix

[hawguy]

you can get the source (harder with closed-source products, but not impossible with enough money) and support it yourself

Well no. Sometimes you can find the bug, but you're not allowed to use the source. Common with closed-source products. They'll give you enough information to help them, but they won't legally let you help yourself. Because money.

Then you haven't applied enough money and/or pressure.

I worked for a large VAR years ago that had access to the Windows source... I don't think they had the whole source tree, they couldn't do a full build, but they could get access to any module they needed.

I worked for a another company that was the largest and most well known customer of an up and coming database company, they used our name heavily in marketing - we wanted source code escrow in case the DB company went under and we had to support it ourselves. after months of negotiation we couldn't come to an agreement, so we told them we were moving to a different product and engineering was actively porting over to the other product. In less than a month, that company capitulated and we had full access to their source code (not just escrow, we had live access to their source code repository).

If you don't have enough money and/or pressure to get access to the source code, then you're accepting Microsoft's limited support window and shouldn't cry foul when Microsoft stops supporting your product.

Re:90 days to fix

[Stan92057]

Really? They had 90 days to fix this. That is plenty of time.

Really? says who? YOU? Anonymous coward says so?

I just thinking out loud here but if everyones PC gets infected by someone using the knowledge given by this asshole, everyone who gets exploited and has there credit card exploited or there debit cards exploited PC exploited should sue Google. Its not thee right to make Windows/any OS users open to scum criminal hackers. IMO this is nothing more then criminal blackmail. they cant beat MS with an open market so they help hackers take them down.

Re: 90 days to fix

[Stan92057]

umm why would it be his responsibility to take interest? Since hes a slave, underpaid,unmotivated coder, doesn't he have to be told what bugs to fix by some corporate overpaid, under motivated, drone MS manager?

Re:90 days to fix

[bkcallahan]

Either that or stop using it.

Re:90 days to fix

[drinkypoo]

You've never been through regression testing have you?

If stories of Microsoft's competence (heh heh) are to be believed (heh heh heh) then they already have a full test harness in place, and engineers tasked full-time with adding new cases to the system. Given what slips through, though, one doubts both their competence and also that they have a meaningfully representative set of PCs to test on. I'll grant you that would be difficult in the best case due to wide variation in the market, but the point stands.

Re: 90 days to fix

[gweihir]

Depends on the set-up, but usually it works like this: Engineer escalates to PHB -> PHB makes clueless decision -> engineer implements clueless decision. Done right, the engineer is reasonably senior, makes his own decision and just consults with a more senior or equally senior engineer for plausibility. Management only sets policy in that case. Of course, it is possible that MS has a "fix only if there is outside-pressure" policy for their engineers.

Re:90 days to fix

[RingDev]

From the looks of things, this vulnerability only allows the would-be exploiter to circumvent UAC.

They still need valid credentials for a user with Admin rights to do anything significant (the demo just attempts to launch Calculator).

Which, given your post would imply that you are logged into your Windows 8.1 PC as a user with Admin rights. And if you are perusing Slashdot while logged in as an Admin, you are doing something far worse than Google disclosing the vulnerability :P

-Rick

Grammar police alert

Undisclosed?

Re:Grammar police alert

[NoNonAlphaCharsHere]

I do not think that word means what you think it means.

Re:Grammar police alert

[ceoyoyo]

Google inadvertently reveals they have captured enough of the Internet to erase things from it.

Re:Grammar police alert

Inflammable!

Re:Grammar police alert

[franblets]

It is like a double positive... Yeah, right.

Re:Grammar police alert

As an adjective, undisclosed means hidden. But OP used it as a verb. To disclose something would be to reveal it. OP could have said that the Google bot automatically revealed something previously undisclosed, but for OP to say that the bot automatically undisclosed the information is, indeed, an error of using the word "undisclosed" in a nonsensical way.

Re:Grammar police alert

Undisclosed?

Yeah, didn't it "automatically disclose" the flaw?
If it was "undisclosed" it would still be unknown.

Re:Grammar police alert

[marciot]

So this is good. This vulnerability was previously disclosed, but they undisclosed it. The undisclosure was done by the NSA using their version of the neuralizer, the existence of which was disclosed by Snowden last year, but has since been undisclosed (which is why you don't know about it).

Re: Grammar police alert

[GrantRobertson]

Haven't they already proven it is impossible to "UNdisclose" anything on the internet. Once it is disclosed, it's out there forever.

"Can't stop the signal, Mal."

Re:Grammar police alert

[ndogg]

I think they meant non-undisclosed, which is a perfectly cromulent word. Irregardless, we should all be carefuller with grammar.

Re:Grammar police alert

[Maritz]

Yeah. Personally if I was writing a summary for a news site, I'd check what the fuck I was saying makes sense before posting it.

How Long?

Is a reasonable amount of time to let a company sit on a known vulnerability? I feel like 90 days is pretty reasonable. There's still that Apple root pipe thing that's floating around that they haven't fixed and hasn't been fully disclosed.

Re:How Long?

[gweihir]

90 days is plenty if they are actually prepared to maintain their stuff. It seems MS is not.

Google is terrorist

Jailtime for Google! Happy New Year for all!!!

Sony

Researchers!

First Sony, now this.

Re:Sony

Researchers!

First Sony, now this.

The researcher's name was Lizar Dsquad.

Ha ha ha

[drinkypoo]

The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea.

Not automatically revealing a vulnerability just like that would be an even worse idea. Sometimes, there is no good idea, just the best of bad options.

Re:Ha ha ha

Yeah. I'd rather the world knew than just the hacker scumbags of the world. Seems like the relatively good option.

Re:Ha ha ha

The problem is that it's likely that at that point most of the scumbags will also learn from the vulnerability for the first time.

Re:Ha ha ha

[nobuddy]

People used to wait on Microsoft to fix before revealing. As a result, Microsoft didn't bother to fix anything until it became a problem in the wild.
Once people started giving deadlines and sticking to them, Microsoft's patch response time became orders of magnitude faster. Simply put, they will do ONLY what they are forced to do.

Re:Ha ha ha

[Dutch+Gun]

Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority. They've taken reported security exploits seriously for a very long time now, and disclosing any vulnerability before a patch is deployed is absolutely irresponsible. It's arrogant as hell for Google to decide that 90 days is long enough, thank you. Recently, though, that seems to be nothing new for Google, as they now seem fairly comfortable dictating timelines to the rest of the internet about all sorts of recent security-related issues.

Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people... much more so than security issues that may not have even been seen in the wild yet (I saw no indication in the linked article that this was the case) - but now probably will since the attack is known. If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.

Sorry if I sound like an MS shill, but Google is really starting to piss me off with their high-handed attitude on stuff like this lately.

Re:Ha ha ha

If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.

90 days to handle this. Ninety.

Re:Ha ha ha

[robi5]

I've been laughing, reading your tongue-in-cheek humor until your last sentence... then realized that maybe you actually meant what you wrote...

Re:Ha ha ha

Why is 90 too short?

It only took 3 days to fix the OpenSSL problem.

Oh right - they had the source, so the announcement and fix was simultaneous.

Re:Ha ha ha

If that happens, Google is as culpable for any harm done as Microsoft is because of their disclosure policy.

Yea, damn that Google for first forcing Microsoft to write buggy code*, refusing to patch the code and release it themselves**, and only giving Microsoft 90 days*** to fix the bug, make an announcement, do all the regression testing, and release the fix to the public.

* Because it's Microsoft's code and they own the copyright on it. About the only defense Microsoft has in any of this is trying to argue that Google didn't have the right to discover the bug to the degree of finding the actual function/fault instead of the usual fuzzy testing which would only hint at the problem. But, yea, even that sort of fuzzy testing would likely give away the actual fault.

** Because again it's Microsoft's code and their copyright/license prohibits Google from releasing any sort of a patch (binary patches, even, are legally dicey). Compare that to if Microsoft discovered a bug in Chrome, released a patch, and then Google refused to include the fix. Because that's basically the place you'd have to go to point out the dissimilarity in position of the two when it comes to what can legally be done and culpability.

*** Because a person spends less time in jail for assault. So, literally if Google was reporting a bug to a notorious barroom brawler coder, they'd have good odds of being charged, tried, serving their jail time, and still having plenty of time to get the bug report, fix the bug, do regression testing, make an announcement, and release the patch. I mean, fuck, that's a pathetically generous amount of time.

Re: Ha ha ha

[mshieh]

You sound like a MS shill, because the bug would not have been automatically disclosed if Microsoft had attempted to contact Google regarding this bug within 90 days.

Re:Ha ha ha

[gweihir]

If software manufacturers actually cared to fix things fast, there would be no need. But as fixing bugs costs money and there is _zero_ penalty for not doing so, most do not bother unless forced to. 90 days is plenty. Things not fixed in 90 days will never be fixed, unless there is at the very least a risk of bad press.

Re:Ha ha ha

It's arrogant as hell for Google to decide that 90 days is long enough, thank you. Recently, though, that seems to be nothing new for Google, as they now seem fairly comfortable dictating timelines to the rest of the internet about all sorts of recent security-related issues.

Never trust online-controlled systems that forbid airgapping by design. For instance, application "markets" that are popping up like crazy instead of good old mirrorable http / ftp repos. Anything a company can pull from the cloud is an illusion that you shouldn't waste your mindshare and time with. This goes the same with trusting your browser, which can hide things from you and auto-update itself unless you mess with settings or just block your updater. Because keeping up with a version number that is known "insecure" but under my control is more valuable to me than one that is secure but is missing features at the whim of a comopany.

The fact that features routinely will stop working overnight with the latest Chrome or Firefox updates for your home or work environment is frightening.
Blocked non-HTTP frames in HTTPS contexts, disabling my old plugins and extensions with annoying warnings (including even McAfee antivirus), and now blocking ddwrt's default certificates and threatening to kill side-loaded extensions are a few of the things that have AMBITIOUSLY changed in about 18 months. This doesn't account for the bold requirement of a google account to download even free chrome browser apps...
This post almost forgot mentioning the GUI brain-death reaching my every browser. I'm not safe in Firefox because it is tainted with chrome's ideological cancers. I have version-frozen builds of Palemoon and Comodo Dragon that I prefer to the official browsers. My next OS reinstall will just not have the official versions installed, due to this hubris that is their upgrade drama

Re:Ha ha ha

[strikethree]

Microsoft got serious about security a decade ago when it became obvious that their customers cared about security, and made it a company-wide priority.

ROFLMAO. I could go on and on for hours about how pathetic Microsoft Security is but instead, I will not bore you and just talk about the one that is the largest pain in my rear right now: It is titled Windows Credential Theft.

Yes, the geniuses at Microsoft decided that leaving Domain Admin credentials laying about on any average workstation is not a huge problem. It is not like just anyone has access to the computer after all and it is not like having your entire domain compromised is a huge deal...

Seriously. Caching Domain Admin credentials. On a workstation... Serious about security? It is to laugh. These clowns would not know security if it walked up and introduced itself.

Re:Ha ha ha

[drinkypoo]

Keep in mind that if Microsoft screws up a patch (something that's happened a few times recently), it causes very real problems for a massive number of people

So, get to the part where it's google's fault that Microsoft is too incompetent to take security seriously?

Re:Ha ha ha

[Dutch+Gun]

Ok, people are getting distracted by my statement that MS is "taking security seriously". Let's put aside how *effectively* they're "taking security seriously" for now, because that's entirely besides the point. What my point was is this: MS has well-established machinery and procedures in place for accepting bug reports and getting them fixed. This is indisputable; a lot of bugs has been responsibly reported to them in confidence and subsequently fixed. We see them every month on Patch Tuesday. Did the machinery fail here, or is it just a back-burner bug that's taking a long time to fix? It's hard to say. Did Google make any attempt to contact MS before this went public?

More importantly, is Google justified in releasing details of an exploit that hasn't been fixed yet? In the security world, this is typically considered black hat behavior, not white hat. 90 days is an annoyingly long time for MS to get a bug fixed, true, but I haven't seen any indication that this is a high-priority fix either - that is, like it's currently being exploited in the wild and is a critical security breach.

Sorry, but I'm just having a hard time justifying Google's behavior here. It seems pretty irresponsible to set up a system to automatically push out bug details after 90 days automatically, regardless of whether or not it's been fixed. This seems more like a political move against MS to embarrass them (and yeah, they probably should be embarrassed that it's taking them so long). What I don't understand is why people think this is acceptable, regardless of how you feel about MS.

Re:Ha ha ha

[Kirth]

> It's arrogant as hell for Google to decide that 90 days is long enough, thank you.

Totally ridiculous. I've witnessed the "responsible disclosure" discussions a few years back, and even then, 4 weeks was considered generous. I'd say it's totally egotist of you to expect google to keep even quiet for more than 30 days.

I'd given them two weeks and gone out with it. And there's some researchers with a lot more clout than me, who would have given them exactly ZERO days: http://www.securityfocus.com/a...

Re:Ha ha ha

> It's arrogant as hell for Google to decide that 90 days is long enough, thank you.

Totally ridiculous. I've witnessed the "responsible disclosure" discussions a few years back, and even then, 4 weeks was considered generous. I'd say it's totally egotist of you to expect google to keep even quiet for more than 30 days.

I'd given them two weeks and gone out with it. And there's some researchers with a lot more clout than me, who would have given them exactly ZERO days: http://www.securityfocus.com/a...

I really don't see how that type of attitude helps with security? While I understand security researchers wanting to improve security and make things better for everyone, the elitest attitude that things need to be fixed right NOW doesn't actually help anyone.

Everyone here has a valid point! Most commercial interests like Microsoft and Apple do not take security as seriously as they should. There are of course many different reasons for this. For one, not all developers are security experts and another reason of course is that commercial operating systems like Mac OS X and Windows 8.1 are trying to Wow end users with flashy features that often aren't tested properly with regard to security.

While it would be great if we lived in an ideal world where we could have our cake and eat it too and have all the flashy bells and whistles and have great security to boot, that's never going to happen! Or if it does happen will take a monumental effort from both consumers and security experts to convince the corporations to make more secure software.

Regardless of how secure things are made, there will always be someone out there that finds a way around it. You can install a home alarm system, bars on all your windows, dead bolt locks on all your doors, and a turret on your house :) A determined thief will still find a way in if they want something in your house or if they know you have valuables in your house that make it worth their time.

So I feel the poster is correct and that Google shouldn't have disclosed the details until Microsoft had a patch out. Though it still doesn't give Microsoft an excuse to take so long to patch a security flaw.

Let's be honest

If you're using Windows 8.1, this particular vulnerability is the least of your problems.

Re:Let's be honest

[gatkinso]

For a long time I thought that... then I actually tried Windows 8.1.

It is not bad actually, and far better than 7 in every way that I can tell.

Re:Let's be honest

Superficial UI bullshit notwithstanding, could you list even a slngle way it is better than Win 7?

Re: Let's be honest

Better battery life. Better support for touch.

Re: Let's be honest

Better battery life. Better support for touch.

That sure is better in every way. Um. Wait. No. It isn't.

Re: Let's be honest

It is better in a single way, which was what was asked for.

Re:Let's be honest

[gatkinso]

Boots faster. Is more stable. Uses less memory resources. Windows networking seems to work better. Seemless integration with the kids XBox.

I seem to have much more luck developing drivers on 8.1 as well - far less error check screens (more a function of me learning the DDK), also at the user level ETW seems rather more robust. Windbg also seems to be more stable when running on 8.1.

Also, I like the UI better (on the desktop) - I largely ignore the metro screen or whatever it is called.

Re: Let's be honest

What was asked for was a single way.
That's two ways.
FAIL.
(Couldn't resist.)

Re:Let's be honest

No matter how you cut it the same old baloney.

Re:Let's be honest

Windows 10 TP is even better. Feels like Windows 2000, amazing.

Re:Let's be honest

[drinkypoo]

Seemless integration with the kids XBox.

Yeah, guess what? The kid's Xbox would integrate with Windows 7 or even XP just fine. But it still wouldn't play MKVs without PS3MediaServer or similar.

Re:Let's be honest

[gatkinso]

Try it on 8. Mo betta.

Poor choices to use proprietary cause this!

Stop using it and you won't have this problem!

If somebody cares to fix it the problem at least can be fixed. That's not the case with proprietary software though. While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

Re:Poor choices to use proprietary cause this!

[halivar]

While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.

Re:Poor choices to use proprietary cause this!

[Dagger2]

So?

The GP's point is still entirely valid.

Re:Poor choices to use proprietary cause this!

[plover]

Let's see how that plays out in the Open Source world:
Step 0: discover exploitable vulnerability in Linux kernel random number generator.
Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
Step 3: publicly post details of exploit
Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this privately
Step 5: wait for it ...
Step 6: enjoy your now-patched system.

I'm sure I missed an unpleasant step somewhere in the above, but it should be enough to acknowledge that Open Source isn't always the perfect solution we imagine it to be.

Re:Poor choices to use proprietary cause this!

[jones_supa]

While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

It's only a theoretical possibility. Even if the fix would not consist of much code, getting familiar with the codebase and then designing the proper fix takes ages.

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Re:Poor choices to use proprietary cause this!

I don't see how it is valid anymore.

Re:Poor choices to use proprietary cause this!

[drinkypoo]

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

You've really got to try to fix a few things before you can appreciate how uneven the situation can be. I've fixed some little things, they were easy. I've tried to fix some other apparently little things and failed, and found some other solution instead. Or not.

Re:Poor choices to use proprietary cause this!

You sound like someone who is pro-gamergate.

Re:Poor choices to use proprietary cause this!

"tirade of racist and misogynistic"

Sounds like you're a real nasty sexist who discriminates white men on their gender and skin color, by assigning them these attributes out of nowhere.

Re:Poor choices to use proprietary cause this!

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Why? The great thing about open source is that if there's a problem in a key package then any supplier can work on it. Red Hat can. Canonical can. IBM can. Or I can pay someone to work on it myself if I really want to. Maybe you're the exception but I suspect that most of us work in businesses where multiple sources of supply is a good thing - that's something open source at least helps with and closed source actively works against. Suggesting that open source only makes sense if I can fix it myself is like suggesting I use proprietary wiring in my house that only one supplier can work with because, hey, I'm not an electrician myself. Madness.

Re:Poor choices to use proprietary cause this!

[gatkinso]

I think the "at least the end-user isn't restricted from fixing bugs when they occur" part is what the rejoinder was referring to.

Re:Poor choices to use proprietary cause this!

[jones_supa]

Why? The great thing about open source is that if there's a problem in a key package then any supplier can work on it. Red Hat can. Canonical can. IBM can. Or I can pay someone to work on it myself if I really want to.

Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.

Re:Poor choices to use proprietary cause this!

[buchanmilne]

Sure, but now we are already talking about paid professional developers. My criticism was directed to the original claim which was that the end-user can fix the bugs.

No, the original claim was:
"at least the end-user isn't restricted from fixing bugs when they occur."

Paying/getting a different party to fix the bug is a valid application of "not being restricted from fixing the bug". In the case of proprietary software, if the original vendor doesn't fix it, you're stuck with the choice of being vulnerable or making significant changes (switching to a different proprietary software).

Re:Poor choices to use proprietary cause this!

[ruir]

I already fixed kernel bugs. And probably many others. At least there is the choice and the possibility of doing it. Could we do the same in Windows?? Think about it.

Re:Poor choices to use proprietary cause this!

While non-proprietary software might be imperfect at least the end-user isn't restricted from fixing bugs when they occur.

The average Linux user does not fix his own kernel bugs. End-users are restricted, if not by closure, then by competence and knowledge.

The linux kernel source code is riddled with unused variables and other unfixed and seemingly minor issues which collectively represent security vulnerabilities. The worst part about trying to capture these unused variables is the sheer verbosity of the output during compilation. While building Linux From Scratch (LFS) I encountered a multitude of unused variables, among other deficiencies, which I would have liked to address, however, the compilation messages scrolled merrily off screen never to be seen again...until the next compile cycle. If someone would pay me a decent income I would enjoy hunting down these deficiencies but alas companies don't view that work as sexy so it is left to fester and bit rot sets into the code base as the years pass.

Re:Poor choices to use proprietary cause this!

[jones_supa]

That's true.

Re:Poor choices to use proprietary cause this!

[halivar]

Unused variables are warnings and not errors because their use is detected only heuristically and not conclusively. I'm not saying that's the case in the Linux kernel; only that it's a possibility.

Re:Poor choices to use proprietary cause this!

[chipschap]

But the real point, I think, is that even if everyone/most users can't fix a bug in open source code (similar to the prior poster, I've also fixed small and medium ones, but waited for fixes on complex stuff), there are people who can, and will, and do. Even though, for the really obscure things, that group may be small, there is no absolute dependence on some group that has access to closed source code. This seems like rather an advantage for open source.

Re:Poor choices to use proprietary cause this!

[ancientt]

Why are you bringing up the average user when he was talking about the end user who has a strong reason to keep something patched? That's comparing a Mint home user to someone running the distribution upgrade servers.

If you are in charge of managing an important system or network, then you can either fix the problem yourself, have your programming team fix it and commit the fix back to the upstream vendor or you can potentially hire the work out. Even if you are an average end user, you could actually fix it if you were willing to put in the work, however unlikely that scenario might be.

Re:Poor choices to use proprietary cause this!

[pr0fessor]

I'm surprised more people haven't responded that they already have contributed, given the way anything about a particular language turns into an argument.

I'm not a professional developer, but I have on occasion been the fresh pair of eyes that has spotted something that turned out to be an easy fix. On many more occasions I have found bugs that were out of my league.

Re:Poor choices to use proprietary cause this!

[unrtst]

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Trolls that keep posting crap like this should eat their own dogfood - try it yourself before extolling the horrors, and try it with both the closed source product and the competing open source one. I've done this. IME, you're full of shit.

It's also worth noting that the bug was reported over 90 days ago. "proper fix takes ages"... results will vary wildly depending on the product, the bug report, and the bug, but the majority would be addressable well within that time frame. In most cases, you won't have to do anything as the maintainers will handle it, just like (a good) closed source maintainer would.

Re:Poor choices to use proprietary cause this!

[Dishevel]

10,000 times more people are able to fix an issue in Linux than in Windows. So a single individual may be limited but the community is much stronger.

Re:Poor choices to use proprietary cause this!

[nobuddy]

Sorry you got lost. Tumblr is three doors down, on the right.

kthx, bye.

Re:Poor choices to use proprietary cause this!

[Dishevel]

Linus is an ass. He never seemed racist or filled with hate for women.

Maybe you just spend too much time pulling statements out of your ass?

Re:Poor choices to use proprietary cause this!

[Dishevel]

WOW! I have mod points quite often. Rarely have I wanted them more than now.

Gratz. You sir are a thinking and evolving being.

Re:Poor choices to use proprietary cause this!

[gatkinso]

>> the linux kernel source code is riddled with unused variables...

One would think that the linker would eliminate most of this. Not sure about the unspecified "unfixed and seemingly minor issues which collectively represent security vulnerabilities."

As far was the warnings go - most of those that I see are in the modules, not the kernel itself.

Re:Poor choices to use proprietary cause this!

In addition, unused variables may be the beginnings of an update that hasn't been finished.

Besides, the kernel isn't "riddled". Yes, there are a few places that DO have them. And in some cases, they are actually errors from patches removing old code that missed removing the variables used.

Re:Poor choices to use proprietary cause this!

Linus just doesn't put up with crap.

Re:Poor choices to use proprietary cause this!

[strikethree]

People talking about the wonders of open source should do an experiment where they personally actually fix some little thing in one open source project.

Hm. Back when I decided to build my own Linux based computer from source code, I did a lot of tweaking to the sources for a lot of the software that I decided to run. It was not terribly hard and it made the entire user experience amazingly awesome.

Now I am just pissed off. What with the removal of the ability to ctl-alt-backspace out of X (yes, i can add it back in) and "systemD integration" (yes, I can currently avoid it entirely) and other such nonsense like Gnome going off the deep end (nothing I can do about that but fork it), why even bother with Linux anymore? There is way too much to tweak and fix now. Stuff that should NOT NEED to be tweaked and fixed when it was already working.

Re:Poor choices to use proprietary cause this!

[Dagger2]

Because FOSS still doesn't place some arbitrary BS restriction on fixing stuff.

Yes, it's true that a lot of users won't have the knowledge to do it, or won't be competent enough. Heck, even the people who can fix bugs won't have the time to fix every bug they encounter. But at least FOSS doesn't just outright ban you from doing it.

Re:Poor choices to use proprietary cause this!

Sounds like the opposite to me.

A victim of applications and history

[Junta]

This seems to come out of the peculiar microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in an non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to it's application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

Re:A victim of applications and history

[cnettel]

This seems to come out of the peculiar microsoft feature of being able to be an administrator user but without administrator privilege most of the time except when needed, and a lot of work to make this escalation happen in an non-intrusive fashion or be faked depending on context. It's a really complicated beast that no other platform tries to do.

MS up to and including XP (excluding the DOS based family) basically had the same as everyone else, you either were an administrator or you weren't, with facilities to 'runas' an elevated user to handle as-needed. The problem being they had tons of software from the DOS based system failing to use the right section of the registry and filesystem, requiring people to go through pains to run as administrator to run a lot of applications. This meant that most XP users just logged in as administrator.

To mitigate it, they embarked upon crafting this fairly complex thing to make running as administrator user safer most of the time. It's funny because at the same time they started doing more and more to allow even poorly designed DOS-era software to run without administrator. They create union mounts to make an application think it can write to it's application directory even when it cannot (and do sillier things like make 'system32' a different directory depending on whether a 32 or 64 bit application is looking). I do the atypical usage of a non-administrator user full time with UAC prompts nagging me about passwords if needed, and nowadays it doesn't nag any more than sudo does in a modern linux desktop. If I understand this behavior correctly, this usage model might be immune to this risk factor.

While impersonation and other techniques is used a lot more and including larger portions of the API, impersonation itself has been along since NT 3.1. Are you a file server process serving a request from a client? Just create an impersonation context for the user who sent the request and pass that along to the file system. You only need to make sure that you create the right context and tell other services on whose behalf you are doing this. This is not identical to setuid and similar, most importantly because a single thread can keep many impersonation contexts.

That this is part of the application compatibility cache service is almost coincidental, the real problem is in the fact that impersonation services are used, but used incorrectly. Impersonation was part of the original NT design, and for relatively good reason.

Re:A victim of applications and history

This is not a UAC exploit. A non-admin user can use this exploit to run something as local system

Re:A victim of applications and history

[ceoyoyo]

You should type "man sudo" sometime.

Re:A victim of applications and history

While some have clarified that impersonation is more complex than just how it is used in the context cited, sudo is very different than the authorization model that ms uses to have an administrative user logged in but not blindly allow whatever activity to do admin things... Usually.

Re:A victim of applications and history

But it exists because UAC exists. The entire infrastructure being exploited would have no business existing in this manner if UAC were not present in the codebase.

Re:A victim of applications and history

Works very much like the original NFS services...

Which has already been left behind due to the security failures it promoted.

How exactly do you

"undisclose" something? Did they send one of those worthless "recall email" things?

Might not be serious by itself.

[140Mandak262Jamuna]

It does not appear to be a serious hole by itself. Microsoft claims you need a valid log-on to exploit this, In reality all you need to do is to get your code run in a machine with the privilege of ordinary user. There are ways and other vulnerabilities to do it. There are numerous holes where the browser executes supplied malware from the net, without admin privileges. These two holes, when combined forms a serious threat.

undisclosed

[bug1]

"Google's security research database has after a 90 day timeout automatically undisclosed a Windows 8.1 vulnerability"

"undisclosed
adjective
1. not made known or revealed: an undisclosed sum"

From that description i assume google has a database of recent security vulnerabilities (from the last 90 days).
Vulnerabilities are immediately public information, then after 90 days they are removed from the list as they arent recent, and assumed to be patched ?

OR

Its the opposite and the person writing the description for the story should have said disclosed instead of undisclosed.

(sarcastic comment about reundisclosing the vulnerability so they can redisclose it in another 90 days)

Re:undisclosed

You are so cool can I be you! I mean like really?

p.s there are at least two glaring mistakes in your own post.

Not fixing it . . .

. . . might be a worse idea.

3 months

That is probably not enough time.

UAC at highest level prevents it

If you change your UAC to highest level (mine is such for years) UAC warns you before you run the executable.

Re: GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS

Umm... I get your point about censorship. But coming up with a definition isn't particularly hard in this case. And that's where you leave it. Not every trolling comment needs to be deleted. Only the ones that rise past a clear definition.

As SCOTUS has said, I don't know how to define obscenity, but I knownit when I see it.

Re: GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS

Not every trolling comment needs to be deleted. Only the ones that rise past a clear definition.

10 GOTO HELL!
20 GOTO 10

  Censorship must never be allowed, ever! We need to make the internet absolutely indelible AND universally accessible. This is the utmost of importance. All people who want ANY kind of censorship should have their hands cut off! Fuck them all sideways!

Re: GAY NIGGERS OF THE WORLD UNITE! FUCK STRAIGHTS

[The+Fifth+Man]

So why does /. censor posts in gender politics threads? They do selectively run a script in some threads. In the case I'm talking about, it will ghost posts that use ess jay doubleyew (social justice warrior). They DO censor. This isn't hypothetical.

Your planet is scheduled for demolition

Prostectic Vogon Jeltz:
There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years so you've had plenty of time to lodge any formal complaints and its far too late to start making a fuss about it now.

Flaw in the open source argument

Lets say I am a consumer having routers running Linux and even if I knew about developing in some manner, I wouldn't necessarily have time or interest to start fixing bugs in gear running platforms that might require a complete recompilation and setting up a remote-build system and what else.

Contrast this C/C++/open source model to a model where operating system and everything was written in eg. variations of C# called M# that was used to develop a real operating system.

In this managed language model, if my router or phone etc has a bug, I can download the affected binary from the router and get back source code that's readable enough that I could actually make larger changes to it and send it back to the router. Yes. You could do this with IDA pro but having actually tried it, I can tell you it's nowhere as easy as with C#.

Re:Flaw in the open source argument - addendum

by "readable enough" I meant that with C# (and probably Java etc) you can decompile binary, get back good enough source that you can in few minutes be recompiling it again. The only problem would be if the OS used signed executables and would not allow replacing the executables with ones that you self-signed. So while waiting for official patch, you'd have to set the OS into a mode that accepts self signed executables. This certificate for self-signing could be put into the hardware cert store through a firmware interface pre-boot. This way the entire system would stay secure despite using self-signed modded OS dll's.