Slashdot Mirror


Google Releases More Windows Bugs

An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.

263 comments

  1. No evidence by Anonymous Coward · · Score: 2, Funny

    Microsoft: "There's no evidence these flaws have been successfully exploited."
    Google: "Then why are you wearing that fake mustache and goatee?"

    1. Re:No evidence by RelaxedTension · · Score: 5, Insightful

      "Microsoft says there's no evidence these flaws haven't been successfully exploited."

      FTFY.

    2. Re:No evidence by Anonymous Coward · · Score: 0

      How about Microsoft just man up and respond instead, "We have been working diligently to address this issue. A patch is being validated now and will be released in the near future." AND actually be at that stage of patching since they have had 90 DAYS ALREADY to work on the issue.

    3. Re: No evidence by Anonymous Coward · · Score: 0

      They did. Google knew that the patch was under testing and would be in the Feb 10th patches. It would've already been released, but they identified compatibility issues and delayed until those were resolved. Google was made aware of all of this, yet Google decided that 90 days is 90 days and fuck the response or consequences.

    4. Re:No evidence by Anonymous Coward · · Score: 0

      You're the kind of person I don't serve at parties because we're all out of prune juice and the bitches are taken.

    5. Re:No evidence by Anonymous Coward · · Score: 0

      Only children go to parties.

    6. Re:No evidence by v1 · · Score: 2

      Microsoft says there's no evidence these flaws have been successfully exploited.

      "...so we're going to wait until the bot herders have sucked in a few million more machines before bothering to patch it."

      WHAT is WRONG with you, ms?? If I'm reading that right, google is doing precisely what is necessary to light a fire under MS's ass to get the bugs fixed. It isn't really even that. They're basically telling us they don't consider it to be a big deal until it starts getting exploited. By making that comment, they completely justify (and encourage) Google's actions.

      --
      I work for the Department of Redundancy Department.
    7. Re: No evidence by Anonymous Coward · · Score: 0

      Oh well. MS should do a better job next time.

      I get the impression, as a consumer, you're pissed off at Google, but I don't see why. Surely, again assuming you're an MS consumer, why would you not want your MS products to be more secure? Even if you aren't an MS consumer, why would you want MS consumers to be vulnerable to these exploits?

    8. Re:No evidence by Anonymous Coward · · Score: 0

      Being that the reason we bring our own booze and bitches on those parties.

    9. Re: No evidence by Anonymous Coward · · Score: 0

      Actually, the NSA asked Microsoft to delay the patch so they could exploit it.

    10. Re: No evidence by Anonymous Coward · · Score: 0

      Why? Because with a patch imminent whose timetable wouldn't be sped up by publicly releasing the information, all that release did was empower those who would use the information for nefarious purposes. Are you really that dumb?

    11. Re:No evidence by niftymitch · · Score: 1

      "Microsoft says there's no evidence these flaws haven't been successfully exploited."
      FTFY.

      Anyone that runs a web server or other interactive device on the internet and also looks at their logs knows that the list of exploited flaws in all types of systems is best enumerated by counting on both fingers and toes in binary. The data that flows past a company like Google is astounding. Mostly we hear about some engineer discovering a bug by inspecting code. What we do not often hear is the cases where honeypots watched by "G" or "deep web exploration" discover who, what, how and where... We also do not see disclosures where a TLA agency sends a confidential email to an engineer at a security company that then files the bug.

      N.B. the banner that Google pops up and announces that this site is a risky place to go and that it has been found to serve up malware and other bad code.

      This is a big problem and perhaps the #1 external issue of any web based company. Especially one that is constantly under attack from all the corners of the globe.

      I happen to have grown fondish of some of the Windows-only application tools. That list of applications grows despite my personal preference for a *nix OS. I always ask the vendor for non-Windows tools....

      Given the quality of engineers I personally know that work at MS I can only assume that there is an astounding failure by management to improve the product and its foundations.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  2. Is that a typo? by colordotmatrix · · Score: 0

    Shouldn't that read:

    Microsoft releases more windows bugs?

    Google isn't writing code for Microsoft, is it? :-)

    1. Re:Is that a typo? by mrchaotica · · Score: 2

      It should read "Google discloses more Windows bugs."

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:Is that a typo? by binarylarry · · Score: 4, Informative

      From the bug link:

      This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:Is that a typo? by Anonymous Coward · · Score: 0

      Or, more accurately, it should read "Google releases info about more windows bugs".

    4. Re:Is that a typo? by unixisc · · Score: 1

      More like Microsoft writes the software and Google adds on the bugs ;-)

  3. Evil corporation cage match! by Anonymous Coward · · Score: 1

    Yay! (gets popcorn!)

    And yes - Google is just as much an evil corporation as Microsoft. Hell, given Google's business model is selling YOUR privacy, they're probably MORE evil.

    1. Re:Evil corporation cage match! by jellomizer · · Score: 2, Insightful

      Like Bing doesn't sell data it collected either.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      And that fact negates the OP's comment how? At least MS has an income stream other than leveraging your data to better serve ads.

    3. Re:Evil corporation cage match! by turbidostato · · Score: 2

      "And that fact negates the OPs comment how?"

      By stating that since Microsoft business practices equal those of Google and then more, it can't be followed that Google is any more evil than Microsoft.

      Signed: Captain "So I thought" Obvious

    4. Re:Evil corporation cage match! by nedlohs · · Score: 2

      Because the claim was "they're probably MORE evil" which is a relative claim and hence "they do it too" is in fact a valid argument.

    5. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      Such horseshit. Which MS Reputation Management firm are you with again?

    6. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      Such horseshit. Which MS Reputation Management firm are you with again?

      There are two sides to this:

      1) Some Slashdot posters far too quickly turn to the claim of (paid) "shill" for posts they don't agree with. It is intellectually lazy and sort of a Slashdot version of Godwin's law.

      2) As someone who has worked with communication at a fairly high level at a large vendor -- *if* Microsoft actually pays someone to sit and post at Slashdot, someone there is seriously stupid at wasting money. Yes, there are fake posts on the internet, but targeted at far more cost-effective places than the obscure little cult site that we really are.

    7. Re:Evil corporation cage match! by jdawgnoonan · · Score: 4, Insightful

      But to my knowledge that is the only way Google makes any money at all, and, since Google has a higher market cap than Microsoft who also sells a lot of for profit software, I can only assume that Google sells a lot more information. Every tool Google provides for consumers is a data mining tool that is funded solely by data mining. Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.

    8. Re:Evil corporation cage match! by El_Muerte_TDS · · Score: 1

      Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.

      For now. For example, Microsoft no longer sells a non-service version of MS Office.

    9. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      But I thought nobody uses bing? Now suddenly Bing is on equal footing? hehehe .. always interesting to see how google cheerleaders get twisted to deflect blame..

      anyway.. last I checked MS is an actual technology company.. whether you like them or not.

      All google does is try to insert themselves between you and your data and then make advertising profiles on you and sell them. what a horrible and disgusting "business" model.

    10. Re:Evil corporation cage match! by Ravaldy · · Score: 1

      I think long term Google will be worse than MS since it owns access to information and online marketing. At least with MS, you had alternatives. With Google, if you don't use Google to advertise online, your target audience won't find you.

    11. Re:Evil corporation cage match! by jdawgnoonan · · Score: 1

      Office 365 is not a data mining tool. It is a paid subscription to the latest version of Office and allows you to install on multiple machines. And you can still buy Office as a single license that is not a part of the subscription model. Also, any version of Office, 365 or otherwise, allows you to save everything on your own machine or out on OneDrive.

    12. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      There are two sides to this:

      Three sides.

      3) MSFT doesn't need to pay because it actually has its own fanbois, as creepy and bizarre as that may seem.

    13. Re: Evil corporation cage match! by Anonymous Coward · · Score: 0

      The strength of your argument is apparent by the straw men you just knocked down with it. I am in awe.

    14. Re: Evil corporation cage match! by Anonymous Coward · · Score: 0

      Or maybe solipsism is an inaccurate worldview and those are actually the true opinions of real people.

    15. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0
      > owns access to information

      Get real - anyone can build a search engine. Yes it takes a lot of resources to make it good and Google has a big head start, but no way that they're invulnerable. Earlier search giants have fallen by the wayside.

      What brilliance was the root of Google's success? Something as simple as a minimalistic clean GUI.

    16. Re:Evil corporation cage match! by bgarcia · · Score: 4, Informative

      I can only assume that Google sells a lot more information.

      Google collects information. Google uses that information to determine what ads to show users. But unlike other companies, Google does NOT sell that information.

      --
      I'm a leaf on the wind. Watch how I soar.
    17. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      Microsoft even gets Windows 8 and 8.1 users' information from Bing searching inside Windows, and other data when they are logged in with Microsoft Passport.

    18. Re:Evil corporation cage match! by mythosaz · · Score: 1

      WUT?

      You can buy 2013 in non-subscription, non-365 versions.

    19. Re:Evil corporation cage match! by Cro+Magnon · · Score: 1

      Last I heard, they still sell Office 2013, though they're trying to push 365.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    20. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      I'm sure they do. But I still believe Google does orders of magnitude more privacy invasion than Microsoft.

      Google has carefully cultivated a geek-friendly image that has ingratiated them with the nerds of the world; nerds now too besmitten to rationally assess what's actually taking place.

    21. Re:Evil corporation cage match! by chadenright · · Score: 1

      +1

    22. Re:Evil corporation cage match! by david_thornley · · Score: 1

      That's one theory, sure.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    23. Re: Evil corporation cage match! by Anonymous Coward · · Score: 0

      Hahahahaha, I haven't laughed that hard in a long time. Thanks.

    24. Re:Evil corporation cage match! by hattable · · Score: 1

      Then don't use google. Dammit people this isn't victim shaming, you are explicitly choosing to use google services, google ad supported web sites, and agreeing to their terms when you do so. Access to information may be a basic human right, but being given access to a private company's indexed version of that is not.

      Also they don't sell your information, they sell your viewership. They are the endpoint advertising agency not a separate company collecting and providing data to an advertising company.

      --
      OMG facts!
    25. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      Correction: Microsoft sells stuff you can buy, and then STILL sells all your data, exactly like Google does. Ex-Microsoft here, just to lay it out there.

    26. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      Microsoft's market cap, at 374.88 B, is currently higher than Google's, at 341.75 B. Microsoft's P/E, 18.11, is also better than Google's 25.75.

    27. Re: Evil corporation cage match! by Anonymous Coward · · Score: 0

      Or maybe solipsism is an inaccurate worldview and those are actually the true opinions of real people.

      I've seen posters with *years* of posting history that was pro-Linux and OSS being called shills because they dared to try to correct misinformation about MS technology being discussed in typical 'everything M$ suxxor' fashion.

    28. Re:Evil corporation cage match! by Anonymous Coward · · Score: 0

      Oh yes, and these targeted ads - they just magically appeared before you.

    29. Re: Evil corporation cage match! by Anonymous Coward · · Score: 0

      You're assuming Bing has users to harvest data from...

    30. Re:Evil corporation cage match! by Uzuri · · Score: 1

      You can't not use Google without not using most of the Internet (assuming for the moment that you don't use something like RequestPolicy to blacklist/whitelist, which is generally too much for most normal folks). It follows you around via Google Analytics, embedded maps and calendars, Google fonts... other people are making the choice to give your browsing information to Google (and Facebook, and Twitter). Same trouble if you ever email anyone with a GMail address or need to collaborate with someone via Google Drive/Docs. You're kinda stuck.

      --
      I'm a she-slashdotter... but I make up for it by living with my folks.
  4. Hope the trend continues. by 140Mandak262Jamuna · · Score: 5, Interesting

    I wish Apple would also pitch in and find and publish bugs in both Windows and Android. And Microsoft to retaliate by finding and reporting bugs in Android and Apple. In the end we as consumers will benefit. This should become the norm. No longer do minor players report possible bugs while the clock does not run till the company "accepts" that there is a bug.

    Free markets! Competition!! That is what made America what it is.

    I wish such fierce competition exists in all spheres of the economy.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Except without the public posting of them. It takes time to get personnel assigned to track down and then fix a bug. And then put it through testing. That time doesn't always fit into this 90 day timescale Google is holding them to.

    2. Re:Hope the trend continues. by Anonymous Coward · · Score: 1

      Why isn't Microsoft finding these bugs in their own products ?

    3. Re:Hope the trend continues. by Anonymous Coward · · Score: 3, Insightful

      THIS is the issue. NOT finding and disclosing.

      Both times MS has had a fix ready (last time) or in the pipeline (this time, fix started but not ready due to bugginess).

      "90 days, or DIE!!!" Rules should have exceptions, especially if the companies have been responsive AND have good reasonable reasons for a delay - which does include MS.

      Disclosure for a bug that's being worked on? While refusing to fix bugs in your own software?

      Bad Google BAD! *Smacks the nose*

    4. Re:Hope the trend continues. by iggymanz · · Score: 2

      sitting on a macpro here at work, I'd say let's just have Apple fix yosemite bugs and problems. Not worrying about a dust speck in someone else's eye while they have two by four in their own

    5. Re:Hope the trend continues. by turbidostato · · Score: 5, Insightful

      "Except without the public posting of them."

      Except the menace of the public posting seems to be the only way for the vendor to move forward.

      It's my bet that if Microsoft were doing their best effort to patch the bug and keeping Google informed about it and the expected resolution time, they wouldn't have released the information.

    6. Re: Hope the trend continues. by wrf3 · · Score: 2

      Those who might exploit the bug won't wait for the vendor to get its act together.

    7. Re:Hope the trend continues. by CaptainDork · · Score: 1

      It's much cheaper to have someone else do it?

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re: Hope the trend continues. by Anonymous Coward · · Score: 0

      And those who exploit bugs don't really need Google helping them out by publishing not just the exploit, but sample code on how to do it.

      Google really needs to clean up its act (e.g. Android and its complete and utter lack of security) before it starts casting stones at others.

    9. Re:Hope the trend continues. by Twanfox · · Score: 3, Informative

      Someone who didn't read the article. One of the comments in the 'more serious of the two bugs' indicated that Microsoft INFORMED them that the patch was lined up for January, but was pulled and rescheduled for February. You lost your bet, by Google's own bookkeeping. Try for another?

    10. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Except this: http://blogs.wsj.com/digits/2015/01/12/google-not-fixing-some-old-android-bugs/

    11. Re:Hope the trend continues. by rsmith-mac · · Score: 2, Insightful

      Bad Google BAD! *Smacks the nose*

      In all seriousness, when the hell did we vote an advertising company as the security czar for the Internet?

      Not only is releasing right now stupid - patch Tuesday isn't for another month, so they've just done maximum damage - but we've seen what happens when outside forces try to rush MS security patches. Things get broken in hilarious-but-awful ways.

      When you're dealing with a codebase as large as Windows and have to maintain compatibility across an impossibly large array of hardware configurations, 90 days (really more like 60, depending on when PT falls) is not going to be enough time to patch and fully test every flaw.

    12. Re: Hope the trend continues. by Anonymous Coward · · Score: 0

      Didn't Nadella axe most of their testing dept some months ago?

    13. Re:Hope the trend continues. by freeze128 · · Score: 4, Insightful

      Google's system for making exploits public is *AUTOMATED*. This is like a passenger in an elevator trying to convince the elevator to go back down while it's already in the middle of its trip to the top floor. You can throw a tantrum, but it's just not going to make any difference.

      Microsoft was informed of the issue, and developed a patch, but it was due to Microsoft's own internal policies that the patch could not be included in the monthly update. There was probably some internal cut-off date or some other bureaucratic bullshit that prevented it. Google doesn't care about Microsoft's internal BS. Why should it?

      Microsoft could have released the patch as an out-of-band update. Google wasn't insisting that it be released on the monthly schedule.

    14. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Why isn't Google fixing their own bugs first instead of finding them in others' software?

    15. Re:Hope the trend continues. by sumdumass · · Score: 1

      What if the check was in the mail and the dog did eat your homework because you got pizza grease all over it and he loves pizza too?

      Or would you prefer reading about how a security patch made you think you were fixed but wasn't, or even how it bricked your system because instead of a few more weeks to get it right, they had to rush it out?

    16. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Flaws should include personal data leakage without my consent, too.

    17. Re:Hope the trend continues. by slashdot_commentator · · Score: 1

      Boo hoo. So the alternative is to allow Microsoft's entire customer base to be hacked at will, because Microsoft doesn't want to dedicate the resources necessary to resolve a coding issue within 90 days? Security by obscurity.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    18. Re:Hope the trend continues. by Ravaldy · · Score: 1

      Apple won't fix shit. Their team doesn't have the experience to deal with the complexity MS has to deal with. Jeez, they couldn't even make iOS 6 run smoothly on the 3GS phone, which turned most of those phones into slow ass pieces of shit. Don't get me started on the last big iOS release or the map issues they encountered!

      MAC deals with a very limited scope of hardware and a limited number of permutations which in turn reduces the complexity of any patch. MS on the other hand has to deal with billions of permutations in addition to the cross platform compatibility and the large range of products affected by any library change they make. Linux has the same issue but Linux doesn't have the customer base or the same responsibility towards its customers.

      So you sitting in front of a MAC and making it sound like our lives are hell compared to yours just tells us how ignorant you really are about the world of PCs.

    19. Re: Hope the trend continues. by slashdot_commentator · · Score: 1

      The sample exploit code is necessary because the corporate response after "I need more than 90 days" is "oh, it's not a serious security bug".

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    20. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      And yet:

      http://arstechnica.com/security/2015/01/google-wont-fix-bug-hitting-60-percent-of-android-phones/

    21. Re:Hope the trend continues. by MightyYar · · Score: 2

      As the article you linked suggests, what good would a fix do? The whole reason that someone might still be running 4.3 or below is that the phone manufacturers do not push updates. Google could fix 4.3 and below, but the manufacturers are no more likely to push that update than they are to just push a higher (and thus supported) version. The vast majority of people installing their own firmware aren't going to cry over 4.3, either. Why install a custom ROM with an obsolete Android?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    22. Re: Hope the trend continues. by sumdumass · · Score: 1

      I'm curious if the exploits can be used to correct the encryption installed by ransomware criminals.

    23. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Write me a two-thousand page book on the history of man, without plagiarizing any part of it in two minutes. What you don't want to dedicate the resources to do that? Sometimes deadlines are impossible and your best isn't good enough.

    24. Re:Hope the trend continues. by dkman · · Score: 1, Insightful

      I'd rather that the 90 day clock have a snooze for 30 days option, so it's not disclosed to everyone. I'd rather that the developer (even MS) have time to fix it right rather than rush a fix that needs a later fix or a fix that breaks something else.

      Sometimes you need to dig through code and figure out what the hell's going on so you can figure out why it's broken and fix it. And it's not like Google is the only one submitting bugs.

      --
      I refuse to sign
    25. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      We didn't, they just do a better job at security than anyone else, because they actually care.

    26. Re:Hope the trend continues. by chis101 · · Score: 1

      Why install a custom ROM with an obsolete Android?

      I still install new custom ROMs with obsolete Android because it runs much smoother on my obsolete hardware. (I'm only addressing your last question here, I don't really have an opinion one way or the other about the rest of the post)

    27. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Or "I came in your mom's mouth last night". Oh wait, that really happened.

    28. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      It takes time to get personnel assigned to track down and then fix a bug. And then put it through testing.

      Except someone ELSE has taken the time to track down the bug. They'd only need to perform steps (2) and (3) which, you'd hope, a large software company should be able to squeeze into 3 months.

    29. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Disclosing a bug is one thing, but do they have to publish how to actually exploit the bug? That type of behavior smacks of being supremely unprofessional and in turn raises the chances of someone repaying them in kind. Especially knowing that the exploit in question is being addressed and tested. Regression and compatibility testing across the entire MS platform is not something done in a few days, and rushing out a patch in panic mode usually results in creating even more serious problems downstream. It seems the world's largest advertising company has decided to adopt the practices of advertisers who push the limits and often exceed those limits in attempts to manipulate the masses in any way they can to benefit their brand name.

      And irresponsible acts such as this do not result in better security. It results in people actually exploiting these bugs during the time between disclosure and fixes. That window is all it takes to cause harm and the cycle will repeat itself endlessly since the rarest thing in the world today is bug free software.

    30. Re:Hope the trend continues. by afidel · · Score: 1

      If Google fixes it in AOSP then you can at least grab a fixed version with Cyanogenmod or other custom builds. At least for tech folks the main thing holding them back from moving up may be device drivers for the newer kernel.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    31. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      I fail to see how this excuses Google. They just lazily automated a system to tell the world about security vulnerabilities, and didn't think to allow it to delay those reports? That's the stupidest thing I've heard in a long time. You're really making them sound far worse than Microsoft, who at least decided to take the time necessary to make sure the patch causes fewer problems than it solves. You can whine all you want about Microsoft, but Google are clearly only exacerbating the problem, not helping to solve it.

    32. Re:Hope the trend continues. by chadenright · · Score: 1

      This is a very responsible (from Google's point of view) attack on a rival company by Google. If Microsoft loses Windows customers, Google gains Android customers. There is no losing scenario for Google by doing this -- they make Microsoft look bad, encourage hackers to target Microsoft products, and drive customers away from Microsoft and towards Google. To be fair, they did in fact give MS a 90-day window (ahem) to fix this bug, rather than making it public as soon as they found it, which they also could have done and which would have had a comparable benefit for Google.

    33. Re:Hope the trend continues. by EndlessNameless · · Score: 1

      If the company had a history of never patching vulnerabilities or even being spotty and refusing to support new products, then it makes sense to out them immediately.

      But Microsoft has been issuing monthly patches for supported versions of Windows for years.

      Yes, they'll delay or rescind a patch once in a while when it breaks things. Any company can be in that position though, and that's OK too provided they reissue a good patch when it's ready.

      Instead of publishing exploit details and POC code automatically after 90 days, they should publish mitigation measures immediately (to actually help admins secure their assets) and sit on the more technical details for longer than 90 days if they reasonably expect the vendor to issue a patch. Maybe set a hard cap of 180 days to avoid being strung along indefinitely. While 90 days is a good starting point, no two bugs are the same.

      An automatic one-size-fits-all approach is draconian and stupid. Some bugs require multiple rounds of testing because things get broken unexpectedly by the first "fix". Large software projects often end up with hidden dependencies that complicate bugfixing; it's a fact of life, and ignoring reality in favor of ideologically-driven rules usually ends poorly.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    34. Re:Hope the trend continues. by ChunderDownunder · · Score: 1

      Call it an act of faith.

      If patching old code does motivate even one vendor/carrier to get off their arse and release a security update then success...

    35. Re:Hope the trend continues. by david_thornley · · Score: 1

      It's an automated system? Who automated it? The passenger you refer to didn't design the elevator. It was Google's decision to create this process.

      Microsoft developed a patch, but didn't do it quite right and missed last Patch Tuesday. People in software make mistakes all the time.

      Microsoft established Patch Tuesday for reasons, primarily to allow admins to plan testing of security updates and the like. You're saying Microsoft has to abandon that because Google can't automate a process decently.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    36. Re: Hope the trend continues. by david_thornley · · Score: 1

      This is necessary if the vendor blows off the bug report. It is not necessary if the vendor is actively working on the problem and has a scheduled fix release date.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    37. Re: Hope the trend continues. by Anonymous Coward · · Score: 0

      But that wasn't corporate response.

    38. Re:Hope the trend continues. by slashdot_commentator · · Score: 1

      Posting notices of critical security flaws after giving 90 days for a company to fix it is security researchers' way to tell CORPORATIONS how IMPORTANT it is to design and release secure products.

      If you don't do it, marketing will say that security flaw X can't be fixed because too many customers depend on the "insecure" feature. And the COO will say, "why can't you reveal it one year later, so we don't have to hire 12 people to get a fix within 90 days? We can hire 3 people instead." Eventually, some jackass will say "Shoot the messenger! It's their fault bad guys can exploit our insecure product!" Meanwhile, customers and the internet community will be at the mercy of criminals, and critical infrastructure will be vulnerable to hostile, rogue governments.

      No company has a RIGHT to jeopardize computer security to ensure a profit, with underqualified developers and marketing deadlines. If you don't let the market determine security's value, then it will be up to civil lawsuits.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    39. Re: Hope the trend continues. by slashdot_commentator · · Score: 1

      And how do you prove they're working on the problem in a manner which will result in a quick resolution? Instead of hiring minimum wage flunkies to take calls and say "We're working hard on the problem. It's just a matter of weeks...".

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    40. Re: Hope the trend continues. by slashdot_commentator · · Score: 1

      That's what Microsoft's response was to one of the security bugs. And then they started bitching after Google produced an exploit based on that "trivial" bug.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    41. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Why are you defending a corporate entity that really does not care at all about you? Security by obscurity doesn't work, especially not for MS with their large customer base.

      There's also nothing stopping MS from setting up their own automated system to post exploits in Google's products. In fact this would probably be a good thing if it leads to companies responding more quickly to critical exploits.

    42. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      I'd agree if Microsoft had shown a modern desire to not patch their security bugs, and if Google was in any place to pretend they fixed their security vulnerabilities faster. They don't. They're so bad at it, in fact, that they can't even update Android devices, because it was easier to pretend the problem wouldn't exist and hide behind "it's not our fault, talk to your carrier" as a premeditated excuse. Google has no high ground here, especially since MS has a patch that just needs more time to fix, and Google is lazily hiding behind "it's an automated system" as yet another excuse. You know it's bad when people who loathe Microsoft are more disgusted by Google's behavior.

    43. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Nice rant, but the post you were replying to was suggesting that Apple had bugs and they might want to fix them. Then you ranted about how Apple creates buggy/shitty/slow software.

      I think you completely failed to understand the point of view of the post you were replying to, and you came across as a bit of a dick.

    44. Re:Hope the trend continues. by sjames · · Score: 1

      You should probably know that you cannot hire 12 or 3 people AND get them up to speed enough to fix the bug in 90 days. It'll take 30 to 60 just to hire them.

      There does need to be some kind of deadline or too many corporations will just pay a bit of lip service and forget all about it, but not everything fits neatly into a 90 day window that starts with no warning.

      Google is developing quite a rep for being impossible to reason with (literally, there exists no contact available to mere mortals for anyone who even has the ability to do anything about anything).

    45. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      This has been discussed before. The bugs not fixed in Android are not comparable. (It would be comparable, perhaps, if we were discussing a vulnerability that affected Windows XP and earlier. [Yes, mobile development is on much shorter lifecycles than desktop OSes.])

      And NO, I argue that there should NOT be exceptions. I shed no tears for Microsoft having to take on the enormous responsibility for developing and testing patches for complex software that runs on a vast variety of systems.

      Exploitable vulnerabilities should be taken seriously, and commensurate resources should be devoted to dealing with them within 90 days. Exceptions can foster complacency. Exceptions can encourage the bean-counters to cut the QA staff and processes... and then we end up with the lousy MS patches that were released recently. Yep, this'll cut into the bottom line... ain't that a shame.

      90 days is enough. Don't whine that software is hard. Fix the goddamn code and properly fund the QA teams with qualified MS employees.

    46. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      In all seriousness, when the hell did we vote an advertising company as the security czar for the Internet?

      C'mon. Yes, it's fashionable to take shots at Google for their use of data they acquire and their dominance of the advertising industry... But they are a technology company that bright and motivated computer science graduates want to work at, moreso than many others.

      Not only is releasing right now stupid - patch Tuesday isn't for another month, so they've just done maximum damage - but we've seen what happens when outside forces try to rush MS security patches. Things get broken in hilarious-but-awful ways.

      Why should we care about MS's precious patch schedule? The whole damn reason for public disclosure is to make it absolutely certain that the vulnerability is no longer a secret that an unknown number of parties are aware of. (Do you think there is a zero percent chance that these Google engineers were the only people who knew about this?)

      I don't have sympathy for Microsoft having to "rush" a patch. The problem is not the "rushing" - the problems are the policies and corner-cutting that impact the ability for qualified MS employees to properly handle the situation in the given time.

      So, if anything, 90 days should be the maximum time allotted for every security problem that MS is notified about. It should become the norm that MS is capable of handling these things in 90 days.

      MS needs to adapt. 90 days is enough.

    47. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Bitching about 90 days? The BASH bug was given 3 freakin days, then the shit hit the global fan and every microsoftie fanboi jumped and hollered from the roof top at the top of his lungs! You would have thought it was the beginning of world war 3! And it was partially fixed in 5 hours, and a complete fix was in after 23 hours. And the bitchy whiny "we want 90 days" microsofties still kept the swill flowing weeks after all the patches and fixes were in. Dirty mutherfuckers!

    48. Re: Hope the trend continues. by Anonymous Coward · · Score: 0

      What a stupid post...

    49. Re:Hope the trend continues. by OneSmartFellow · · Score: 1

      If the code is well written - I know, Windows ? - then tracking down and fixing a bug should take minutes, not months.

    50. Re:Hope the trend continues. by Psyborgue · · Score: 1

      No kidding. I've been considering returning to 10.9 considering the stability of Yosemite at 10.1 is what I'd expect from a preview image.

    51. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      You are asking the wrong question. We have a verifiable repeatable bug report. What should be the time to fix it? Probably two days to reproduce and another two to fix. Very occasionally it might take you another two weeks to be sure you fixed it because you found a serious complexity in missing functionality in your automated test suite.

      At that point the risk of not releasing has become greater than the risk of releasing. You still have two and a half months left in which the entire world's infrastructure is vulnerable to a serious attack. People who have important systems must have backups and if the upgrade fails they are responsible to recover. The question should be: "Why is Google sitting on information for those two extra months?". I can understand a one month release time. However 90 days is unacceptably long.

    52. Re: Hope the trend continues. by Anonymous Coward · · Score: 0

      The Mythical Man-Month. Go read it.

      Additional resources do not better software make.
      Rushing patches will end worse than in-the-wild exploits.

    53. Re: Hope the trend continues. by Anonymous Coward · · Score: 0

      If it matters, have more staff time available.
      Maybe retask the Windows 10 team to fix the bug. Sure, it might make Windows 10 3 months late to have the whole team fixing critical flaws, but look at it this way: if it takes the whole team three months to fix a bug, it was a big ducking nightmare of a bug if it took three months to fix.
      Not to mention any bug in Windows 8 is 99% of the time going to directly affect Windows 10.
      Finally, to the idiot that said "but patch Tuesday was two days away!"
      Guess what, a regular patch day is the worst fucking thing you can do for patch schedules. Guess what day the "bad guys" release that zero day back door crypto locker Trojan key logger? Precisely the day that is least convenient to fit into the patch cycle, to maximise the damage, knowing full well that unless it is super successful it is really unlikely Microsoft will patch it until next Tuesday.

    54. Re:Hope the trend continues. by stoatwblr · · Score: 1

      > "90 days, or DIE!!!" Rules should have exceptions

      Having been in this business for more than 30 years, I disagree.

      Having a fixed deadline to get their shit together not only focusses a company's attention on fixing the bugs, it also focusses their attention in not releasing bug-ridden code in the first place.

    55. Re:Hope the trend continues. by stoatwblr · · Score: 1

      > across an impossibly large array of hardware configurations

      Almost all the bugs so far reported are architecture-agnostic.

      The issue is (as always) that MS philosophy has always been "Ship it now, fix bugs later"

    56. Re:Hope the trend continues. by stoatwblr · · Score: 1

      > Eventually, some jackass will say "Shoot the messenger! Its their fault bad guys can exploit our insecure product!"

      Yup and this is a common tactic. More flamewars have erupted over publishing bugs than the actual bugs themselves.

      MS has historically been one of the worst offenders when bug-reporters have cooperated with them and not publicly disclosed. The record between "reported" and "fixed" is more than two years.

    57. Re:Hope the trend continues. by stoatwblr · · Score: 1

      "If the company had a history of never patching vulnerabilities or even being spotty and refusing to support new products, then it makes sense to out them immediately."

      Most bugs are trivially avoidable. MS has a sordid history of producing utterly buggy code with security tacked on as an afterthought.

      Just because a security researcher has reported a bug doesn't mean the bad guys aren't already using it.
      0-day means it was discovered because a bad guy triggered an alert.
      I've run into a number of reports/fixes (particularly on webservers) where looking at historic logs showed that attempts to use the exploit were made long before the researcher found/reported the bug.

      Bad guys have a higher level of motivation to find and exploit bugs than whitehats - and an even higher level of motivation to try and not be detected doing so.

    58. Re: Hope the trend continues. by sumdumass · · Score: 1

      Gee, that was fraught with insight. I bet your mom is so proud of you.

    59. Re:Hope the trend continues. by Anonymous Coward · · Score: 0

      Second! I'm ECSTATIC that Google is posting these bugs and making MS get off their butt. I directly benefit from this.

    60. Re: Hope the trend continues. by sjames · · Score: 1

      You should familiarize yourself with Brooks' Law:

      adding manpower to a late software project makes it later

    61. Re:Hope the trend continues. by SwashbucklingCowboy · · Score: 1

      "Google doesn't care about Microsoft's internal BS. Why should it?"

      Because releasing that data two days before Microsoft releases a fix makes the world less secure, not more secure. The point of doing that security research is to make the world more secure, then Google does stupid shit and does the opposite.

    62. Re:Hope the trend continues. by SwashbucklingCowboy · · Score: 1

      90 days is not a lot of time.

    63. Re: Hope the trend continues. by david_thornley · · Score: 1

      You start by giving them the benefit of the doubt. Then you observe the vendor's behavior, ask them questions about the bug, and find out how much benefit of the doubt they should get.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  5. 90 days may be a little short by Lawrence_Bird · · Score: 5, Insightful

    but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.

    1. Re:90 days may be a little short by Anonymous Coward · · Score: 3, Insightful

      If it can install itself when someone doesn't have admin rights, it's malware.

      You must hate *nix.

    2. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      Or just the host OS it's installed on is broken for allowing non-admin installation.

    3. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      Nope, just running on a broken OS

    4. Re:90 days may be a little short by quantaman · · Score: 4, Informative

      but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.

      From the article:

      In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

      "Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

      The next Patch Tuesday is scheduled for Feb. 10.

      So 90 days is an appropriate time to wait but not 106 days?

      It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly. I don't see the rationale for Google maintaining the hard 90 day deadline, maybe extensions allow some complacency on the part of the developer, but you're still not going to see them sitting on issues for months or even years on end. Meanwhile by publishing now Google has created one of two scenarios. 1) Users are going to be left vulnerable to unpatched zero-day exploits, or 2) users are going to break their systems by installing broken patches.

      It's not clear to me how this is better than sitting on the issue for another 26 days.

      --
      I stole this Sig
    5. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      So... standalone executables are malware. Riiight...

    6. Re:90 days may be a little short by Anonymous Coward · · Score: 5, Insightful

      This is a situation where the "slippery slope" argument really does apply. If Google is just going to sit on bugs until the vendor patches... they're going to end up with bedsores. And no one likes bedsores.

      Instead, they embarrass the vendors a couple times, and once heads are pulled out of asses and people realize they're not screwing around, they start taking these things seriously.

      That's my guess, anyway.

    7. Re:90 days may be a little short by CaptainDork · · Score: 1

      No.

      In effect, and in actuality, Google is being competitive.

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      Or just the host OS it's installed on is broken for allowing non-admin installation.

      And what non-broken OS does *not* allow a non-admin user to install an application?

    9. Re:90 days may be a little short by tlambert · · Score: 1

      From the article:

      In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

      "Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

      The next Patch Tuesday is scheduled for Feb. 10.

      So 90 days is an appropriate time to wait but not 106 days?

      It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly.

      Technically, it should have been in the November patch set, they should have found the compatibility problem in testing (as they did), and the revised patch should have been in the December patch set. Then the clock would have run out.

      So basically they *did* sit on their hands -- for two months.

    10. Re:90 days may be a little short by plcurechax · · Score: 1

      but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.

      From the article:

      In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

      "Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

      The next Patch Tuesday is scheduled for Feb. 10.

      So 90 days is an appropriate time to wait but not 106 days?

      Here is what Google used to say (circa 2010), from most of the same people who make up the Project Zero team (Chris Evans, Michal Zalewski, and others) AFAIK.

      Rebooting Responsible Disclosure: a focus on protecting end users:

      Update September 10, 2010: We'd like to clarify a few of the points above about how we approach the issue of vulnerability disclosure. While we believe vendors have an obligation to be responsive, the 60 day period before public notification about critical bugs is not intended to be a punishment for unresponsive vendors. We understand that not all bugs can be fixed in 60 days, although many can and should be. Rather, we thought of 60 days when considering how large the window of exposure for a critical vulnerability should be permitted to grow before users are best served by hearing enough details to make a decision about implementing possible mitigations, such as disabling a service, restricting access, setting a killbit, or contacting the vendor for more information. In most cases, we don't feel it's in people's best interest to be kept in the dark about critical vulnerabilities affecting their software for any longer period.

      Somewhere along the way they appear to have lost their senses, and enshrined 90 days as some written-in-stone deadline that makes no sense, and is counter to their stated objectives.

      Announcing Project Zero

      ... Our objective is to significantly reduce the number of people harmed by targeted attacks. ...We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.

    11. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      They have been sitting on their hands forever. If nobody holds them accountable, they will never change.

    12. Re:90 days may be a little short by c · · Score: 1

      So 90 days is an appropriate time to wait but not 106 days?

      I wouldn't be surprised if there was a "give an inch, take a mile" kind of situation, where they tried allowing some flexibility and got into a cycle where the vendor kept requesting more time each time around.

      --
      Log in or piss off.
    13. Re:90 days may be a little short by tlhIngan · · Score: 0

      This is a situation where the "slippery slope" argument really does apply. If Google is just going to sit on bugs until the vendor patches... they're going to end up with bedsores. And no one likes bedsores.

      Instead, they embarrass the vendors a couple times, and once heads are pulled out of asses and people realize they're not screwing around, they start taking these things seriously.

      You know, Microsoft told Google that yes, it was fixed. But you know what? They found a bug in the fix and they needed more time to fix it.

      So what do you want Microsoft to do - release a buggy patch that could kill PCs? Or ask for more time so they could fix it right?

      Now, Microsoft had to recall at least 3 patches in 2014 because of various issues. I'm guessing that the 90 day time limit was responsible - Google pressured Microsoft to release patches, and then they were insufficiently tested.

      And yes, it can take a LONG time to fix bugs. Especially if they're deep in the system, and the deeper they are, the more testing that has to be done because the likelihood of breaking stuff is bigger. And given PCs come in millions of configurations, testing is hard.

      I'm sure the time will come when Google bricks a bunch of phones because they updated Google Play Services because I'm sure Google doesn't test their update against every Android phone out there. Or they force the vendor to fix it.

      And yes, for bugs you want it fixed right. I mean, Shellshock took at least 3 different patches. The first patch didn't really work, the second patch was a workaround but still left the vulnerability in - it was just harder to exploit. And the third patch actually went and fixed the issue.

    14. Re:90 days may be a little short by Qzukk · · Score: 3, Informative

      One with user-writable locations not mounted noexec?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    15. Re:90 days may be a little short by praxis · · Score: 1

      Can it, though? I would imagine it writes to the user's home directory, which does not require root. Nor does running executable files owned by that user.

    16. Re:90 days may be a little short by Anonymous Coward · · Score: 1

      Shellshock took at least 3 different patches. The first patch didn't really work, the second patch was a workaround but still left the vulnerability in - it was just harder to exploit. And the third patch actually went and fixed the issue.

      All of which took, what, about 48 hours?

    17. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      It took 48 hours to make sure that all of the popular packages for all of the distros on all of the supported architectures work with the patch? Oh... you think your patch works because you checked in two lines of code into a git repository? Hehe.. you kids are so cute ..

    18. Re:90 days may be a little short by stephanruby · · Score: 1

      It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly.

      And you actually believe that?

      Many times, patches are just punted to QA even though the developer knows full well that they're not going to pass QA. After all, I should know, I'm a software developer myself. Also, I can tell you that finishing the last 10% of a project is always the hardest part. Maybe it's because we naturally like to work on the easiest parts of a problem first, or maybe it's because we don't actually start understanding the real requirements until we're almost finished with the project (therefore possibly requiring us to start all over from scratch), but whatever the reason is, I can tell you that a feature sitting in QA doesn't necessarily mean that it's almost finished, or anywhere close to finished.

    19. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      Nonsense. Who died and made Google the Microsoft bug police? What makes them a better judge of how long Microsoft needs to fix their bugs? If Microsoft starts stalling, then Google might at least have some flimsy justification for applying the thumbscrews. But this is just grandstanding. It's not like Google's pet MS bugs are the only ones that need patching, and it's not like Google doesn't have its own myriad security bugs to fix that take them longer than 90 days.

    20. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      Well - is this a case where MS didn't start working on the problem until Dec. 26th, because they "knew" it would take 2 days of coding, 7 days of regression testing (I'm pulling numbers out of someone's butt here - but you get the drift) - and Google KNEW they started late (phone call, email, snail mail, whatever), even though they were informed 90 days ago?

      Don't know about any other vendors for certain, but EVERY vendor I've worked with (disclaimer - I'm a programmer/blah/blah/blah), waits until the last possible moment to do a fix, because some manager in a meeting said "how long will it take", and some poor fool HAS to give an answer to the question, so they pull some numbers out of their a**, and still utter a disclaimer which is NEVER heard. So, management schedules it for the latest possible moment so it doesn't disrupt their other schedules and carefully laid plans. That pretty much sums up every place I've worked, and most every place I've heard someone talk about this general topic. Works for general bugs and security issues both.

    21. Re:90 days may be a little short by hattable · · Score: 1

      This allows a company to devote minimal resources to these bugs as long as they tell the would-be-disclosing-org that "something" is "in the works." Never mind that every bug ever submitted is in Phil's queue and he has a backlog of 2 years. It is still in the works! What more can Google want from us?!

      --
      OMG facts!
    22. Re:90 days may be a little short by david_thornley · · Score: 1

      If the vendor isn't responding, sure, publish after 90 days. If the vendor makes a habit of asking for one-month extensions indefinitely, publish. If the vendor has specific plans and schedules, and has a history of doing more or less the right thing, which describes Microsoft here, sit on the disclosure for a little more time.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    23. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      The real problem is this stupid Patch Tuesday mentality, and hardly anyone questions it. Idiots are blaming Google for releasing details well in advance of "Patch Tuesday", however it's clear at this point that MS have a tested fix in the pipeworks, but don't plan to release it until next "Patch Tuesday". The real issue is Microsoft red tape. If it's done, just fucking release it already!

    24. Re:90 days may be a little short by MikeBabcock · · Score: 1

      The only reason it's 106 days is because Microsoft doesn't send out patches when available but makes them 'convenient' on Patch Tuesdays. If they felt like it, they could release that patch today.

      --
      - Michael T. Babcock (Yes, I blog)
    25. Re:90 days may be a little short by Actually,+I+do+RTFA · · Score: 1

      Google will never be in that position because they explicitly stop supporting all phones like 3 seconds after they sell. No more security updates, none.

      They also can ignore any security holes because they're unsupported. (See recent stories).

      It's just the flip side of the "perpetual beta" mentality. Whatever else you want to say about MS, they have the balls to offer predictability and compatibility in a way that Google and Apple don't.

      --
      Your ad here. Ask me how!
    26. Re:90 days may be a little short by Actually,+I+do+RTFA · · Score: 1

      If only there was some way of using past performance by specific companies to establish whether exceptions are reasonable or not, given their past behavior of (a) asking for them, (b) delivering after receiving the 1 month extensions.

      That would take some company that could accumulate and parse data unfortunately.

      --
      Your ad here. Ask me how!
    27. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      Correct. Microsoft's problem is that they didn't prioritise this fix appropriately, probably gave it to a couple of newbies as a training exercise or something, with the entirely foreseeable result that the fix wasn't fit for purpose and needed to be redone. If they took the whole thing seriously from the start, they'd put appropriately senior talent on it, and the patch would've been released in December.

    28. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      The vendor had three months. They should have published on the first Patch Tuesday. If it went beyond the second then that is the time when they should use an out of band patch. Microsoft is basically deliberately and knowingly putting customers at risk in order to show Google that they won't be pushed around. Someone should sue them.

    29. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      One with user-writable locations not mounted noexec?

      If you are talking about a managed IT environment, you can lock this on Windows too. If you are talking about an OS that requires admin to install a program, you are talking about how Windows used to be and got a lot of criticism for.

    30. Re:90 days may be a little short by Actually,+I+do+RTFA · · Score: 1

      It's easy to argue against the stupidest implementation of a rule. Add in some human judgement, and the system is remarkably easy to solve. "Releasing in 106 days because at 88 days we found the cure was worse than the problem" is so qualitatively different from "it's in our lone developer's backlog" that it's a laughable claim that they are confusable.

      See also, zero-tolerance policies in schools?

      --
      Your ad here. Ask me how!
    31. Re:90 days may be a little short by Lawrence_Bird · · Score: 1

      You are a freakin idiot. Go tell your boss that you are releasing your "patch" into his production system and then plan to submit more "revised" patches when new problems/incompatibilities are found. Please do not ever work for a bank or aerospace company.

    32. Re:90 days may be a little short by sonicmerlin · · Score: 1

      Well Google releases "fixes" that break their own Android OS all the time. I guess they think that's standard procedure.

    33. Re:90 days may be a little short by Anonymous Coward · · Score: 0

      and has a history of doing more or less the right thing, which describes Microsoft here, sit on the disclosure for a little more time.

      Microsoft does not have a history of doing the right thing. In fact very much the opposite. They have a history of delaying exploit fixes and playing social games to not bother fixing things.

  6. Yet by Anonymous Coward · · Score: 0

    "Microsoft says there's no evidence these flaws have been successfully exploited."

    And 5...4...3...2...1...

  7. As a Windows 8.1 user by Anonymous Coward · · Score: 0

    ... I can't say that I am much amused by this.
    Bad msft!
    Bad goog!
    *smacks with newspaper*

  8. People who live in glass houses... by Anonymous Coward · · Score: 0

    Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.

    For example, how about this: http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability

    1. Re:People who live in glass houses... by blackomegax · · Score: 1

      Google releases android patches all the time. They're up to like 5.0something now.

  9. MS should sue them by Anonymous Coward · · Score: 1, Insightful

    This is degenerate behavior.

    1. Re:MS should sue them by CaptainDork · · Score: 1

      I love the Ellen Degenerate show and stuff.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:MS should sue them by X.25 · · Score: 2

      This is degenerate behavior.

      Years (decades, now) ago, it was normal to publish vulnerabilities and exploits and discuss them and (try to) force vendors to act.

      What is happening now is degenerate.

  10. Lol, don't be evil by Anonymous Coward · · Score: 0

    ya i gota admit, i was always oo oo android blahbalhbalh, but now, i would rather pay for an operating system and not have my data sold.

  11. Isn't this the point of what Google is doing? by Anonymous Coward · · Score: 1

    Microsoft says there's no evidence these flaws have been successfully exploited.

    I mean the whole point of doing these types of investigations is to try and prevent exploits from getting out into the wild.

    1. Re:Isn't this the point of what Google is doing? by TemporalBeing · · Score: 1

      Microsoft says there's no evidence these flaws have been successfully exploited.

      I mean the whole point of doing these types of investigations is to try and prevent exploits from getting out into the wild.

      Exactly; which is contrary to Microsoft's position that they don't fix something unless there is an exploit in the wild...

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  12. Quick question by Anonymous Coward · · Score: 0

    > Microsoft says there's no evidence these flaws have been successfully exploited.
    How does sample attack code not count?

  13. 90 days is really long by dwheeler · · Score: 5, Informative

    90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that for more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
    1. Re:90 days is really long by Eristone · · Score: 1

      90 days is really long when you don't have a massive base to run testing and regression against. Let's just say that the fix is adding a bounds check to the input for a single function. The engineer assigned to the bug adds the bounds check and unit tests to make sure it behaves now. The fix is submitted to the build queue for the (let's say nightly) run to generate the next patch set, and the next production build for Windows. Now QA gets it, and being that this particular item failed for an input, they write a bunch of tests that kick in various input items - numbers, letters, binary data, larger than expected, smaller than expected, etc. This is then run in the "Test this subsystem" run and if it passes, yay, else back to step one. Then they run that test as part of their automated "Test Windows" run (which probably takes hours to do). If everything passes, great. If not, back to step one. Then after it passes QA for "Test Windows", it needs to go through QA for "Test Windows with {list of major software that if we break something it is bad}". If that all passes, then it can go to the patch queue for the next scheduled release. I'd be surprised if an automated "Test Windows" run can be completed in less than a day or two. Probably 3-5 days for the "Test Windows with Other Software Running". So the minimum time to get a tested patch is about a week assuming the problem is super simple. Once it starts involving multiple subsystems, you can start running into weeks to get a good tested patch, assuming that it doesn't take a few weeks for engineering to get a fix ready for testing in the first place.

    2. Re:90 days is really long by whoever57 · · Score: 3, Insightful

      Then they run that test as part of their automated "Test Windows" run (which probably takes hours to do)

      I am going to nitpick on your analysis, but I have zero sympathy for Microsoft having (hypothetically) a test system that takes hours to provide a result. This is a company with billions of dollars available to it. Invest in more test hardware if the test systems take too long to run.

      --
      The real "Libtards" are the Libertarians!
    3. Re: 90 days is really long by Anonymous Coward · · Score: 0

      They do. Football fields worth of hardware, tens if not hundreds of thousands of different hardware configurations with huge variations of software installs from many major and not so major software companies. The testing is automated from reinstalling the OSes and other software and then burning through whole suites of tests. This shit takes time, and for the most part Microsoft has a fantastic record for ensuring no regressions, so much so that when there is one it is front page news (and not just on Slashdot.) One of these patches was delayed specifically because of a compatibility regression, one that I could almost guarantee was the result of some third party software.

    4. Re:90 days is really long by sjames · · Score: 1

      9 Women cannot make a baby in a month.

    5. Re:90 days is really long by Anonymous Coward · · Score: 0

      9 Women cannot make a baby in a month.

      Not true. Each of the 9 women could do that. Sure, the babies would be extremely premature...

    6. Re:90 days is really long by Anonymous Coward · · Score: 0

      As a former MS employee, this is spot on. I never figured out why they think it is cheaper to waste their employees' time than to invest in some more hardware.

      To be fair, it isn't just hardware. Their tests aren't exactly designed to run quickly. You wouldn't believe the amount of time a typical test run spends sleeping and rebooting.

    7. Re:90 days is really long by SwashbucklingCowboy · · Score: 1

      "90 days is really long."

      Cow manure.

      It's short when fixing vulns in an OS and delivering a real product.

    8. Re:90 days is really long by Anonymous Coward · · Score: 0

      Attributing a quote from "the mythical man month" to a testing system leads me to believe you have no idea what you're talking about. That quote has zero to do with automated systems, it's suppose to describe putting more developers on a feature.

    9. Re:90 days is really long by sjames · · Score: 1

      A turn of phrase can have more than one application. Some tasks are inherently serial.

  14. Wow, that Google is teh awesome by Anonymous Coward · · Score: 1

    "Google Releases More Windows Bugs"

    Releasing bugs on a platform they didn't write, don't have the source code to and they did all this by means of a Computer World article.

    How in the world did they put bugs in two Windows versions using a magazine? That's really a trick.

    Oh wait...

    Remember folks, socialism is for the people, not the socialists!

    1. Re: Wow, that Google is teh awesome by Anonymous Coward · · Score: 0

      What a bunch of fags complaining about information that should be publicly available. And, WGAF what Microsoft thinks. If Microsoft isn't concerned, what makes you bunch of pansies so concerned? We already have too much information that's being withheld (I won't even go into the details on that one) but if you think every bug is some sort of major security risk you should probably stock up on underwear pussys.

    2. Re: Wow, that Google is teh awesome by Anonymous Coward · · Score: 0

      Underwear pussys.

      I like the cut of your jib, and would like to subscribe to your newsletter.

      You do have a newsletter don't you?

      Remember folks, socialism is for the people, not the socialists!

  15. Shame on you Google by BitZtream · · Score: 1, Informative

    Not everyone wants to follow your ridiculous upgrade cycle. Example: I like Google Chrome, I won't use it because it's a pain in the ass to stop it from auto-updating, and if you stop it once, a month later it randomly starts upgrading itself again.

    Why does Google think what it's doing is any better than the people who sell exploits on the black market? They aren't asking for cash directly for them, but they are trying to hurt the competition.

    Issue #128 might not even be a bug depending on your perspective, as noted in the report! The one that is 'the more serious of the two', WTF? And it's not like MS hasn't patched it ... they've created a patch, that caused some compatibility issues so they delayed the patch so the compat issues can be resolved ... So Google publishes the exploit code just to be dicks about it.

    The less serious ... lets a user view another user's power control settings ... Seriously?

    This is just Google mud slinging. It's starting to look more like Google is a politician running for elected office than being a good citizen.

    Google: You're starting to look like an even bigger douche than Microsoft.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Shame on you Google by Anonymous Coward · · Score: 0

      Google has been a bigger douche than Microsoft for a year or two, but for some reason it has fanboys these days who will defend it any cost. People who defend companies they don't work for and don't have an investment in are hilarious.

    2. Re:Shame on you Google by Anonymous Coward · · Score: 1

      Google's assholery aside, you are talking about general upgrades, while the article is about security patches. You make some arguments against a rapid schedule of general product upgrades, but that is entirely orthogonal to rapid release of security updates. I don't think there are any good arguments against rapid releases of security fixes. If you come up with any, I'll be happy to listen, but I doubt I'll agree.

    3. Re:Shame on you Google by tom229 · · Score: 1

      I'm not a fanboy, but I'd imagine a lot of people feel strongly about supporting the lesser of the two evils in the mobile market.

      --
      If it ain't broke, don't fix it.
    4. Re:Shame on you Google by Anonymous Coward · · Score: 0

      Exactly. Google is not a product company. Heck, it's really not even a technology company. It is an advertising company (89% of its 14Q3 revenue was from advertising). They have no concept of what it means to produce and support a *product*. Witness the nonsense going on with Android, for example.

      90 days is actually a very short time frame for trying to diagnose, fix, test, regress, package and then distribute a change to an established product that has been widely deployed in the real world (which is to say, in 1,000's of different environments).

      Google has done everyone a disservice by helping the hackers compromise a widely used platform (meaning, the harm done has been greatly magnified). Those self-righteous little technoids on Google's "Project Zero" panel really need to leave their ivory tower and focus on fixing Google's problems first.

    5. Re:Shame on you Google by DigitAl56K · · Score: 1

      I am glad Google is sticking to their policies. 3 months is easily enough time to deploy a fix.

      As one of Microsoft's end users, I'd much rather be faced with the quantifiable risk of deploying a patch than the unquantifiable risk that every system I own has been compromised, any data on them exfiltrated or encrypted and used to hold me to ransom, and the possibility that my systems have been used to attack others.

      For all we know, Microsoft could be playing a PR game by developing patches and then holding them just past Google's 90 day window. Two in a row now? Seems fishy to me.

    6. Re:Shame on you Google by Anonymous Coward · · Score: 0

      I could have sworn there's four modern choices of smartphone OS in the mobile market, at least two of which let you run android applications.

    7. Re:Shame on you Google by Anonymous Coward · · Score: 0

      So you like Windows Phone? That's good to know.

    8. Re:Shame on you Google by paziek · · Score: 1

      A lot of people use their services, is that enough reason for you to not see those people as fun as you do now? Besides, is it really so bad to defend someone who you think is right? Not saying everyone thinks that Google is, as GP proves, but I don't really see what's wrong with what they do. Chances are those exploits are already being used anyway and MS doesn't care for as long as it's not big enough to cause shitstorm.

    9. Re:Shame on you Google by Gravis+Zero · · Score: 1

      Not everyone wants to follow your ridiculous upgrade cycle.

      bug fixes are NOT upgrades. bugs are flaws because they were careless and did NOT do proper testing. bug fixes should be pushed out in days, not months. what google is doing is exposing their poor practices.

      --
      Anons need not reply. Questions end with a question mark.
    10. Re:Shame on you Google by pop+ebp · · Score: 1

      Why does Google think what it's doing is any better than the people who sell exploits on the black market?

      The black hat guys aren't going to post the exploit on a public bug tracker for everyone to examine, that's why.

      Issue #128 might not even be a bug depending on your perspective, as noted in the report!

      Then what is the problem with releasing it to the public? They didn't make any statement about its severity as far as I can tell. That evaluation is up to the reader.

      they delayed the patch so the compat issues can be resolved ... Google publishes the exploit code just to be dicks about it.

      As another poster mentioned in another thread, the researchers acknowledge that some bugs need longer to fix, but they think that after a certain time period, it's better if the public knows about it so can they can take appropriate measures while the patch is being developed. That is the reason bugs are publicized. Whether you agree with that is another question.

      This is just Google mud slinging.

      It might well be, but if it results in more secure software for everyone, I'm all for it.

      Personally I think the strict 90-day rule might be a little too strict. Rather than speculating on Google's ulterior motives, we should discuss whether this move makes software more secure as a whole.

    11. Re:Shame on you Google by Anonymous Coward · · Score: 0

      You probably know this already:

      http://www.srware.net/en/software_srware_iron.php

    12. Re:Shame on you Google by Ravaldy · · Score: 1

      What I'm wondering about all this is, why is Google mud slinging? I can't seem to find a good reason for it. Google only has 2 areas of competition with MS (mobile and search engine). Is Google threatened by the 3% market share MS has?

    13. Re:Shame on you Google by jdawgnoonan · · Score: 1

      All that I question about the action on Google's part is that they are a competitor, not an independent security firm.

    14. Re:Shame on you Google by slashdot_commentator · · Score: 1

      Yet another clueless consumer who doesn't understand the nature of the computer security braying their pronouncement of what Google should do.

      What's missing in the real world is a litigation avenue where (security) negligence by a (software) company can be addressed as a class action suit. Now picture companies like Target going bankrupt for their security miscalculation in court, rather than the business hit it took for being publicly embarrassed. Or picture a major bank going under, because of their security design flaw.

      Or you can look at Google's actions as tailor made to address security flaws, while minimizing harm to companies and the world's consumers.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    15. Re:Shame on you Google by Anonymous Coward · · Score: 0

      Would you care to tell us your ranking of how evil these companies are?

    16. Re:Shame on you Google by tom229 · · Score: 1

      Sure.

      Apple >>>>>>>>>>>>>>>>>>>>>>>>>>>> Google > Microsoft > Blackberry

      --
      If it ain't broke, don't fix it.
    17. Re:Shame on you Google by tlhIngan · · Score: 1

      I am glad Google is sticking to their policies. 3 months is easily enough time to deploy a fix.

      As one of Microsoft's end users, I'd much rather be faced with the quantifiable risk of deploying a patch than the unquantifiable risk that every system I own has been compromised, any data on them exfiltrated or encrypted and used to hold me to ransom, and the possibility that my systems have been used to attack others.

      For all we know, Microsoft could be playing a PR game by developing patches and then holding them just past Google's 90 day window. Two in a row now? Seems fishy to me.

      Obviously posted by someone who doesn't work in software development, or has to deal with the fact the software needs to work in millions of configurations and with interdependencies.

      Plus, the bugs need to be investigated for the root cause. Patching over the flaw doesn't help things since it leaves the vulnerability open. See shellshock - the bug was plastered over the first time and it didn't work, so another patch was released days later with a workaround, but the fundamental problem was still there.

      These aren't little toy utilities you write to scratch your itch, these are major millions of line code bases where bugs can be simple errors in code, to complex design bugs. Like say, shellshock (which is a design bug and now you have a problem of how to fix it because people are relying on the faulty behavior). Sure there are tons of automated test suites and they're probably the reason why they had to recall the patch, twice.

      As for malfunctioning patches, you'll sing a different tune when you have to go fix dozens of PCs because the patch bluescreens, or you can't install software anymore. Either way, millions of PCs get bricked from a bad update just to meet some company's arbitrary timeline.

      And I don't know, those 3+ recalled patches were pretty serious if you were one of the affected people.

    18. Re:Shame on you Google by david_thornley · · Score: 1

      Guess how I know you don't have applicable experience or knowledge to make that comment.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    19. Re:Shame on you Google by DigitAl56K · · Score: 1

      Obviously posted by someone who doesn't work in software development, or has to deal with the fact the software needs to work in millions of configurations and with interdependencies.

      Wrong, and wrong.

      Plus, the bugs need to be investigated for the root cause. Patching over the flaw doesn't help things since it leaves the vulnerability open.

      Yes, thanks for stating how security fixes are supposed to work, in case we all thought Microsoft was going to slap a bandaid on it and call it good.

      See shellshock

      No. Why are you referencing a completely different vulnerability not even managed by the company? Because they're both vulnerabilities? Because there's a risk someone didn't fully fix an issue once therefore no-one can in future? Newsflash for you: Microsoft has fixed vulnerabilities with the same root cause multiple times over the years.

      Like say, shellshock

      Do you know of any others?

      (which is a design bug and now you have a problem of how to fix it because people are relying on the faulty behavior)

      It was not a design bug. Do you even know what you're talking about?

      As for malfunctioning patches, you'll sing a different tune when you have to go fix dozens of PCs because the patch bluescreens, or you can't install software anymore.

      *shrug* I guess I wouldn't roll straight to production...

      Either way, millions of PCs get bricked from a bad update just to meet some company's arbitrary timeline.

      Their *3 month* timeline.

      And I don't know, those 3+ recalled patches were pretty serious if you were one of the affected people.

      Google is between a rock and a hard place. Either they disclose and stuff gets fixed, or they don't and *we don't know if it would be fixed when MS said it would or not*.

    20. Re:Shame on you Google by Gravis+Zero · · Score: 1

      Guess how I know you don't have applicable experience or knowledge to make that comment.

      you are one of our testers? you live in a reality constructed inside your mind? oh i just must know!

      --
      Anons need not reply. Questions end with a question mark.
    21. Re:Shame on you Google by david_thornley · · Score: 1

      I've been working in this field longer than a whole lot of /. has been alive. I have written lots of bugs in my time, and have worked with lots of very good developers who also wrote lots of bugs. Testing, proper or not, will find some bugs and not others. A good tester (and I did have a QA gig once) will find more bugs, but will inevitably miss some. Bug fixes cannot necessarily be pushed out in days. I've had bugs that I couldn't find for a long time. I knew the code was buggy, because I could reproduce bugs, but it took a long time to find what the bug was. After that, it's necessary to figure out how to fix the bug, bearing in mind that fixing bugs is one of the processes in software development that has a greater chance of introducing new bugs.

      So, knowing that what you wrote was nonsense, it was a reasonable deduction that you were some combination of ignorant, inexperienced, dishonest, or stupid, and I'd much rather accuse people of lacking knowledge and experience than intelligence and honesty.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  16. Microsoft: No evidence flaw successfully exploited by JoeyRox · · Score: 0

    Uh, isn't that what Google's proof-of-concept does - demonstrate the flaw being successfully exploited? Does Microsoft need to see N. Korea exploiting it before they believe it's real?

  17. Cryptonomicon: Shanghai Banks by handy_vandal · · Score: 3, Interesting

    I'm reminded of Neal Stephenson's description of Shanghai banks on the eve of World War 2:

    Here you've got the Hong Kong and Shanghai Bank of course, City Bank, Chase Manhattan, the Bank of America, and BBME and the Agricultural Bank of China and any number of crappy little provincial banks, and several of those banks have contracts with what's left of the Chinese Government to print currency. It must be a cutthroat business because they slash costs by printing it on old newspapers, and if you know how to read Chinese, you can see last year's news stories and polo scores peeking through the colored numbers and pictures that transform these pieces of paper into legal tender.

    As every chicken-peddler and rickshaw operator in Shanghai knows, the money-printing contracts stipulate that all of the bills these banks print have to be backed by such-and-such an amount of silver; i.e., anyone should be able to walk into one of those banks at the end of Kiukiang Road and slap down a pile of bills and (provided that those bills were printed by that same bank) receive actual metallic silver in exchange.

    Now if China weren't right in the middle of getting systematically drawn and quartered by the Empire of Nippon, it would probably send official bean counters around to keep tabs on how much silver was actually present in these banks' vaults, and it would all be quiet and orderly. But as it stands, the only thing keeping these banks honest is the other banks.

    Here's how they do it ...

    --
    -kgj
  18. YET... by swschrad · · Score: 1

    >> Microsoft says there's no evidence these flaws have been successfully exploited.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  19. ever call support? everybody does it by swschrad · · Score: 1

    "he did it! he did it!" yeah, they're taught that song at birth.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  20. FTFY by CaptainDork · · Score: 2, Insightful

    I mean the whole point of doing these types of investigations is to slap the competition in the face.

    --
    It little behooves the best of us to comment on the rest of us.
  21. Re:Reminds me on kindergarten... by kit_triforce · · Score: 1

    Your metaphor does not hold. As you put it, Google is inserting itself into others' business, when they should be concentrating on their own issues. In kindergarten, there are teachers and other staff to oversee the children and resolve conflicts. That does not exist here. Google has stepped up and is trying to improve their whole business environment, both in and around their area of stewardship. When researching an issue, bug, or flaw (such as security issues in this case) sometimes you find that the system you are working on does not contain the flaw, but the environment where it is being used. Normally, we accept it as a limitation and attempt to build around the flaw, leaving it for a pitfall to others. Google is calling out such flaws and letting the stewards over those flawed systems know, and giving them 90 days to fix it before they tell everyone else. This isn't whining, it's community responsibility, and I hope more companies follow suit.

  22. Google should take care of their business first by Anonymous Coward · · Score: 0

    You don't point out others' mistakes when you don't take care of your own problems.

    1. Re:Google should take care of their business first by Anonymous Coward · · Score: 0

      You don't point out others' mistakes when you don't take care of your own problems.

      Assuming you're thinking of the 'won't fix old version' brouhaha...

      As I understand it, it's fixed in later versions of Android:

      * Nexus device - update to later version, no problem
      * Other vendors' device - only said vendor can push an updated version to the devices. They've got access to newer Android versions that they could package and push out, but won't since they'd rather sell a new shiny. Is Google really the evil party here?

  23. And MS learns from the open source community! by Anonymous Coward · · Score: 1

    "Microsoft says there's no evidence these flaws have been successfully exploited."

    a.k.a. WONTFIX. I wonder if Lennart has been advising them.

  24. Re:Reminds me on kindergarten... by drinkypoo · · Score: 1

    Google is inserting itself into others' business, when they should be concentrating on their own issues.

    When Microsoft fails at security, it impacts Google's core business...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  25. Re:Microsoft: No evidence flaw successfully exploi by Anonymous Coward · · Score: 0

    The need to reassure their customers that the bad guys did not already know about this particular exploit.

  26. Particularly given their Android response by Sycraft-fu · · Score: 2

    "Oh that's an old version, we aren't going to patch the bug." Really? That's an acceptable response that something that's 3 years old is too old to patch? But somehow, taking 100 days to patch a product that's 5 years old (in 7's case) is too long? Much easier to deal with patch issues if you just declare you only support the latest greatest and require everyone to upgrade all the time, no matter the issues.

    MS's response is particularly understandable given the complexity of doing regression testing on the wide variety of hardware, software, and patch sets the patch might need to be applied against. If they released it and it caused issues, well then people would cry even more about how shitty they were for not testing it.

    I think you are right about the mud slinging/political office: What with Chromebooks Google now wishes to directly attack MS. They want to make Windows look bad, and thus make their own product look good by comparison. This isn't motivated by being a good citizen, it is motivated by something else.

    For that matter one can get all conspiracy theorist and say maybe they chose their reporting date knowing MS's patch cycle to try and create just such a situation.

    1. Re:Particularly given their Android response by Anonymous Coward · · Score: 0

      Compared to the stuff Microsoft pulled against Android in the previous years, this is mild, not even illegal or morally offensive.

    2. Re:Particularly given their Android response by Xylantiel · · Score: 3, Insightful

      The other option is that Microsoft could acknowledge reality - they are not fixing things fast enough to resist targeted attacks. MS's statement about it "not being seen in the wild" demonstrates that they don't understand the current state of exploits. Google's hypothetical attacker is one who will go to lengths to keep an exploit from being used specifically so that MS won't fix it. Also a monthly schedule for updates is a huge liability against such an attacker, as they know their window of opportunity. MS is stuck in the old model that an exploit is not important unless it has been seen in the wild. While that is all well and good for preventing worms from spreading (and therefore protecting MS's image) it is not good enough to protect your company's data from a targeted attack that can buy or discover a zero-day vulnerability. That is reality.

      Another way to look at it is that people using MS stuff have chosen interoperability over security. Thus the longer patch testing cycle, and the once-a-month updates. Therefore they shouldn't be surprised when it is demonstrated that... they chose interoperability over security.

    3. Re:Particularly given their Android response by Anonymous Coward · · Score: 0

      Mod up, great response.

    4. Re:Particularly given their Android response by david_thornley · · Score: 1

      Which is not a good excuse for providing guides to exploit a vulnerability when the vulnerability is being addressed by the vendor. That stuff is for vendors who ignore vulnerabilities.

      It takes Microsoft time to get fixes out there, and that does have some unfortunate implications. However, being too specific about the bugs makes it easier for more people to exploit them, before the poor users can get a patch.

      To put this another way, you may consider Microsoft's security inadequate, but that's hardly a reason to weaken it further.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  27. But CERT Also Allows Variances by mx+b · · Score: 1

    90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that for more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

    It's definitely a fine balancing act, and regardless of your opinion on the Google vs Microsoft disclosure debate, I am glad that we are having a public debate about it.

    Vulnerabilities cannot really be effectively categorized (look at the attempts from MITRE, for example). Some are due to simple programming errors and can be fixed and rolled out immediately. Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior. A one-size-fits-all disclosure plan is not necessarily in the public benefit, and I'm glad discussion is being had on what a reasonable timeline looks like, as well as what are extenuating circumstances for changing that timeline.

    1. Re:But CERT Also Allows Variances by slashdot_commentator · · Score: 1

      Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior.

      Google, or the world, do not have an obligation to tolerate Microsoft's willingness to market a fatally flawed product because a whole industry "expects" to take advantage of an insecure feature. It is no different than a fatally flawed skyscraper design. When such a building or bridge comes about, the world doesn't require architects or engineers to keep quiet about a safety flaw, because people already use it. The owner/design company is required to produce an effective correction to the problem, or the building gets condemned. Otherwise, the company is liable to be sued for the deaths and injury that can be attributed to it when the flaw is finally manifested. Do we really want an industry where companies put out shoddy products that can avoid a bad result in 10-20 years, wait for that error to harm people, and then suffer no economic consequences because they no longer exist?

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    2. Re:But CERT Also Allows Variances by Anonymous Coward · · Score: 0

      But what gives Google the right to do what they're doing? They're just as guilty as Microsoft when it comes to security problems and shitty insecure software. Why should they spend their money on announcing other people's flaws, rather than fixing their own? Especially when Microsoft already has fixes pending and just needs a bit more time to ensure they don't cause even worse problems?

      Who honestly thinks that forcing someone to rush out a less-tested patch is a good idea, just because Google has a hard-on for playing the fake superhero?

    3. Re:But CERT Also Allows Variances by slashdot_commentator · · Score: 1

      But what gives Google the right to do what they're doing?

      What right? The right for the general public to utilize computer products SAFE from thieves and infrastructure terrorism.

      They're just as guilty as Microsoft when it comes to security problems and shitty insecure software. Why should they spend their money on announcing other people's flaws, rather than fixing their own?

      They are guilty of the same security problems and shitty software. And they should be punished in the commercial markets the same way as Microsoft. If they commit the same crime as Microsoft, they should suffer the same penalties. NOT be complicit in covering up competitors' crimes, because they're criminals too.

      Especially when Microsoft already has fixes pending and just needs a bit more time to ensure they don't cause even worse problems?

      Who honestly thinks that forcing someone to rush out a less-tested patch is a good idea, just because Google has a hard-on for playing the fake superhero?

      Microsoft has not always been diligent in correcting security problems, and I'm sure they're more than willing to backslide. Just like once upon a time, you could count on Microsoft putting out reliable Windows Update patches, but now they drop the ball, as they did when they changed their management and protocols last year.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    4. Re:But CERT Also Allows Variances by sjames · · Score: 1

      I'm no fan of MS (and I'm sure my posting history will bear that out), but there are other considerations here. No, MS shouldn't get a complete skate on this. They have proven that they need their feet held to the fire to get things to happen. BUT, there needs to be some slack in the system. If they appear to have been working on the problem in earnest and have a release plan, it's worth giving them time to complete it.

      Unlike a building with a flaw, there aren't lives at stake here, and releasing the details of the flaw in advance of the fix increases the chances of trouble. Further, if the likelihood of a problem in the immediate future is small enough, builders are often given the chance to make corrections before the details come out.

    5. Re:But CERT Also Allows Variances by Anonymous Coward · · Score: 0

      Get the google cock out of your mouth.

    6. Re:But CERT Also Allows Variances by Lawrence_Bird · · Score: 1

      You really woke up on the wrong side of the bed today. Crime? There is no obligation by any of these companies to you to repair or replace any of the flaws. You license (or buy outright) the software AS IS. That you may also buy some type of "service contract" that provides for periodic upgrades, updates and fixes does not in any way oblige the software producer to fix any one specific flaw.

      You may not like that system and you can certainly choose to go open source... where btw, who is guilty of the "crime" when a flaw is not fixed for months or years?

    7. Re:But CERT Also Allows Variances by slashdot_commentator · · Score: 1

      Any sale of goods, provision of service, or transaction has implied requirements by the vendor to not "damage" the recipient or bystanders. When such a vendor is remiss in delivering services as such, OR tries to cover up malfeasance, that is a civil harm. When it physically damages individuals, or otherwise legally defined, it is a crime. In most cases, damages are resolved in the civil courts.

      Microsoft's products are so pervasive in our society, their ability to be penetrated by hackers threatens bank accounts, personnel records, medical records, and in rare cases, infrastructure. Where Microsoft is "negligent", they can be sued. It's only a matter of time.

      An unknown flaw lurking for years does not make Microsoft liable for negligence. A KNOWN flaw, which Microsoft does not move on, will eventually be grounds for civil damages. If it ends up killing people, it's possible for it to go to criminal trial.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
  28. Android patent licensing and litigation .. by lippydude · · Score: 1

    "The licensing quest is largely a byproduct of Microsoft's unique position -- or perhaps more bluntly put, failure in the market" ref.

  29. I never thought that I would say this.... by jdawgnoonan · · Score: 1

    I think that Microsoft has better intentions in this than Google does. Microsoft acknowledged the bugs and requested that Google delay the public release slightly so that they could patch. Google to me seems to be simply slamming Microsoft. All the while Google has extremely vulnerable versions of its old stock browser on older but not out of support Android phones that it openly states that it will not patch.

    1. Re:I never thought that I would say this.... by Anonymous Coward · · Score: 0

      Microsoft had ninety (90!) days to fix the flaw. They are hurting every user by dragging their feet.

    2. Re:I never thought that I would say this.... by jdawgnoonan · · Score: 1

      Have you ever worked on or maintained an operating system? It is a little more complex than writing little apps. Are you so sure that they are dragging their feet? Are you aware that all software companies do this same thing? Do you really feel that it is correct for a competitor that is not a security firm to go after another competitor like that? Google is doing the same thing on Android, Apple repeatedly has done the same thing.

    3. Re:I never thought that I would say this.... by jdawgnoonan · · Score: 1

      Google hurt users by publicly announcing an exploit in their competitor's operating system that was not patched, especially when Microsoft tried to do the right thing by communicating with Google regarding when it would be patched and asking them to delay the release. Google is not a security firm by the way. They are a competitor. And for all of the Microsoft hate out there, and I have been in the hate Microsoft crowd myself, Google is in reality like Facebook on steroids (albeit with much cooler products).

    4. Re:I never thought that I would say this.... by Actually,+I+do+RTFA · · Score: 1

      All the while Google has extremely vulnerable versions of its old stock browser on older but still for sale Android phones that it openly states that it will not patch.

      FTFY

      --
      Your ad here. Ask me how!
  30. That's an inappropriate comparison. by tlambert · · Score: 2

    Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.

    For example, how about this: http://www.extremetech.com/mob...

    That's an inappropriate comparison.

    To patch that vulnerability would require the ability to update Android on existing handsets.

    For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.

    For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.

    For this to work, there would have to be ongoing development on an older hardware platform.

    For this to work, there would have to be carrier involvement in certification.

    For this to work, the carrier revenue model of locking you into a two year contract every 18 months would have to change.

    --

    It's in absolutely no one's financial interest to provide updates to Android in already shipped handsets, and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

    U.S. Carriers are *NOT* going to change their revenue model just so people can buy a la carte devices that will work with any carrier, and cost more up front for you to go with their service, rather than rolling it into the monthly payment when you go with a competitor's service. Everyone would have to change at once (collusion, a violation of both the Sherman Antitrust Act and the RICO Statutes, and definitely something that would be prosecuted), or the carrier that tried to move to the European model would find itself out of business.

    Likewise, the handset vendors, whose revenue model is completely built on thin margins, but selling a new handset every 18 months, instead of you buying one and keeping it for 10 years, would have to charge higher margin on their device sales in order to keep their revenue numbers up, and to pay for the R&D ongoing on the already-sold platform. And then they'd need to change their FAS accounting to match that of Apple's, or face charges under Sarbanes-Oxley, which is what Apple had to do before it could give away the WiFi updates to 802.11g/n for iPods. You'll (maybe) remember that they got a percentage of the monthly wireless fee from the carrier for iPhones, but realized their income at time of sale on iPod Touch and non-3G iPads, and so they had to charge $5 for the update.

    And seriously, would you be willing to pay $5 for a bug fix for a bug you were pretty sure wasn't impacting you anyway, and was just some security "researcher" throwing a hissy fit to get their company name in the news so they got audit contracts out of it?

    1. Re:That's an inappropriate comparison. by Karlt1 · · Score: 1

      That's an inappropriate comparison.

      To patch that vulnerability would require the ability to update Android on existing handsets.

      You mean like Apple can on iPhones and MS can on Windows Phones?

      For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.

      I don't have to wait for Dell to provide a new version of Windows for me to patch a security vulnerability.

      For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.

      huh?

      For this to work, there would have to be ongoing development on an older hardware platform.

      And my 2006 Mac running Windows 7 is still getting Windows updates from Microsoft.....

      For this to work, there would have to be carrier involvement in certification.

      Do you really think Apple waits for "certification" from all 160+ carriers worldwide before updating iOS?

      For this to work, the carrier revenue model of locking you into a two year contract every 18 months would have to change.

      And my old iPhone 4s introduced 9/2011 is still getting updates.....
      -

      It's in absolutely no one's financial interest to provide updates to Android in already shipped handsets, and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

      Microsoft is an "OS supplier", yet and still my Mac Mini running Windows 7, Sony, Gateway, and Dell can all get OS updates, but you still have to wait for Verizon to get updates for the Google Nexus on their network?

      U.S. Carriers are *NOT* going to change their revenue model just so people can buy a la carte devices that will work with any carrier,

      The reason that one phone can't be used worldwide is because of the different bands that the different carriers support and the different technologies (CDMA/GSM).

      You can buy an iPhone right now that will work with varying degrees on all carriers in the US.

      and cost more up front for you to go with their service, rather than rolling it into the monthly payment when you go with a competitor's service. Everyone would have to change at once (collusion, a violation of both the Sherman Antitrust Act and the RICO Statutes, and definitely something that would be prosecuted), or the carrier that tried to move to the European model would find itself out of business.

      All of the carriers have an option that allows you to buy your phone up front and just pay for service.

      Likewise, the handset vendors, whose revenue model is completely built on thin margins,

      Ever heard of this little company called Apple?

      And then they'd need to change their FAS accounting to match that of Apple's, or face charges under Sarbanes-Oxley, which is what Apple had to do before it could give away the WiFi updates to 802.11g/n for iPods. You'll (maybe) remember that they got a percentage of the monthly wireless fee from the carrier for iPhones, but realized their income at time of sale on iPod Touch and non-3G iPads, and so they had to charge $5 for the update.

      And seriously, would you be willing to pay $5 for a bug fix for a bug you were pretty sure wasn't impacting you anyway, and was just some security "researcher" throwing a hissy fit to get their company name in the news so they got audit contracts out of it?

      Not true, the law changed years ago. That's why Apple has been able to "give away" free OS upgrades for all of their devices for years.

    2. Re:That's an inappropriate comparison. by Anonymous Coward · · Score: 0

      and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

      You're full of shit. Google has already been caught forcing all Android vendors to bundle Google's proprietary shit so that they can spy on users' data.

      "Just an OS Vendor" .. lol.. what a joke.

    3. Re:That's an inappropriate comparison. by tlambert · · Score: 1

      and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

      You're full of shit. Google has already been caught forcing all Android vendors to bundle Google's proprietary shit so that they can spy on users' data.

      "Just an OS Vendor" .. lol.. what a joke.

      How does a trademark licence agreement for the use of the "Android(tm)" trademark conflate with them being able to magically update the firmware on phones for which the Android team at Google does not even have full source code, and which the carriers would require recertification for use on their network?

      Or do you really not understand how that bundling is achieved through the trademark licensing agreement?

    4. Re:That's an inappropriate comparison. by Anonymous Coward · · Score: 0

      ^This. How OP can say all that about and not choke on the hypocrisy is staggering.

  31. That is not how you do it by Anonymous Coward · · Score: 0

    Go to connect.microsoft.com and file a bug report.

  32. "To the best of our knowledge" by gwstuff · · Score: 2

    > Microsoft says there's no evidence these flaws have been successfully exploited.

    Cleverly worded sentence intended to leave the reader with the impression:

    "We don't know that there has been a breach, therefore there hasn't been a breach"

    when it really means...

    "We don't know squat about whether there has been a breach. Maybe all hell has broken loose, and there's no evidence to contradict that either."

  33. Re:Playing with fire... by TemporalBeing · · Score: 4, Interesting

    MS still holds a lot of Android patents. They can easily do an Apple and forbid use of them, which will completely paralyze Android.

    What, you mean all those patents that the Chinese outed and nearly the entire tech world found to be not relevant, save about as many as you can count on your hands? Yeah, that's really going to stop Android...

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  34. Re:Microsoft: No evidence flaw successfully exploi by Carewolf · · Score: 1

    Uh, isn't that what Google's proof-of-concept does - demonstrate the flaw being successfully exploited? Does Microsoft need to see N. Korea exploiting it before they believe it's real?

    If you personally create a remote account for a North Korean spy and he uses this exploit to see your power control settings, you really were asking for it. Not sure what, but something.

  35. Monty Python by Aaden42 · · Score: 1

    I’m reminded of the old “blackmail” skit from Monty Python. Just with less of Terry Jones’ ass hanging out at the piano. I like it!

  36. Poor form by Google by davidwr · · Score: 1

    A countdown clock is great but at least a few weeks before it expires a human needs to review it and send a "red flag alert" to the vendor that will fix it and ask if they are working on it and if so ask when they expect to have it fixed.

    If the answer is "yes" the estimated fix-it date is in the near future, keep quiet but pester them if the date passes without a fix.

    If the answer is "yes, we've been working on this but it is hard" or "no, but we'll get started right away" then keep pestering them and don't release it as long as they are making good progress (you may have to take their word on whether they are making good progress though, sigh).

    If the answer is silence or a plain "no" or some other indication that there is no fix coming soon, then release it on the original date.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  37. Re:Playing with fire... by Anonymous Coward · · Score: 0

    Off topic much? What the fuck does that have to do with a Windows security flaw?

  38. Google vs Microsoft by Anonymous Coward · · Score: 0

    I know Google isn't all roses and sunshine, but Microsoft is less of a tech company and more of a marketing and public relations firm.

    I guess years of Ballmer, entrenched monopoly and security by obfuscation does this to you.

    For those who remember: Microsoft spent plenty of resources just to bash Google in negative attack ads. Examples include Googlighting Stranger, Gmail Man, Scroogled. If only Microsoft would use all that time/money/energy to improve its products or fix bugs, eh?

    1. Re:Google vs Microsoft by jdawgnoonan · · Score: 1

      Microsoft is the number one enterprise tech company in the world, so I think that they are more than a public relations firm. Has /. become a site for people who only know about what is popular at the moment in tech? Or maybe it was always that way and I am just experienced enough to see it now.

    2. Re:Google vs Microsoft by Anonymous Coward · · Score: 0

      Google vs. Microsoft
      Microsoft targets Google the company negatively.
      Google targets Microsoft's customers negatively.

  39. Can't wait for google smart home. by Anonymous Coward · · Score: 0

    I just can't wait for Google smart home to be in every house so Google can publish when I forget to lock my door at night.

  40. If only... by Anonymous Coward · · Score: 0

    If only Google would put this much effort into their own products, like they used to, then maybe we wouldn't be relying on Microsoft at all anymore for their OS.

  41. So I have a question by Riplakish · · Score: 1

    When Google finds security bugs in Android do they publish it along with proof of concept after 90 days?

    1. Re:So I have a question by Cro+Magnon · · Score: 1

      No, but maybe Microsoft should. What's good for the goose.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:So I have a question by Actually,+I+do+RTFA · · Score: 1

      No, they do it immediately. While reminding everyone that that version of Android is no longer supported, and they really should buy a new device.

      --
      Your ad here. Ask me how!
  42. Evil corporation cage match! by Anonymous Coward · · Score: 0

    You have Google confused with Facebook.

  43. Re:No evidence duhh by tomxor · · Score: 1

    "Microsoft says there's no evidence these flaws haven't been successfully exploited."

    Regardless of their meaning, that's a ridiculous thing to say; obtaining evidence to show the flaws haven't been exploited is infeasible. It's like saying there is no evidence proving that god does not exist.

  44. Re:Reminds me on kindergarten... by Anonymous Coward · · Score: 0

    If that was true, then they would be working with Microsoft to improve their security, not making it worse by automatically disclosing vulnerabilities when the patch is forthcoming. And if you don't believe they should have to, then I fail to see why Microsoft should have to be beholden to Google's asinine 90-day cut-off when even Google doesn't fix its security bugs within 90 days in many cases.

  45. Re:Reminds me on kindergarten... by drinkypoo · · Score: 1

    If that was true, then they would be working with Microsoft to improve their security, not making it worse by automatically disclosing vulnerabilities when the patch is forthcoming.

    I think waiting 90 days for the company whose last CEO said he would "fucking kill" Google to fix their shit software is pretty generous.

    then I fail to see why Microsoft should have to be beholden to Google's asinine 90-day cut-off when even Google doesn't fix its security bugs within 90 days in many cases.

    Yes, Google's 90-day cut-off is asinine: It's twice CERT's standard, for example. If we really want these bugs fixed, Google should be disclosing them much earlier.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  46. Time for the lawsuits. by Anonymous Coward · · Score: 0

    Since Google is behaving in an irresponsible manner they are walking a fine line between legal and illegal activity.

    Perhaps it is about time that Google be sued, or possibly indicted on criminal charges for their behavior. Aiding and abetting is still a crime last I knew.

    1. Re:Time for the lawsuits. by Anonymous Coward · · Score: 0

      Fuck off back to Usenet, you fucking troll !!!!

    2. Re:Time for the lawsuits. by Anonymous Coward · · Score: 0

      What a great idea. Let's make it impossible for any whitehat to research or publish security vulnerabilities. That's sure to make software more secure.

  47. Another Semantics Exploit by Anonymous Coward · · Score: 0

    Microsoft says there's no evidence these flaws have been successfully exploited.

    Maybe that's because to successfully exploit these flaws would mean you must leave no evidence that anything has been exploited.

    Funny semantics begs for some kudos here.

  48. Pot, Kettle by Anonymous Coward · · Score: 0

    Now if Google would just spend some time fixing bugs in Android, like the VPN bug in 4.4 and 4.3 that prevents most people from using VPNs on their phone.

  49. Re:Reminds me on kindergarten... by Anonymous Coward · · Score: 0

    Uh huh. Because some jackass CEO blustered, Google has the right to fuck over MS end-users by arbitrarily demanding that MS prioritize their security reports over all others? Apparently you care more about Google's reputation and rushing out fixes than actually solving the problem. What will happen here? Google will make even more people vulnerable, all for what? To try to force MS to push their in-progress patch before it's even ready? And of course only MS deserves this treatment, because they're MS! Google's vulnerabilities can languish for over 90 days without being disclosed, because they're Google. They've never badmouthed other companies like idiots before.

  50. Re:Reminds me on kindergarten... by drinkypoo · · Score: 1

    Because some jackass CEO blustered, Google has the right to fuck over MS end-users by arbitrarily demanding that MS prioritize their security reports over all others?

    Well, no. Because some jackass CEO blustered, I will rub my hands together and chuckle with glee every time Google releases an old, old bug report with security ramifications for their stack of crap. It's Microsoft fucking over the end users, by dropping such a stack of crap on them and then refusing to be responsible about security. If Google can find these bugs, then so can dedicated attackers.

    And of course only MS deserves this treatment, because they're MS! Google's vulnerabilities can languish for over 90 days without being disclosed, because they're Google.

    If Microsoft wants to find security holes in Google software, and report them after 90 days, then I'm sure Google will make sure that someone fixes them within 90 days, or perhaps even 45. That's easy for Google to do, apparently. They roll out a new version of Play Services at the slightest opportunity.

    They've never badmouthed other companies like idiots before.

    Microsoft showed how they would like to be treated, and now Google is doing that: treating them like idiots. If Microsoft wants to step up their game and act responsibly with regards to security holes, they have that option available to them. Google isn't stopping them.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  51. Why in hell is Google doing this? by Applehu+Akbar · · Score: 1

    Releasing Windows bugs is Microsoft's job.

  52. Bring the beast into the light by Kuruk · · Score: 1

    I'm all for bringing this up. We need much more of it. It's long overdue; bugs were kept secret for the few.

  53. Don't be evil, bros! by Anonymous Coward · · Score: 0

    Don't be evil, bros!

    Good to see Google living up to their motto by drumming up the same typical bullshit FUD about Microsoft to scare people away from Windows and onto Chromebooks and Android devices.

    Because I'm REALLY sure Google gives a tin shit about my grandma's security. Right. That's the only reason they're drumming so hard on Windows. This isn't pre-emptive strikes on Microsoft because suddenly Microsoft is playing seriously in the datacenter, cloud, and mobile space where Google wants to make money...

  54. Relax people by Anonymous Coward · · Score: 0

    Both vulnerabilities are weak. One is a simple info disclosure without any potentially dangerous information being disclosed, and the other one doesn't really get you much unless you use it with at least one other exploit. So big deal, it was priority 50 on their list. There's no evidence Microsoft acted irresponsibly. For all you guys know Microsoft patched 50 other serious security flaws and they've dragged their feet on 2 measly ones.