Slashdot Mirror


Google Releases More Windows Bugs

An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.

7 of 263 comments

  1. 90 days is really long by dwheeler · · Score: 5, Informative

    90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that for more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  2. Re:90 days may be a little short by quantaman · · Score: 4, Informative

    But in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.

    From the article:

    In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

    "Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

    The next Patch Tuesday is scheduled for Feb. 10.

    So 90 days is an appropriate time to wait but not 106 days?

    It's not like MS was sitting on their hands; they made a patch but found problems in QA and had to do more work to get it working properly. I don't see the rationale for Google maintaining the hard 90 day deadline. Maybe extensions allow some complacency on the part of the developer, but you're still not going to see them sitting on issues for months or even years on end. Meanwhile, by publishing now Google has created one of two scenarios: 1) users are going to be left vulnerable to unpatched zero-day exploits, or 2) users are going to break their systems by installing broken patches.

    It's not clear to me how this is better than sitting on the issue for another 26 days.

    --
    I stole this Sig
  3. Shame on you Google by BitZtream · · Score: 1, Informative

    Not everyone wants to follow your ridiculous upgrade cycle. Example: I like Google Chrome, but I won't use it because it's a pain in the ass to stop it from auto-updating, and if you stop it once, a month later it randomly starts upgrading itself again.

    Why does Google think what it's doing is any better than the people who sell exploits on the black market? They aren't asking for cash directly for them, but they are trying to hurt the competition.

    Issue #128 might not even be a bug depending on your perspective, as noted in the report! The one that is 'the more serious of the two', WTF? And it's not like MS hasn't patched it... they've created a patch that caused some compatibility issues, so they delayed the patch so the compat issues can be resolved... So Google publishes the exploit code just to be dicks about it.

    The less serious... lets a user view another user's power control settings... Seriously?

    This is just Google mud slinging. It's starting to look more like Google is a politician running for elected office than being a good citizen.

    Google: You're starting to look like an even bigger douche than Microsoft.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Re:Hope the trend continues. by Twanfox · · Score: 3, Informative

    Someone who didn't read the article. One of the comments in the 'more serious of the two bugs' indicated that Microsoft INFORMED them that the patch was lined up for January, but was pulled and rescheduled for February. You lost your bet, by Google's own bookkeeping. Try for another?

  5. Re:Is that a typo? by binarylarry · · Score: 4, Informative

    From the bug link:

    This bug is subject to a 90 day disclosure deadline. If 90 days elapse
    without a broadly available patch, then the bug report will automatically
    become visible to the public.

    --
    Mod me down, my New Earth Global Warmingist friends!
  6. Re:90 days may be a little short by Qzukk · · Score: 3, Informative

    One with user-writable locations not mounted noexec?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. Re:Evil corporation cage match! by bgarcia · · Score: 4, Informative

    I can only assume that Google sells a lot more information.

    Google collects information. Google uses that information to determine what ads to show users. But unlike other companies, Google does NOT sell that information.

    --
    I'm a leaf on the wind. Watch how I soar.