Slashdot Mirror
Google Releases More Windows Bugs
An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.
but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not site on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.
This is degenerate behavior.
Like Bing doesn't sell data it collected either.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
"Microsoft says there's no evidence these flaws haven't been successfully exploited."
FTFY.
THIS is the issue. NOT finding and disclosing.
Both times MS has had a fix ready (last time) or in the pipeline (This time, fix started but not ready due to buggyness).
"90 days, or DIE!!!" Rules should have exceptions, especially if the companies have been responsive AND have good reasonable reasons for a delay - which does include MS.
Disclosure for a bug that's being worked on? While refusing to fix bugs in your own software?
Bad Google BAD! *Smacks the nose*
"Except without the public posting of them."
Except the menace of the public posting seems to be the only way for the vendor to move forward.
Is my bet that if Microsoft were doing their best effort to patch the bug and keep informed Google about it and the expected resolution time, they wouldn't have released the information.
I mean the whole point of doing these types of investigations is to slap the competition in the face.
It little behooves the best of us to comment on the rest of us.
But to my knowledge that is the only way Google makes any money at all, and, since Google has a higher market cap than Microsoft who also sells a lot of for profit software, I can only assume that Google sells a lot more information. Every tool Google provides for consumers is a data mining tool that is funded solely by data mining. Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.
In all seriousness, when the hell did we vote an advertising company as the security czar for the Internet?
Not only is releasing right now stupid - patch Tuesday isn't for another month, so they've just done maximum damage - but we've seen what happens when outside forces try to rush MS security patches. Things get broken in hilarious-but-awful ways.
When you're dealing with a codebase as large as Windows and have to maintain compatibility across an impossibly large array of hardware configurations, 90 days (really more like 60, depending on when PT falls) is not going to be enough time to patch and fully test every flaw.
Google's system for making exploits public is *AUTOMATED*. This is like a passenger in an elevator trying to convince the elevator to go back down while it's already in the middle of its trip to the top floor. You can throw a tantrum, but it's just not going to make any difference.
Microsoft was informed of the issue, and developed a patch, but it was due to Microsoft's own internal policies that the patch could not be included in the monthly update. There was probably some internal cut-off date or some other bureaucratic bullshit that prevented it. Google doesn't care about Microsoft's internal BS. Why should it?
Microsoft could have released the patch as an out-of-band update. Google wasn't insisting that it be released on the monthly schedule.
I am going to nitpick on your analysis, but I have zero sympathy for Microsoft having (hypothetically) a test system that takes hours to provide a result. This is a company with billions of dollars available to it. Invest in more test hardware if the test systems take too long to run.
The real "Libtards" are the Libertarians!
I'd rather that the 90 day clock have a snooze for 30 days option, so it's not disclosed to everyone. I'd rather that the developer (even MS) have time to fix it right rather than rush a fix that needs a later fix or a fix that breaks something else.
Some times you need to dig through code and figure out what the hell's going on so you can figure out why it's broken and fix it. And it's not like Google is the only one submitting bugs.
I refuse to sign
The other option is that Microsoft could acknowledge reality - they are not fixing things fast enough to resist targeted attacks. MS's statement about it "not being seen in the wild" demonstrates that they don't understand the current state of exploits. Google's hypothetical attacker is one who will go to lengths to keep an exploit from being used specifically so that MS won't fix it. Also a monthly schedule for updates is a huge liability against such an attacker, as they know their window of opportunity. MS is stuck in the old model that an exploit is not important unless it has been seen in the wild. While that is all well and good for preventing worms from spreading (and therefore protecting MS's image) it is not good enough to protect your company's data from a targeted attack that can buy or discover a zero-day vulnerability. That is reality.
Another way to look at it is that people using MS stuff have chosen interoperability over security. Thus the longer patch testing cycle, and the once-a-month updates. Therefore they shouldn't be surprised when it is demonstrated that... they chose interoperability over security.