Slashdot Mirror
Google Releases More Windows Bugs
An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.
MS still holds a lot of Android patents. They can easily do an Apple and forbid use of them, which will completely paralyze Android.
Microsoft: "There's no evidence these flaws have been successfully exploited."
Google: "Then why are you wearing that fake mustache and goatee?"
Shouldn't that read:
Microsoft releases more windows bugs?
Google isn't writing code for Microsft, is it? :-)
Yay! (gets popcorn!)
And yes - Google is just as much an evil corporation as Microsoft. Hell, given Google's business model is selling YOUR privacy, they're probably MORE evil.
Free markets! Competition!! That is what made America, what it is.
I wish such fierce competition exists in all spheres of the economy.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Google can suck a dick with this shit. Patch your shit mobile OS hypocrites.
but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not site on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.
"Microsoft says there's no evidence these flaws have been successfully exploited."
And 5...4...3...2...1...
... I can't say that I am much amused by this.
Bad msft!
Bad goog!
*smacks with newspaper*
Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.
For example, how about this: http://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability
This is degenerate behavior.
ya i gota admit, i was always oo oo android blahbalhbalh, but now, i would rather pay for an operating system and not have my data sold.
Microsoft says there's no evidence these flaws have been successfully exploited.
I mean the whole point of doing these types of investigations is to try and prevent exploits from getting out into the wild.
> Microsoft says there's no evidence these flaws have been successfully exploited.
How does sample attack code not count?
Google needs to worry about Google.
But.... but.... but.... He did it first!!!! WHHAAAAAAAAAAAA!!!!
Maybe Google just needs their diaper changed.
90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that more more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."
- David A. Wheeler (see my Secure Programming HOWTO)
"Google Releases More Windows Bugs"
Releasing bugs on a platform they didn't write, don't have the source code to and they did all this by means of a Computer World atricle.
How in the world did they put bugs in two Windows versions using a magazine? That's really a trick.
Oh wait...
Remember folks, socialism is for the people, not the socialists!
Not everyone wants to follow you're ridiculous upgrade cycle. Example: I like Google Chrome, I won't use it because its a pain in the ass to stop it from auto-updating, and if you stop it once, a month later it randomly starts upgrading itself again.
Why does Google think what its doing is any better than the people who sell exploits on the black market? They aren't asking for cash directly for them, but they are trying to hurt the competition.
Issue #128 might not even be a bug depending on your perspective, as noted in the report! The one that is 'the more serious of the two', WTF? And its not like MS hasn't patched it ... they've created a patch, that caused some compatibility issues so they delayed the patch so the compat issues can be resolved ... So Google publishes the exploit code just to be dicks about it.
The less serious ... lets a user view another users power control settings ... Seriously?
This is just Google mud slinging. Its starting to look more like Google is a politician running for elected office than being a good citizen.
Google: You're starting to look like an even bigger douche than Microsoft.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Uh, isn't that what Google's proof-of-concept does - demonstrate the flaw being successfully exploited? Does Microsoft need to see N. Korea exploiting it before they believe it's real?
I'm reminded of Neal Stephenson's description of Shanghai banks on the eve of World War 2:
Continue reading ...
-kgj
>> Microsoft says there's no evidence these flaws have been successfully exploited.
if this is supposed to be a new economy, how come they still want my old fashioned money?
"he did it! he did it!" yeah, they're taught that song at birth.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I mean the whole point of doing these types of investigations is to slap the competition in the face.
It little behooves the best of us to comment on the rest of us.
You don't point out others mistakes when you don't take care of your own problems.
"Microsoft says there's no evidence these flaws have been successfully exploited."
a.k.a. WONTFIX. I wonder if Lennart has been advising them.
http://dailycaller.com/2015/01/15/scientists-over-hyped-global-warmings-harm-to-oceans/?advD=1248%2C41002&bt_alias=eyJ1c2VySWQiOiJlZDlmZWY0MS03OTRiLTRiNTUtODYxZi02ZDUxMjE4MzBiZTEifQ%3D%3D#mnetint
Here's some really good stuff for your Friday. Praise be to the Obama! Vote socialist, those evil people-who-have-jobs-and-work-for-a-living should not be able to keep their money, I mean if we vote to steal it from them the government might give some of it to me! Wheee, money money money, I love having other peoples money!!! Vote for Democrats!
"a team of researchers has found that global warming’s impacts on the oceans have been greatly exaggerated by scientists and the media.
As it turns out, reports about things like coral reefs dying off, invasive species destroying ecosystems and species becoming endangered are mostly media hype and have little to do with actual science. It’s a form of groupthink, say researchers, that can damage scientific inquiry."
Read the whole thing for the detials. You'll thank me later!
Oh and there's this, more on the subject of liberals (by this I don't mean classic liberals, but asshole liberals) and their lies disguised as math REVEALED TO BE FALSE:
http://donsurber.blogspot.com/2015/01/top-5-liberal-lies-disguised-as-math.html
"1. 97% of scientists believe in global warming -- which we define as man causing hell on Earth.
From the Wall Street Journal:
The so-called consensus comes from a handful of surveys and abstract-counting exercises that have been contradicted by more reliable research.
One frequently cited source for the consensus is a 2004 opinion essay published in Science magazine by Naomi Oreskes, a science historian now at Harvard. She claimed to have examined abstracts of 928 articles published in scientific journals between 1993 and 2003, and found that 75% supported the view that human activities are responsible for most of the observed warming over the previous 50 years while none directly dissented.
Ms. Oreskes's definition of consensus covered "man-made" but left out "dangerous"—and scores of articles by prominent scientists such as Richard Lindzen, John Christy, Sherwood Idso and Patrick Michaels, who question the consensus, were excluded. The methodology is also flawed. A study published earlier this year in Nature noted that abstracts of academic papers often contain claims that aren't substantiated in the papers.
So 75% is 97% -- if you ignore other reports altogether.
2. 1 in 5 college women is raped.
From the Baltimore Sun:
Let's look at some facts.
According to the FBI "[t]he rate of forcible rapes in 2012 was estimated at 52.9 per 100,000 female inhabitants."
Assuming that all American women are uniformly at risk, this means the average American woman has a 0.0529 percent chance of being raped each year, or a 99.9471 percent chance of not being raped each year. That means the probability the average American woman is never raped over a 50-year period is 97.4 percent (0.999471 raised to the power 50). Over 4 years of college, it is 99.8 percent.
Thus the probability that an American woman is raped in her lifetime is 2.6 percent and in college 0.2 percent — 5 to 100 times less than the estimates broadcast by the media and public officials.
The actual statistic is 1 in 500. A new stat that liberals made up is that 1 in 3 college men want to rape a college woman. Katherine Timpf quickly shot this down: "this stat is based on a survey of just 73 guys at the University of North Dakota."
3. Average age in Vietnam was 19.
From Statistics about Vietnam:
Average age of 58,148 killed in Vietnam was 23.11 years.
I went back 40 years to remind people how prevalent liberal lie
The need to reassure their customers that the bad guys did not already know about this particular exploit.
"Oh that's an old version, we aren't going to patch the bug." Really? That's an acceptable response that something that's 3 years old is too old to patch? But somehow, taking 100 days to patch a product that's 5 years old (in 7's case) is too long? Much easier to deal with patch issues if you just declare you only support the latest greatest and require everyone to upgrade all the time, no matter the issues.
MS's response is particularly understandable given the complexity of doing regression testing on the wide variety of hardware, software, and patch sets the patch might need to be applied against. If they released it and it caused issues, well then people would cry even more about how shitty they were for not testing it.
I think you are right about the mud slinging/political office: What with Chrome books Google now wishes to directly attack MS. They want to make Windows look bad, and thus make their own product look good by comparison. This isn't motivated by being a good citizen, it is motivated by something else.
For that matter one can get all conspiracy theorist and say maybe they chose their reporting date knowing MS's patch cycle to try and create just such a situation.
90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that more more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."
It's definitely a fine balancing act, and regardless your opinion on the Google vs Microsoft disclosure debate, I am glad that we are having a public debate about it.
Vulnerabilities cannot really be effectively categorized (look at the attempts from MITRE, for example). Some are due to simple programming errors and can be fixed and rolled out immediately. Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior. A one-size-fits-all disclosure plan is not necessarily in the public benefit, and I'm glad discussion is being had on what a reasonable timeline looks like, as well as what are extenuating circumstances for changing that timeline.
"The licensing quest is largely a byproduct of Microsoft's unique position -- or perhaps more bluntly put, failure in the market" ref.
I think that Microsoft has better intentions in this than Google does. Microsoft acknowledged the bugs and requested that Google delay the public release slightly so that they could patch. Google to me seems to be simply slamming Microsoft. All the while Google has extremely vulnerable versions of it's old stock browser on older but not out of support Android phones that it openly states that it will not patch.
Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.
For example, how about this: http://www.extremetech.com/mob...
That's a inappropriate comparison.
To patch that vulnerability would require the ability to update Android on existing handsets.
For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.
For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.
For this to work, there would have to be ongoing development on an older hardware platform.
For this to work, there would have to be carrier involvement in certification.
For this to work, the carrier revenue model of locking you into a two year contract every 18 months would have to change.
--
It's in absolutely no ones financial interest to provide updates to Android in already shipped handsets, and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.
U.S. Carriers are *NOT* going to change their revenue model just so people can buy ala carte devices that will work with any carrier, and cost more up front for you to go with their service, rather than rolling it into the monthly payment when you go with a competitors service. Everyone would have to change at once (collusion, a violation of both the Sherman Antitrust Act and the RICO Statutes, and definitely something that would be prosecuted), or the carrier that tried to move to the European model would find itself out of business.
Likewise, the handset vendors, whose revenue model is completely built on thin margins, but selling a new handset every 18 months, instead of you buying one and keeping it for 10 years, would have to charge higher margin on their device sales in order to keep their revenue numbers up, and to pay for the R&D ongoing on the already-sold platform. And then they'd need to change their FAS accounting to match that of Apple's, or face charges under Sarbanes-Oxley, which is what Apple had to do before it could give away the WiFi updates to 802.11g/n for iPods. You'll (maybe) remember that they got a percentage of the monthly wireless fee from the carrier for iPhones, but realized their income at time of sale on iPod Touch and non-3G iPads, and so they had to charge $5 for the update.
And seriously, would you be willing to pay $5 for a bug fix for a bug you were pretty sure wasn't impacting you anyway, and was just some security "researcher" throwing a hissy fit to get their company name in the news so they got audit contracts out of it?
Go to connect.microsoft.com and file a bug report.
> Microsoft says there's no evidence these flaws have been successfully exploited.
Cleverly worded sentence intended to leave the reader with the impression:
"We don't know that there has been a breach, therefore there hasn't been a breach"
when it really means...
"We don't know squat about whether there has been a breach. Maybe all hell has broken lose, and there's no evidence to contradict that either."
Uh, isn't that what Google's proof-of-concept does - demonstrate the flaw being successfully exploited? Does Microsoft need to see N. Korea exploiting it before they believe it's real?
If you personally create a remote account for a North Korean spy and he uses this exploit to see you power control settings. You really were asking for it, not sure what but something.
I’m reminded of the old “blackmail” skit from Monty Python. Just with less of Terry Jones’ ass hanging out at the piano. I like it!
A countdown clock is great but at least a few weeks before it expires a human needs to review it and send a "red flag alert" to the vendor that will fix it and ask if they are working on it and if so ask when they expect to have it fixed.
If the answer is "yes" the estimated fix-it date is in the near future, keep quiet but pester them if the date passes without a fix.
If the answer is "yes, we've been working on this but it is hard" or "no, but we'll get started right away" then keep pestering them and don't release it as long as they are making good progress (you may have to take their word on whether they are making good progress though, sigh).
If the answer is silence or a plain "no" or some other indication that there is no fix coming soon, then release it on the original date.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I know Google isn't all roses and sunshine, but Microsoft is less of a tech company and more of a marketing and public relations firm.
I guess years of Ballmer, entrenched monopoly and security by obfuscation does this to you.
For those who remember: Microsoft spent plenty of resources just to bash Google in negative attack ads. Examples include Googlighting Stranger, Gmail Man, Scroogled. If only Microsoft would use all that time/money/energy to improve its products or fix bugs, eh?
I just can't wait for Google smart home to be in every house so Google can publish when I forget to lock my door at night.
If only Google would put this much effort into their own products, like they used to, then maybe we wouldn't be relying on Microsoft at all anymore for their OS.
When Google finds security bugs in Android do they publish it along with proof of concept after 90 days?
You have Google confused with Facebook.
"Microsoft says there's no evidence these flaws haven't been successfully exploited."
Regardless of their meaning that's a ridiculous things to say, obtaining evidence to show the flaws haven't been exploited is infeasible. It's like saying there is no evidence proving that god does not exist.
Since Google is behaving in an irresponsible manner they are walking a fine line between legal and illegal activity.
Perhaps it is about time that Google be sued, or possibly indicted on criminal charges for their behavior. Aiding and abetting is still a crime last I knew.
Microsoft says there's no evidence these flaws have been successfully exploited.
Maybe that's because to successfully exploit these flaws would mean you must leave no evidence that anything has been exploited.
Funny semantics begs for some kudos here.
Now if Google would just spend some time fixing bugs in Android, like the VPN bug in 4.4 and 4.3 that prevent most people from using VPNs on their phone.
Releasing Windows bugs is Microsoft's job.
Im all for bring this up. We need much more of it. Its long time overdue bugs where kept secret for the few.
Don't be evil, bros!
Good to see Google living up to their motto by drumming up the same typical bullshit FUD about Microsoft to scare people away from Windows and onto Chromebooks and Android devices.
Because I'm REALLY sure Google gives a tin shit about my grandma's security. Right. That's the only reason they're drumming so hard on Windows. This isn't pre-emptive strikes on Microsoft because suddenly Microsoft is playing seriously in the datacenter, cloud, and mobile space where Google wants to make money...
Both vulnerabilities are weak. One it's a simple info disclosure without any potential dangerous information being disclosed and the other one doesn't really get you much unless you use it with at least another exploit. So big deal, it was priority 50 on their list. There's no evidence Microsoft acted irresponsibly. For all you guys know Microsoft patched other 50 serious security flaws and they've dragged their feet on 2 measly ones.