Google Releases More Windows Bugs

An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.

No evidence

Microsoft: "There's no evidence these flaws have been successfully exploited."
Google: "Then why are you wearing that fake mustache and goatee?"

Re:No evidence

[RelaxedTension]

"Microsoft says there's no evidence these flaws haven't been successfully exploited."

FTFY.

Re:No evidence

[v1]

Microsoft says there's no evidence these flaws have been successfully exploited.

"...so we're going to wait until the bot herders have sucked in a few million more machines before bothering to patch it."

WHAT is WRONG with you, ms?? If I'm reading that right, google is doing precisely what is necessary to light a fire under MS's ass to get the bugs fixed. It isn't really even that. They're basically telling us they don't consider it to be a big deal until it starts getting exploited. By making that comment, they completely justify (and encourage) Google's actions.

Re:No evidence

[niftymitch]

"Microsoft says there's no evidence these flaws haven't been successfully exploited."
FTFY.

Anyone that runs a web server or other interactive device on the internet and also looks at their logs knows that
the list of exploited flaws in all types of systems is best enumerated by counting on both fingers and toes in binary.
The data that flows past a company like Google is astounding.
Mostly we hear about some engineer discovering a bug by inspecting
code. What we do not often hear is the cases where honeypots watched
by "G" or "deep web exploration" discovers who, what, how and where...
We also do not see disclosures where a TLA agency sends a confidential
email to an engineer at a security company that then files the bug.

N.B. the banner that Google pops up and announces that this site is a risky
place to go and that it has been found to serve up malware and other
bad code.

This is a big problem and perhaps the #1 external issue of any web based
company. Especially one that is constantly under attack from all the corners of the
globe.

I happen to have grown fondish of some of the windows only application tools.
That list of applications grows despite my personal preference of a _nix OS.
I always ask the vendor for non-Windows tools....

Given the quality of engineers I personally know that work at MS I can only
assume that there is an astounding failure by management to improve the
product and its foundations.

Evil corporation cage match!

Yay! (gets popcorn!)

And yes - Google is just as much an evil corporation as Microsoft. Hell, given Google's business model is selling YOUR privacy, they're probably MORE evil.

Re:Evil corporation cage match!

[jellomizer]

Like Bing doesn't sell data it collected either.

Re:Evil corporation cage match!

[turbidostato]

"And that fact negates the OPs comment how?"

By stating that since Microsoft business practices equal those of Google and then more, it can't be followed that Google is any more evil than Microsoft.

Signed: Captain "So I thought" Obvious

Re:Evil corporation cage match!

[nedlohs]

Because the claim was "they're probably MORE evil" which is a relative claim and hence "they do it too" is in fact a valid argument.

Re:Evil corporation cage match!

[jdawgnoonan]

But to my knowledge that is the only way Google makes any money at all, and, since Google has a higher market cap than Microsoft who also sells a lot of for profit software, I can only assume that Google sells a lot more information. Every tool Google provides for consumers is a data mining tool that is funded solely by data mining. Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.

Re:Evil corporation cage match!

[El_Muerte_TDS]

Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.

For now. For example, Microsoft no longer sells a non-service version of MS Office.

Re:Evil corporation cage match!

[Ravaldy]

I think long term Google will be worst than MS since it owns access to information and online marketing. At least with MS, you had alternatives. With Google, if you don't use Google to advertise online, your target audience won't find you.

Re:Evil corporation cage match!

[jdawgnoonan]

Office 365 is not a data mining tool. It is a pay for subscription to the latest version of Office and allows you to install on multiple machines. And you can still buy Office as a single license that is not a part of the subscription model. Also, any version of Office, 356 or otherwise, allows you to save everything on your own machine or out on One Drive.

Re:Evil corporation cage match!

[bgarcia]

I can only assume that Google sells a lot more information.

Google collects information. Google uses that information to determine what ads to show users. But unlike other companies, Google does NOT sell that information.

Re:Evil corporation cage match!

[mythosaz]

WUT?

You can buy 2013 in non-subscription, non-365 versions.

Re:Evil corporation cage match!

[Cro+Magnon]

Last I heard, they still sell Office 2013, though they're trying to push 365.

Re:Evil corporation cage match!

[chadenright]

+1

Re:Evil corporation cage match!

[david_thornley]

That's one theory, sure.

Re:Evil corporation cage match!

[hattable]

Then don't use google. Dammit people this isn't victim shaming, you are explicitly choosing to use google services, google ad supported web sites, and agreeing to their terms when you do so. Access to information may be a basic human right, but being given access to a private company's indexed version of that is not.

Also they don't sell your information, they sell your viewership. They are the endpoint advertising agency not a separate company collecting and providing data to an advertising company.

Re:Evil corporation cage match!

[Uzuri]

You can't not use Google without not using most of the Internet (assuming for the moment that you don't use something like RequestPolicy to blacklist/whitelist, which is generally too much for most normal folks). It follows you around via Google Analytics, embedded maps and calendars, Google fonts... other people are making the choice to give your browsing information to Google (and Facebook, and Twitter). Same trouble if you ever email anyone with a GMail address or need to collaborate with someone via Google Drive/Docs. You're kinda stuck.

Hope the trend continues.

[140Mandak262Jamuna]

I wish Apple would also pitch in and find and publish bugs in both Windows and Android. And Microsoft to retaliate by finding and reporting bugs in Android and Apple. In the end we as consumers will benefit. This should be come the norm. No longer minor players report possible bugs and the clock does not run till the company "accepts" that there is a bug.

Free markets! Competition!! That is what made America, what it is.

I wish such fierce competition exists in all spheres of the economy.

Re:Hope the trend continues.

Why isn't Microsoft finding these bugs in their own products ?

Re:Hope the trend continues.

THIS is the issue. NOT finding and disclosing.

Both times MS has had a fix ready (last time) or in the pipeline (This time, fix started but not ready due to buggyness).

"90 days, or DIE!!!" Rules should have exceptions, especially if the companies have been responsive AND have good reasonable reasons for a delay - which does include MS.

Disclosure for a bug that's being worked on? While refusing to fix bugs in your own software?

Bad Google BAD! *Smacks the nose*

Re:Hope the trend continues.

[iggymanz]

sitting on a macpro here at work, I'd say let's just have Apple fix yosemite bugs and problems. Not worrying about a dust speck in someone else's eye while they have two by four in their own

Re:Hope the trend continues.

[turbidostato]

"Except without the public posting of them."

Except the menace of the public posting seems to be the only way for the vendor to move forward.

Is my bet that if Microsoft were doing their best effort to patch the bug and keep informed Google about it and the expected resolution time, they wouldn't have released the information.

Re: Hope the trend continues.

[wrf3]

Those who might exploit the bug won't wait for the vendor to get its act together.

Re:Hope the trend continues.

[CaptainDork]

It's much cheaper to have someone else do it?

Re:Hope the trend continues.

[Twanfox]

Someone who didn't read the article. One of the comments in the 'more serious of the two bugs' indicated that Microsoft INFORMED them that the patch was lined up for January, but was pulled and rescheduled for February. You lost your bet, by Google's own bookkeeping. Try for another?

Re:Hope the trend continues.

[rsmith-mac]

Bad Google BAD! *Smacks the nose*

In all seriousness, when the hell did we vote an advertising company as the security czar for the Internet?

Not only is releasing right now stupid - patch Tuesday isn't for another month, so they've just done maximum damage - but we've seen what happens when outside forces try to rush MS security patches. Things get broken in hilarious-but-awful ways.

When you're dealing with a codebase as large as Windows and have to maintain compatibility across an impossibly large array of hardware configurations, 90 days (really more like 60, depending on when PT falls) is not going to be enough time to patch and fully test every flaw.

Re:Hope the trend continues.

[freeze128]

Google's system for making exploits public is *AUTOMATED*. This is like a passenger in an elevator trying to convince the elevator to go back down while it's already in the middle of its trip to the top floor. You can throw a tantrum, but it's just not going to make any difference.

Microsoft was informed of the issue, and developed a patch, but it was due to Microsoft's own internal policies that the patch could not be included in the monthly update. There was probably some internal cut-off date or some other bureaucratic bullshit that prevented it. Google doesn't care about Microsoft's internal BS. Why should it?

Microsoft could have released the patch as an out-of-band update. Google wasn't insisting that it be released on the monthly schedule.

Re:Hope the trend continues.

[sumdumass]

What if the check was in the mail and the dog did eat your homework because you got pizza grease all over it and he loves pizza too?

Or would you prefer reading about how a security patch made your think you were fixed but wasn't or even how it bricked your system because instead of a few more weeks to get it right, they have to rush it out?

Re:Hope the trend continues.

[slashdot_commentator]

Boo hoo. So the alternative is allow Microsoft's entire customer to be hacked at will, because Microsoft doesn't want to dedicate resources necessary to resolve a coding issue within 90 days? Security by obscurity.

Re:Hope the trend continues.

[Ravaldy]

Apple won't fix shit. Their team doesn't have the experience to deal with the complexity MS has to deal with. Jeez, they couldn't, even make iOS 6 run smoothly on the 3GS phone which turned most of those phones into slow ass pieces of shit. Don't get me started on the last big iOS release or the map issues they encountered!

MAC deals with a very limited scope of hardware and a limited number of permutations which in turn reduces the complexity of any patch. MS on the other hand has to deal with billions of permutation in addition to the cross platform compatibility and the large range of products affected by any library change they make. Linux has the same issue but Linux doesn't have the customer base or the same responsibility towards it's customers.

So you sitting in front of a MAC and making it sound like our lives are hell compared to your just tells us how ignorant you really are about the world of PCs.

Re: Hope the trend continues.

[slashdot_commentator]

The sample exploit code is necessary because the corporate response after "I need more than 90 days" is "oh, its not a serious security bug".

Re:Hope the trend continues.

[MightyYar]

As the article you linked suggests, what good would a fix do? The whole reason that someone might still be running 4.3 or below is that the phone manufacturers do not push updates. Google could fix 4.3 and below, but the manufacturers are no more likely to push that update than they are to just push a higher (and thus supported) version. The vast majority of people installing their own firmware aren't going to cry over 4.3, either. Why install a custom ROM with an obsolete Android?

Re: Hope the trend continues.

[sumdumass]

I'm curious if the exploits can be used to correct the encryption installed by ransomware criminals.

Re:Hope the trend continues.

[dkman]

I'd rather that the 90 day clock have a snooze for 30 days option, so it's not disclosed to everyone. I'd rather that the developer (even MS) have time to fix it right rather than rush a fix that needs a later fix or a fix that breaks something else.

Some times you need to dig through code and figure out what the hell's going on so you can figure out why it's broken and fix it. And it's not like Google is the only one submitting bugs.

Re:Hope the trend continues.

[chis101]

Why install a custom ROM with an obsolete Android?

I still install new custom ROMs with obsolete Android because it runs much smoother on my obsolete hardware. (I'm only addressing your last question here, I don't really have an opinion one way or the other about the rest of the post)

Re:Hope the trend continues.

[afidel]

If Google fixes it in AOSP then you can at least grab a fixed version with Cyanogenmod or other custom builds. At least for tech folks the main thing holding them back from moving up may be device drivers for the newer kernel.

Re:Hope the trend continues.

[chadenright]

This is a very responsible (from google's point of view) attack on a rival company by google. If Microsoft loses Windows customers, Google gains Android customers. There is no losing scenario for google by doing this -- they make microsoft look bad, encourage hackers to target microsoft products, and drive customers away from microsoft and towards google. To be fair, they did in fact give MS a 90-window (ahem) to fix this bug, rather than making it public as soon as they found it, which they also could have done and which would have had a comparable benefit for Google.

Re:Hope the trend continues.

[EndlessNameless]

If the company had a history of never patching vulnerabilities or even being spotty and refusing to support new products, then it makes sense to out them immediately.

But Microsoft has been issuing monthly patches for supported versions of Windows for years.

Yes, they'll delay or rescind a patch once in a while when it breaks things. Any company can be in that position though, and that's OK too provided they reissue a good patch when it's ready.

Instead of publishing exploit details and POC code automatically after 90 days, they should publish mitigation measures immediately (to actually help admins secure their assets) and sit on the more technical details for longer than 90 days if they reasonably expect the vendor to issue a patch. Maybe set a hard cap of 180 days to avoid being strung along indefinitely. While 90 days is a good starting point, no two bugs are the same.

An automatic one-size-fits-all approach is draconian and stupid. Some bugs require multiple rounds of testing because things get broken unexpectedly by the first "fix". Large software projects often end up with hidden dependencies that complicate bugfixing; it's a fact of life, and ignoring reality in favor of ideologically-driven rules usually ends poorly.

Re:Hope the trend continues.

[ChunderDownunder]

Call it an act of faith.

If patching old code does motivate even one vendor/carrier to get off their arse and release a security update then success...

Re:Hope the trend continues.

[david_thornley]

It's an automated system? Who automated it? The passenger you refer to didn't design the elevator. It was Google's decision to create this process.

Microsoft developed a patch, but didn't do it quite right and missed last Patch Tuesday. People in software make mistakes all the time.

Microsoft established Patch Tuesday for reasons, primarily to allow admins to plan testing of security updates and the like. You're saying Microsoft has to abandon that because Google can't automate a process decently.

Re: Hope the trend continues.

[david_thornley]

This is necessary if the vendor blows off the bug report. It is not necessary if the vendor is actively working on the problem and has a scheduled fix release date.

Re:Hope the trend continues.

[slashdot_commentator]

Posting notices of critical security flaws after giving 90 days for a company to fix it are security researchers' way to tell CORPORATIONS how IMPORTANT it is to design and release secure products.

If you don't do it, marketing will say that security flaw X can't be fixed because too many customers depend on the "insecure" feature. And the COO will say, "why can't you reveal it one year later, so we don't have to hire 12 people to get a fix within 90 days? We can hire 3 people instead." Eventually, some jackass will say "Shoot the messenger! Its their fault bad guys can exploit our insecure product!" Meanwhile, customers and the internet community will be at the mercy of criminals, and critical infrastructure will be vulnerable to hostile, rogue governments.

No company has a RIGHT to jeopardize computer security to ensure a profit, with underqualified developers and marketing deadlines. If you don't let the market determine security's value, then it will be up to civil lawsuits.

Re: Hope the trend continues.

[slashdot_commentator]

And how do you prove they're working on the problem in a manner which will result in a quick resolution? Instead of hiring minimum wage flunkys to take calls and say "We're working hard on the problem. Its just a matter of weeks..".

Re: Hope the trend continues.

[slashdot_commentator]

That's what Microsoft's response to one of the security bugs. And then they started bitching after Google produced an exploit based on that "trivial" bug.

Re:Hope the trend continues.

[sjames]

You should probably know that you cannot hire 12 or 3 people AND get them up to speed enough to fix the bug in 90 days. It'll take 30 to 60 just to hire them.

There does need to be some kind of deadline or too many corporations will just pay a bit of lip service and forget all about it, but not everything fits neatly into a 90 day window that starts with no warning.

Google is developing quite a rep for being impossible to reason with (literally, there exists no contact available to mere mortals for anyone who even has the ability to do anything about anything.

Re:Hope the trend continues.

[OneSmartFellow]

If the code is well written - I know, Windows ? - then tracking down and fixing a bug should take minutes, not months.

Re:Hope the trend continues.

[Psyborgue]

No kidding. I've been considering returning to 10.9 considering the stability of Yosemite at 10.1 is what i'd expect from a preview image.

Re:Hope the trend continues.

[stoatwblr]

> "90 days, or DIE!!!" Rules should have exceptions

Having been in this business for more than 30 years, I disagree.

Having a fixed deadline to get their shit together not only focusses a company's attention on fixing the bugs, it also focusses their attention in not releasing bug-ridden code in the first place.

Re:Hope the trend continues.

[stoatwblr]

> across an impossibly large array of hardware configurations

Almost all the bugs so far reported are architecture-agnostic.

The issue is (as always) that MS philosophy has always been "Ship it now, fix bugs later"

Re:Hope the trend continues.

[stoatwblr]

> Eventually, some jackass will say "Shoot the messenger! Its their fault bad guys can exploit our insecure product!"

Yup and this is a common tactic. More flamewars have erupted over publishing bugs than the actual bugs themselves.

MS has historically been one of the worst offenders when bug-reporters have cooperated with them and not publically disclosed. The record between "reported" and "fixed" is more than two years.

Re:Hope the trend continues.

[stoatwblr]

"If the company had a history of never patching vulnerabilities or even being spotty and refusing to support new products, then it makes sense to out them immediately."

Most bugs are trivially avoidable. MS has a sordid history of producing utterly buggy code with security tacked on as an afterthought.

Just because a security researcher has reported a bug doesn't mean the bad guys aren't already using them.
0-day means it was discovered because a badguy triggered an alert.
I've run into a number of reports/fixes (particularly on webservers) where looking at historic logs showed that attempts to use the exploit were made long before the researcher found/reported the bug.

Bad guys have a higher level of motivation to find and exploit bugs than whitehats - and an even higher level of motivation to try and not be deteceted doing so.

Re: Hope the trend continues.

[sumdumass]

Gee, that was fraught with insight. I bet your mom is so proud of you.

Re: Hope the trend continues.

[sjames]

You should familiarize yourself with Brook's Law:

adding manpower to a late software project makes it later

Re:Hope the trend continues.

[SwashbucklingCowboy]

"Google doesn't care about Microsoft's internal BS. Why should it?"

Because releasing that data two days before Microsoft releases a fix makes the world less secure, not more secure. The point of doing that security research is to make the world more secure, then Google does stupid shit and does the opposite.

Re:Hope the trend continues.

[SwashbucklingCowboy]

90 days is not a lot of time.

Re: Hope the trend continues.

[david_thornley]

You start by giving them the benefit of the doubt. Then you observe the vendor's behavior, ask them questions about the bug, and find out how much benefit of the doubt they should get.

90 days may be a little short

[Lawrence_Bird]

but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not site on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.

Re:90 days may be a little short

If it can install itself when someone doesn't have admin rights, it's malware.

You must hate *nix.

Re:90 days may be a little short

[quantaman]

but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not site on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.

From the article:

In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

The next Patch Tuesday is scheduled for Feb. 10.

So 90 days is an appropriate time to wait but not 106 days?

It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly. I don't see the rationale for Google maintaining the hard 90 day deadline, maybe extensions allow some complacency on the part of the developer, but you're still not going to see them sitting on issues for months or even years on end. Meanwhile by publishing now Google has created one of two scenarios. 1) Users are going to be left vulnerable to unpatched zero-day expoilts, or 2) users are going to break their systems by installing broken patches.

It's not clear to me how this is better than sitting on the issue for anther 26 days.

Re:90 days may be a little short

This is a situation where the "slippery slope" argument really does apply. If Google is just going to sit on bugs until the vendor patches... they're going to end up with bedsores. And no one likes bedsores.

Instead, they embarass the vendors a couple times, and once heads are pulled out of asses and people realize they're not screwing around, they start taking these things seriously.

That's my guess, anyway.

Re:90 days may be a little short

[CaptainDork]

No.

In effect, and in actuality, Google is being competitive.

Re:90 days may be a little short

[tlambert]

From the article:

In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

The next Patch Tuesday is scheduled for Feb. 10.

So 90 days is an appropriate time to wait but not 106 days?

It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly.

Technically, it should have been in the November patch set, they should have found the compatibility problem in testing (as they did), and the revised patch should have been in the December patch set. Then the clock would have run out.

So basically the *did* sit on their hands -- for two months.

Re:90 days may be a little short

[plcurechax]

but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not site on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.

From the article:

In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

The next Patch Tuesday is scheduled for Feb. 10.

So 90 days is an appropriate time to wait but not 106 days?

Here is what Google use to say (circa 2010) from most of the same people who make up the Project Zero team (Chris Evans, Michel Zalewski, and others) AFAIK.

Rebooting Responsible Disclosure: a focus on protecting end users:

Update September 10, 2010: We'd like to clarify a few of the points above about how we approach the issue of vulnerability disclosure. While we believe vendors have an obligation to be responsive, the 60 day period before public notification about critical bugs is not intended to be a punishment for unresponsive vendors. We understand that not all bugs can be fixed in 60 days, although many can and should be. Rather, we thought of 60 days when considering how large the window of exposure for a critical vulnerability should be permitted to grow before users are best served by hearing enough details to make a decision about implementing possible mitigations, such as disabling a service, restricting access, setting a killbit, or contacting the vendor for more information. In most cases, we don't feel it's in people's best interest to be kept in the dark about critical vulnerabilities affecting their software for any longer period.

Somewhere along the way they appear to have lost their senses, and enshrine 90-days as some written-in-stone deadline that makes no sense, and is counter to their stated objectives.

Announcing Project Zero

... Our objective is to significantly reduce the number of people harmed by targeted attacks. ...We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces.

Re:90 days may be a little short

[c]

So 90 days is an appropriate time to wait but not 106 days?

I wouldn't be surprised if there was a "give an inch, take a mile" kind of situation, where they tried allowing some flexibility and got into a cycle where the vendor kept requesting more time each time around.

Re:90 days may be a little short

[Qzukk]

One with user-writable locations not mounted noexec?

Re:90 days may be a little short

[praxis]

Can it, though? I would imagine it writes to the user's home directory, which does not require root. Nor does running executable files owned by that user.

Re:90 days may be a little short

Shellshock took at least 3 different patches. The first patch didn't really work, the second patch was a workaround but still left the vulnerability in - it was just harder to exploit. And the third patch actually went and fixed the issue.

All of which took, what, about 48 hours?

Re:90 days may be a little short

[stephanruby]

It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly.

And you actually believe that?

Many times, patches are just punted to QA even thought the developer knows full well that they're not going to pass QA. After all, I should know, I'm a software developer myself. Also, I can tell you that finishing the last 10% of a project is always the hardest part. May be it's because we naturally like to work on the easiest parts of a problem first, or may be it's because we don't actually start understanding the real requirements until we're almost finished with the project (therefore possibly requiring us to start all over from scratch), but whatever the reason is, I can tell you that a feature sitting in QA doesn't necessarily mean that it's almost finished, or anywhere close to finished.

Re:90 days may be a little short

[hattable]

This allows a company to devote minimal resources to these bugs as long as they tell the would-be-disclosing-org that "something" is "in the works." Nevermind that every bug ever submitted is in Phil's queue and he has a backlog of 2 years. It is still in the works! What more can google want from us?!

Re:90 days may be a little short

[david_thornley]

If the vendor isn't responding, sure, publish after 90 days. If the vendor makes a habit of asking for one-month extensions indefinitely, publish. If the vendor has specific plans and schedules, and has a history of doing more or less the right thing, which describes Microsoft here, sit on the disclosure for a little more time.

Re:90 days may be a little short

[MikeBabcock]

The only reason its 106 days is because Microsoft doesn't send out patches when available but makes them 'convenient' on patch Tuesdays. If they felt like it, they could release that patch today.

Re:90 days may be a little short

[Actually,+I+do+RTFA]

Google will never be in that position because they explicitly stop supporting all phones like 3 seconds after they sell. No more security updates, none.

They also can ignore any secuiryt holes because they're unsupported. (See recent stories).

It's just the flip side of the "perpetual beta" mentality. Whatever else you want to say about MS, they have the balls to offer predictability and compatibility in a way that Google and Apple don't.

Re:90 days may be a little short

[Actually,+I+do+RTFA]

If only there was some way of using past performance by specific companies to establish whether exceptions are reasonable or not, given their past behavior of (a) asking for them, (b)delivering after receiveing the 1 month extentions.

That would take some company that could accumulate and parse data unfortunately.

Re:90 days may be a little short

[Actually,+I+do+RTFA]

It's easy to argue against the stupidist implementation of a rule. Add in some human judgement, and they system is remarkably easy to solve. "Releasing in 106 days because at 88 days we found the cure was worse than the problem" is so qualitatively different from "it's in our lone developer's backlog" that it's a laughable claim that they are confusable.

See also, zero-tolerance policies in schools?

Re:90 days may be a little short

[Lawrence_Bird]

You are a freakin idiot. Go tell your boss that you are releasing your "patch" into his production system and then plan to submit more "revised" patches when new problems/incompatabilities are found. Please do not ever work for a bank or aerospace company.

Re:90 days may be a little short

[sonicmerlin]

Well Google releases "fixes" that break their own Android OS all the time. I guess they think that's standard procedure.

MS should sue them

This is degenerate behavior.

Re:MS should sue them

[CaptainDork]

I love the Ellen Degenerate show and stuff.

Re:MS should sue them

[X.25]

This is degenerate behavior.

Years (decades, now) ago, it was normal to publish vulnerabilities and exploits and discuss them and (try to) force vendors to act.

What is happening now is degenerate.

Isn't this the point of what Google is doing?

Microsoft says there's no evidence these flaws have been successfully exploited.

I mean the whole point of doing these types of investigations is to try and prevent exploits from getting out into the wild.

Re:Isn't this the point of what Google is doing?

[TemporalBeing]

Microsoft says there's no evidence these flaws have been successfully exploited.

I mean the whole point of doing these types of investigations is to try and prevent exploits from getting out into the wild.

Exactly; which is contrary to Microsoft's position that they don't fix something unless there is an exploit in the wild...

90 days is really long

[dwheeler]

90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that more more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

Re:90 days is really long

[Eristone]

90 days is really long when you don't have a massive base to run testing and regression against. Let's just say that the fix is adding a bounds check to the input for a single function. The engineer assigned to the bug adds the bounds check and unit tests to make sure it behaves now. The fix is submitted to the build queue for the (let's say nightly) run to generate the next patch set, and the next production build for Windows. Now QA gets it, and being that this particular item failed for an input, they write a bunch of tests that kick in various input items - numbers, letters, binary data, larger than expected, smaller than expected, etc. This is then run in the "Test this subsystem" run and if it passes, yay, else back to step one. Then they run that test as part of their automated "Test Windows" run (which probably takes hours to do). If everything passes, great. If not, back to step one. Then after it passes QA for "Test Windows", it needs to go through QA for "Test Windows with {list of major software that if we break something it is bad}". If that all passes, then it can go to the patch queue for the next scheduled release. I'd be surprised if an automated "Test Windows" run can be completed in less than a day or two. Probably 3-5 days for the "Test Windows with Other Software Running". So the minimum time to get a tested patch is about a week assuming the problem is super simple. Once it starts involving multiple subsystems, you can start running into weeks to get a good tested patch, assuming that it doesn't take a few weeks for engineering to get a fix ready for testing in the first place.

Re:90 days is really long

[whoever57]

Then they run that test as part of their automated "Test Windows" run (which probably takes hours to do)

I am going to nitpick on your analysis, but I have zero sympathy for Microsoft having (hypothetically) a test system that takes hours to provide a result. This is a company with billions of dollars available to it. Invest in more test hardware if the test systems take too long to run.

Re:90 days is really long

[sjames]

9 Women cannot make a baby in a month.

Re:90 days is really long

[SwashbucklingCowboy]

"90 days is really long."

Cow manure.

It's short when fixing vulns in an OS and delivering a real product.

Re:90 days is really long

[sjames]

A turn of phrase can have more than one application. Some tasks are inherently serial.

Wow, that Google is teh awesome

"Google Releases More Windows Bugs"

Releasing bugs on a platform they didn't write, don't have the source code to and they did all this by means of a Computer World atricle.

How in the world did they put bugs in two Windows versions using a magazine? That's really a trick.

Oh wait...

Remember folks, socialism is for the people, not the socialists!

Shame on you Google

[BitZtream]

Not everyone wants to follow you're ridiculous upgrade cycle. Example: I like Google Chrome, I won't use it because its a pain in the ass to stop it from auto-updating, and if you stop it once, a month later it randomly starts upgrading itself again.

Why does Google think what its doing is any better than the people who sell exploits on the black market? They aren't asking for cash directly for them, but they are trying to hurt the competition.

Issue #128 might not even be a bug depending on your perspective, as noted in the report! The one that is 'the more serious of the two', WTF? And its not like MS hasn't patched it ... they've created a patch, that caused some compatibility issues so they delayed the patch so the compat issues can be resolved ... So Google publishes the exploit code just to be dicks about it.

The less serious ... lets a user view another users power control settings ... Seriously?

This is just Google mud slinging. Its starting to look more like Google is a politician running for elected office than being a good citizen.

Google: You're starting to look like an even bigger douche than Microsoft.

Re:Shame on you Google

Google's assholery aside, you are talking about general upgrades, while the article is about security patches. You make some arguments against a rapid schedule of general product upgrades, but that is entirely orthagonal to rapid release of security updates. I don't think there are any good arguments against rapid releases of security fixes. If you come up with any, I'll be happy to listen, but I doubt I'll agree.

Re:Shame on you Google

[tom229]

I'm not fanboy, but I'd imagine a lot of people feel strongly about supporting the lesser of the two evils in the mobile market.

Re:Shame on you Google

[DigitAl56K]

I am glad Google is sticking to their policies. 3 months is easily enough time to deploy a fix.

As one of Microsoft's end users, I'd much rather be faced with the quantifiable risk of deploying a patch than the unquantifiable risk that every system I own has been compromised, any data on them exfiltrated or encrypted and used to hold me to ransom, and the possibility that my systems have been used to attack others.

For all we know, Microsoft could be playing a PR game by developing patches and then holding them just past Google's 90 day window. Two in a row now? Seems fishy to me.

Re:Shame on you Google

[paziek]

A lot of people use their services, is that enough reason for you to not see those people as fun as you do now? Besides, is it really so bad to defend someone who you think is right? Not saying everyone thinks that Google is, as GP proves, but I don't really see whats wrong with what they do. Chances are those exploits are already being used anyway and MS doesn't care for as long as its not big enough to cause shitstorm.

Re:Shame on you Google

[Gravis+Zero]

Not everyone wants to follow you're ridiculous upgrade cycle.

big fixes are NOT upgrades. bugs are flaws because they were careless and did NOT do proper testing. bug fixes should be pushed out in days, not months. what google is doing is exposing their poor practices.

Re:Shame on you Google

[pop+ebp]

Why does Google think what its doing is any better than the people who sell exploits on the black market?

The black hat guys aren't going to post the exploit on a public bug tracker for everyone to examine, that's why.

Issue #128 might not even be a bug depending on your perspective, as noted in the report!

Then what is the problem with releasing it to the public? They didn't make any statement about its severity as far as I can tell. That evaluation is up to the reader.

they delayed the patch so the compat issues can be resolved ... Google publishes the exploit code just to be dicks about it.

As another poster mentioned in another thread, the researchers acknowledge that some bugs need longer to fix, but they think that after a certain time period, it's better if the public knows about it so can they can take appropriate measures while the patch is being developed. That is the reason bugs are publicized. Whether you agree with that is another question.

This is just Google mud slinging.

It might well be, but if it results in more secure software for everyone, I'm all for it.

Personally I think the strict 90-day rule might be a little to strict. Rather than speculating on Google's ulterior motives, we should discuss whether this move makes software more secure as a whole.

Re:Shame on you Google

[Ravaldy]

What I'm wondering about all this is, why is Google mud slinging? I can't seem to find a good reason for it. Google only has 2 areas of competition with MS (mobile and search engine). Is Google threatened by the 3% market share MS has?

Re:Shame on you Google

[jdawgnoonan]

All that I question about the action on Google's part is that they are a competitor, not an independent security firm.

Re:Shame on you Google

[slashdot_commentator]

Yet another clueless consumer who doesn't understand the nature of the computer security braying their pronouncement of what Google should do.

What's missing in the real world is a litigation avenue where (security) negligence by a (software) company can be address as a class action suit. Now picture companies like Target going bankrupt for their security miscalculation in court, rather than the business hit it took for being publicly embarrassed. Or picture a major bank going under, because of their security design flaw.

Or you can look at Google's actions as tailor made to address security flaws, while minimizing harm to companies and the world's consumers.

Re:Shame on you Google

[tom229]

Sure.

Apple >>>>>>>>>>>>>>>>>>>>>>>>>>>> Google > Microsoft > Blackberry

Re:Shame on you Google

[tlhIngan]

I am glad Google is sticking to their policies. 3 months is easily enough time to deploy a fix.

As one of Microsoft's end users, I'd much rather be faced with the quantifiable risk of deploying a patch than the unquantifiable risk that every system I own has been compromised, any data on them exfiltrated or encrypted and used to hold me to ransom, and the possibility that my systems have been used to attack others.

For all we know, Microsoft could be playing a PR game by developing patches and then holding them just past Google's 90 day window. Two in a row now? Seems fishy to me.

Obviously posted by someone who doesn't work in software development, or has to deal with the fact the software needs to work in millions of configurations and with interdependencies.

Plus, the bugs need to be investigated for the root cause. Patching over the flaw doesn't help things since it leaves the vulnerability open. See shellshock - the bug was plastered over the first time and it didn't work, so another patch was released days later with a workaround, but the fundamental problem was still there.

These aren't little toy utilities you write to scratch your itch, these are major millions of line code bases where bugs can be simple errors in code, to complex design bugs. Like say, shellshock (which is a design bug and now you have a problem of how to fix it because people are relying on the faulty behavior). Sure there are tons of automated test suites and they're probably the reason why they had to recall the patch, twice.

As for malfunctioning patches, you'll sing a different tune when you have to go fix dozens of PCs because the patch bluescreens, or you can't install software anymore. Either way, millions of PCs get bricked from a bad update just to meet some company's arbitrary timeline.

And I don't know, those 3+ recalled patches were pretty serious if you were one of the affected people.

Re:Shame on you Google

[david_thornley]

Guess how I know you don't have applicable experience or knowledge to make that comment.

Re:Shame on you Google

[DigitAl56K]

Obviously posted by someone who doesn't work in software development, or has to deal with the fact the software needs to work in millions of configurations and with interdependencies.

Wrong, and wrong.

Plus, the bugs need to be investigated for the root cause. Patching over the flaw doesn't help things since it leaves the vulnerability open.

Yes, thanks for stating how security fixes are supposed to work, in case we all thought Microsoft was going to slap a bandaid on it and call it good.

See shellshock

No. Why are you referencing a completely different vulnerability not even managed by the company? Because they're both vulnerabilities? Because there's a risk someone didn't fully fix an issue once therefore no-one can in future? Newsflash for you: Microsoft has fixed vulnerabilities with the same root cause multiple times oflver the years.

Like say, shellshock

Do you know of any others?

(which is a design bug and now you have a problem of how to fix it because people are relying on the faulty behavior)

It was not a design bug Do you even know what you're talking about?

As for malfunctioning patches, you'll sing a different tune when you have to go fix dozens of PCs because the patch bluescreens, or you can't install software anymore.

*shrug* I guess I wouldn't roll straight to production...

Either way, millions of PCs get bricked from a bad update just to meet some company's arbitrary timeline.

Their *3 month* timeline.

And I don't know, those 3+ recalled patches were pretty serious if you were one of the affected people.

Google is between a rock and a hard place. Either they disclose and stuff gets fixed, or they don't and *we don't know if it would be fixed when MS said it would or not*.

Re:Shame on you Google

[Gravis+Zero]

Guess how I know you don't have applicable experience or knowledge to make that comment.

you are one our testers? you live in a reality constructed inside your mind? oh i just must know!

Re:Shame on you Google

[david_thornley]

I've been working in this field longer than a whole lot of /. has been alive. I have written lots of bugs in my time, and have worked with lots of very good developers who also wrote lots of bugs. Testing, proper or not, will find some bugs and not others. A good tester (and I did have a QA gig once) will find more bugs, but will inevitably miss some. Bug fixes cannot necessarily be pushed out in days. I've had bugs that I couldn't find for a long time. I knew the code was buggy, because I could reproduce bugs, but it took a long time to find what the bug was. After that, it's necessary to figure out how to fix the bug, bearing in mind that fixing bugs is one of the processes in software development that has a greater chance of introducing new bugs.

So, knowing that what you wrote was nonsense, it was a reasonable deduction that you were some combination of ignorant, inexperienced, dishonest, or stupid, and I'd much rather accuse people of lacking knowledge and experience than intelligence and honesty.

Cryptonomicon: Shanghai Banks

[handy_vandal]

I'm reminded of Neal Stephenson's description of Shanghai banks on the eve of World War 2:

Here you've got the Hong Kong and Shanghai Bank of course, City Bank, Chase Manhattan, the Bank of America, and BBME and the Agricultural Bank of China and any number of crappy little provincial banks, and several of those banks have contracts with what's left of the Chinese Government to print currency. It must be a cutthroat business because they slash costs by printing it on old newspapers, and if you know how to read Chinese, you can see last year's news stories and polo scores peeking through the colored numbers and pictures that transform these pieces of paper into legal tender.

As every chicken-peddler and rickshaw operator in Shanghai knows, the money-printing contracts stipulate that all of the bills these banks print have to be backed by such-and-such an amount of silver; i.e., anyone should be able to walk into one of those banks at the end of Kiukiang Road and slap down a pile of bills and (provided that those bills were printed by that same bank) receive actual metallic silver in exchange.

Now if China weren't right in the middle of getting systematically drawn and quartered by the Empire of Nippon, it would probably send official bean counters around to keep tabs on how much silver was actually present in these banks' vaults, and it would all be quiet and orderly. But as it stands, the only thing keeping these banks honest is the other banks.

Here's how they do it ...

Continue reading ...

YET...

[swschrad]

>> Microsoft says there's no evidence these flaws have been successfully exploited.

ever call support? everybody does it

[swschrad]

"he did it! he did it!" yeah, they're taught that song at birth.

FTFY

[CaptainDork]

I mean the whole point of doing these types of investigations is to slap the competition in the face.

Re:Reminds me on kindergarten...

[kit_triforce]

Your metaphor does not hold. As you put it, Google is inserting itself into other's business, when they should be concentrating on their own issues. In kindergarden, there are teachers and other staff to oversee the children and resolve conflicts. That does not exist here. Google has stepped up and is trying to improve their whole business environment, both in and around their area of stewardship. When researching an issue, bug, or flaw (such as security issues in this case) sometimes you find that the system you are working on does not contain the flaw, but the environment where it is being used. Normally, we accept it as a limitation and attempt to build around the flaw, leaving it for a pitfall to others. Google is calling out such flaws and letting the stewards over those flawed systems know, and giving them 90 days to fix it before they tell everyone else. This isn't whining, it's community responsibility, and I hope more companies follow suit.

And MS learns from the open source community!

"Microsoft says there's no evidence these flaws have been successfully exploited."

a.k.a. WONTFIX. I wonder if Lennart has been advising them.

Re:Reminds me on kindergarten...

[drinkypoo]

Google is inserting itself into other's business, when they should be concentrating on their own issues.

When Microsoft fails at security, it impacts Google's core business...

Re:Is that a typo?

[mrchaotica]

It should read "Google discloses more Windows bugs."

Particularly given their Android response

[Sycraft-fu]

"Oh that's an old version, we aren't going to patch the bug." Really? That's an acceptable response that something that's 3 years old is too old to patch? But somehow, taking 100 days to patch a product that's 5 years old (in 7's case) is too long? Much easier to deal with patch issues if you just declare you only support the latest greatest and require everyone to upgrade all the time, no matter the issues.

MS's response is particularly understandable given the complexity of doing regression testing on the wide variety of hardware, software, and patch sets the patch might need to be applied against. If they released it and it caused issues, well then people would cry even more about how shitty they were for not testing it.

I think you are right about the mud slinging/political office: What with Chrome books Google now wishes to directly attack MS. They want to make Windows look bad, and thus make their own product look good by comparison. This isn't motivated by being a good citizen, it is motivated by something else.

For that matter one can get all conspiracy theorist and say maybe they chose their reporting date knowing MS's patch cycle to try and create just such a situation.

Re:Particularly given their Android response

[Xylantiel]

The other option is that Microsoft could acknowledge reality - they are not fixing things fast enough to resist targeted attacks. MS's statement about it "not being seen in the wild" demonstrates that they don't understand the current state of exploits. Google's hypothetical attacker is one who will go to lengths to keep an exploit from being used specifically so that MS won't fix it. Also a monthly schedule for updates is a huge liability against such an attacker, as they know their window of opportunity. MS is stuck in the old model that an exploit is not important unless it has been seen in the wild. While that is all well and good for preventing worms from spreading (and therefore protecting MS's image) it is not good enough to protect your company's data from a targeted attack that can buy or discover a zero-day vulnerability. That is reality.

Another way to look at it is that people using MS stuff have chosen interoperability over security. Thus the longer patch testing cycle, and the once-a-month updates. Therefore they shouldn't be surprised when it is demonstrated that... they chose interoperability over security.

Re:Particularly given their Android response

[david_thornley]

Which is not a good excuse for providing guides to exploit a vulnerability when the vulnerability is being addressed by the vendor. That stuff is for vendors who ignore vulnerabilities.

It takes Microsoft time to get fixes out there, and that does have some unfortunate implications. However, being too specific about the bugs makes it easier for more people to exploit them, before the poor users can get a patch.

To put this another way, you may consider Microsoft's security inadequate, but that's hardly a reason to weaken it further.

But CERT Also Allows Variances

[mx+b]

90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that more more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

It's definitely a fine balancing act, and regardless your opinion on the Google vs Microsoft disclosure debate, I am glad that we are having a public debate about it.

Vulnerabilities cannot really be effectively categorized (look at the attempts from MITRE, for example). Some are due to simple programming errors and can be fixed and rolled out immediately. Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior. A one-size-fits-all disclosure plan is not necessarily in the public benefit, and I'm glad discussion is being had on what a reasonable timeline looks like, as well as what are extenuating circumstances for changing that timeline.

Re:But CERT Also Allows Variances

[slashdot_commentator]

Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior..

Google, or the world, do not have an obligation to tolerate Microsoft's willingness to market a fatally flawed product because a whole industry "expects" to take advantage of an insecure feature. It is no different that a fatally flawed skyscraper design. When such a building or bridge comes about, the world doesn't require architects or engineers to keep quiet about a safety flaw, because people already use it. The owner/design company is required to produce an effective correction to the problem, or the building gets condemned. Otherwise, the company is liable to be sued for the deaths and injury that can be attributed to it when the flaw is finally manifested. Do we really want an industry where companies put out shoddy products that can avoid a bad result in 10-20 years, wait for that error to harm people, and then suffer no economic consequences because they no longer exist?

Re:But CERT Also Allows Variances

[slashdot_commentator]

But what gives Google the right to do what they're doing?

What right? The right for the general public to utilize computer products SAFE from thieves and infrastructure terrorism.

They're just as guilty as Microsoft when it comes to security problems and shitty insecure software. Why should they spend their money on announcing other people's flaws, rather than fixing their own?

They are guilty of the same security problems and shitty software. And they should be punished in the commercial markets the way as Microsoft. If they commit the same crime as Microsoft, they should suffer the same penalties. NOT be complicit in covering up competitors' crimes, because they're criminals too.

Especially when Microsoft already has fixed pending and just needs a bit more time to ensure they don't cause even worse problems?

Who honestly thinks that forcing someone to rush out a less-tested patch is a good idea, just because Google has a hard-on for playing the fake superhero?

Microsoft has not always been diligent in correcting security problems, and I'm sure they're more than willing to backslide. Just like once upon a time, you could count on Microsoft putting out reliable windows update patches, but now they drop the ball as when they changed their management and protocols last year.

Re:But CERT Also Allows Variances

[sjames]

I'm no fan of MS (and I'm sure my posting history will bear that out), but there are other considerations here. No, MS shouldn't get a complete skate on this. They have proven that they need their feet held to the fire to get things to happen. BUT, there needs to be some slack in the system. If they appear to have been working on the problem in earnest and have a release plan, it's worth giving them time to complete it.

Unlike a building with a flaw, there aren't lives at stake here and releasing the details of the flaw in advance of the fix increase the chances of trouble. Further, if the likelihood of a problem in the immediate future is small enough, builders are often given the chance to make corrections before the details come out.

Re:But CERT Also Allows Variances

[Lawrence_Bird]

You really woke up on the wrong side of the bed today. Crime? There is no obligation by any of these companies to you to repair or replace any of the flaws. You license (or buy outright) the software AS IS. That you may also buy some type of "service contract" that provides for periodic ugrades, updates and fixes does not in any way oblige the software producer to fix any one specific flaw.

You may not like that system and you can certainly chose to go open source... where btw, who is guilty of the "crime" when a flaw is not fixed for months or years?

Re:But CERT Also Allows Variances

[slashdot_commentator]

Any sale of goods, provision of service, or transaction has implied requirements by the vendor to not "damage" the recipient or bystanders. When such vendor is remiss in delivering services as such, OR try to cover up malfeasance, that is a civil harm. When it physically damages individuals, or otherwise legally defined, it is a crime. In most cases, damages are resolved in the civil courts.

Microsoft's products are so pervasive in our society, their ability to be penetrated by hackers threatens bank accounts, personnel records, medical records, and in rare cases, infrastructure. Where Microsoft is "negligent", they can be sued. Its only a matter of time.

And unknown flaw lurking for years does not make Microsoft liable for negligence. A KNOWN flaw, which Microsoft does not move on, will eventually be grounds for civil damages. If it ends up killing people, its possible for it go criminal trial.

Android patent licensing and litigation ..

[lippydude]

"The licensing quest is largely a byproduct of Microsoft's unique position -- or perhaps more bluntly put, failure in the market" ref.

Re:Is that a typo?

[binarylarry]

From the bug link:

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public

.

I never thought that I would say this....

[jdawgnoonan]

I think that Microsoft has better intentions in this than Google does. Microsoft acknowledged the bugs and requested that Google delay the public release slightly so that they could patch. Google to me seems to be simply slamming Microsoft. All the while Google has extremely vulnerable versions of it's old stock browser on older but not out of support Android phones that it openly states that it will not patch.

Re:I never thought that I would say this....

[jdawgnoonan]

Have you ever worked on or maintained an operating system? It is a little more complex than writing little apps. Are you so sure that they are dragging their feet? Are you aware that all software companies do this same thing? Do you really feel that it is correct for a competitor that is not a security firm to go after another competitor like that? Google is doing the same thing on Android, Apple repeatedly has done the same thing.

Re:I never thought that I would say this....

[jdawgnoonan]

Google hurt users by announcing by publicly announcing an exploit in their competitor's operating system that was not patched, especially when Microsoft tried to do the right thing by communicating with Google regarding when it would be patched and asking them to delay the release. Google is not a security firm by the way. They are a competitor. And for all of the Microsoft hate out there, and I have been in the hate Microsoft crowd myself, Google is in reality like Facebook on steroids (albeit with much cooler products).

Re:I never thought that I would say this....

[Actually,+I+do+RTFA]

All the while Google has extremely vulnerable versions of it's old stock browser on older but still for sale Android phones that it openly states that it will not patch.

FTFY

That's a inappropriate comparison.

[tlambert]

Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.

For example, how about this: http://www.extremetech.com/mob...

That's a inappropriate comparison.

To patch that vulnerability would require the ability to update Android on existing handsets.

For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.

For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.

For this to work, there would have to be ongoing development on an older hardware platform.

For this to work, there would have to be carrier involvement in certification.

For this to work, the carrier revenue model of locking you into a two year contract every 18 months would have to change.

--

It's in absolutely no ones financial interest to provide updates to Android in already shipped handsets, and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

U.S. Carriers are *NOT* going to change their revenue model just so people can buy ala carte devices that will work with any carrier, and cost more up front for you to go with their service, rather than rolling it into the monthly payment when you go with a competitors service. Everyone would have to change at once (collusion, a violation of both the Sherman Antitrust Act and the RICO Statutes, and definitely something that would be prosecuted), or the carrier that tried to move to the European model would find itself out of business.

Likewise, the handset vendors, whose revenue model is completely built on thin margins, but selling a new handset every 18 months, instead of you buying one and keeping it for 10 years, would have to charge higher margin on their device sales in order to keep their revenue numbers up, and to pay for the R&D ongoing on the already-sold platform. And then they'd need to change their FAS accounting to match that of Apple's, or face charges under Sarbanes-Oxley, which is what Apple had to do before it could give away the WiFi updates to 802.11g/n for iPods. You'll (maybe) remember that they got a percentage of the monthly wireless fee from the carrier for iPhones, but realized their income at time of sale on iPod Touch and non-3G iPads, and so they had to charge $5 for the update.

And seriously, would you be willing to pay $5 for a bug fix for a bug you were pretty sure wasn't impacting you anyway, and was just some security "researcher" throwing a hissy fit to get their company name in the news so they got audit contracts out of it?

Re:That's a inappropriate comparison.

[Karlt1]

That's a inappropriate comparison.

To patch that vulnerability would require the ability to update Android on existing handsets.

You mean like Apple can on iPhones and MS can on Windows Phones?

For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.

I don't have to wait for Dell to provide a new version of Windows for me to patch a security vulnerability.

For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.

huh?

For this to work, there would have to be ongoing development on an older hardware platform.

And my 2006 Mac running Windows 7 is still getting Windows updates from Microsoft.....

For this to work, there would have to be carrier involvement in certification.

Do you really think Apple waits for "certification" from all 160+ carriers worldwide before updating iOS?

For this to work, the carrier revenue model of locking you into a two year contract every 18 months would have to change.

And my old iPhone 4s introduced 9/2011 is still getting updates.....
-

It's in absolutely no ones financial interest to provide updates to Android in already shipped handsets, and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

Microsoft is an "OS supplier", yet and still my Mac Mini running Windows 7 , Sony, Gateway, and Dell can all get OS updates, but you still have to wait for Verizon to get updates for the Google Nexus on their network?

U.S. Carriers are *NOT* going to change their revenue model just so people can buy ala carte devices that will work with any carrier,

The reason that one phone can't be used worldwide are because of the different bands that the different carriers support and the different technologies (CDMA/GSM) .

You can buy an iPhone right now that will work with varying degrees on all carriers in the US.

and cost more up front for you to go with their service, rather than rolling it into the monthly payment when you go with a competitors service. Everyone would have to change at once (collusion, a violation of both the Sherman Antitrust Act and the RICO Statutes, and definitely something that would be prosecuted), or the carrier that tried to move to the European model would find itself out of business.

All of the carriers have an option that allow you to buy your phone up front and just pay for service.

Likewise, the handset vendors, whose revenue model is completely built on thin margins,

Every heard of this little company called Apple?

And then they'd need to change their FAS accounting to match that of Apple's, or face charges under Sarbanes-Oxley, which is what Apple had to do before it could give away the WiFi updates to 802.11g/n for iPods. You'll (maybe) remember that they got a percentage of the monthly wireless fee from the carrier for iPhones, but realized their income at time of sale on iPod Touch and non-3G iPads, and so they had to charge $5 for the update.

And seriously, would you be willing to pay $5 for a bug fix for a bug you were pretty sure wasn't impacting you anyway, and was just some security "researcher" throwing a hissy fit to get their company name in the news so they got audit contracts out of it?

Not true, the law changed years ago. That's why Apple has been able to "give away" free OS upgrades for all of their devices for years.

Re:That's a inappropriate comparison.

[tlambert]

and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

You're full of shit. Google has already been caught forcing all Android vendors to bundle Google's proprietary shit so that they can spy on users data.

"Just an OS Vendor" .. lol.. what a joke.

How does a trademark licence agreement for the use of the "Android(tm)" trademark conflate with them being able to magically update the firmware on phones for which the Android team at Google does not even have full source code, and which the carriers would require recertification for use on their network?

Or do you really not understand how that bundling is achieved through the trademark licensing agreement?

"To the best of our knowledge"

[gwstuff]

> Microsoft says there's no evidence these flaws have been successfully exploited.

Cleverly worded sentence intended to leave the reader with the impression:

"We don't know that there has been a breach, therefore there hasn't been a breach"

when it really means...

"We don't know squat about whether there has been a breach. Maybe all hell has broken lose, and there's no evidence to contradict that either."

Re:Playing with fire...

[TemporalBeing]

MS still holds a lot of Android patents. They can easily do an Apple and forbid use of them, which will completely paralyze Android.

What you mean all those patents that the Chinese outted and nearly the entire tech world found to be not relevant save about as many as you can count on your hands? Yeah, that's really going to stop Android...

Re:Microsoft: No evidence flaw successfully exploi

[Carewolf]

Uh, isn't that what Google's proof-of-concept does - demonstrate the flaw being successfully exploited? Does Microsoft need to see N. Korea exploiting it before they believe it's real?

If you personally create a remote account for a North Korean spy and he uses this exploit to see you power control settings. You really were asking for it, not sure what but something.

Monty Python

[Aaden42]

I’m reminded of the old “blackmail” skit from Monty Python. Just with less of Terry Jones’ ass hanging out at the piano. I like it!

Poor form by Google

[davidwr]

A countdown clock is great but at least a few weeks before it expires a human needs to review it and send a "red flag alert" to the vendor that will fix it and ask if they are working on it and if so ask when they expect to have it fixed.

If the answer is "yes" the estimated fix-it date is in the near future, keep quiet but pester them if the date passes without a fix.

If the answer is "yes, we've been working on this but it is hard" or "no, but we'll get started right away" then keep pestering them and don't release it as long as they are making good progress (you may have to take their word on whether they are making good progress though, sigh).

If the answer is silence or a plain "no" or some other indication that there is no fix coming soon, then release it on the original date.

Re:Google vs Microsoft

[jdawgnoonan]

Microsoft is the number one enterprise tech company in the world, so I think that they are more than a public relations firm. Has /. become a site for people who only know about what is popular at the moment in tech? Or maybe it was always that way and I am just experienced enough to see it now.

So I have a question

[Riplakish]

When Google finds security bugs in Android do they publish it along with proof of concept after 90 days?

Re:So I have a question

[Cro+Magnon]

No, but maybe Microsoft should. What's good for the goose.

Re:So I have a question

[Actually,+I+do+RTFA]

No, they do it immediately. While reminding everyone that that version of Android is no longer supported, and they really should buy a new device.

Re:People who live in glas houses...

[blackomegax]

Google releases android patches all the time. They're up to like 5.0something now.

Re:No evidence duhh

[tomxor]

"Microsoft says there's no evidence these flaws haven't been successfully exploited."

Regardless of their meaning that's a ridiculous things to say, obtaining evidence to show the flaws haven't been exploited is infeasible. It's like saying there is no evidence proving that god does not exist.

Re:Reminds me on kindergarten...

[drinkypoo]

If that was true, then they would be working with Microsoft to improve their security, not making it worse by automatically disclosing vulnerabilities when the patch is forthcoming.

I think waiting 90 days for the company whose last CEO said he would "fucking kill" google to fix their shit software is pretty generous.

then I fail to see why Microsoft should have to be beholden to Google's asinine 90-day cut-off when even Google doesn't fix it's security bugs within 90 days in many cases.

Yes, Google's 90-day cut-off is asinine: It's twice CERT's standard, for example. If we really want these bugs fixed, Google should be disclosing them much earlier.

Re:Reminds me on kindergarten...

[drinkypoo]

Because some jackass CEO blustered, Google has the right to fuck over MS end-users by arbitrarily demanding that MS prioritize their security reports over all others?

Well, no. Because some jackass CEO blustered, I will rub my hands together and chuckle with glee every time Google releases an old, old bug report with security ramifications for their stack of crap. It's Microsoft fucking over the end users, by dropping such a stack of crap on them and then refusing to be responsible about security. If Google can find these bugs, then so can dedicated attackers.

And of course only MS deserves this treatment, because they're MS! Google's vulnerabilities can languish for over 90 days without being disclosed, because they're Google.

If Microsoft wants to find security holes in Google software, and report them after 90 days, then I'm sure Google will make sure that someone fixes them within 90 days, or perhaps even 45. That's easy for Google to do, apparently. They roll out a new version of Play Services at the slightest opportunity.

They're never badmouthed other companies like idiots before.

Microsoft showed how they would like to be treated, and now Google is doing that: treating them like idiots. If Microsoft wants to step up their game and act responsibly with regards to security holes, they have that option available to them. Google isn't stopping them.

Why in hell is Google doing this?

[Applehu+Akbar]

Releasing Windows bugs is Microsoft's job.

Bring the beast into the light

[Kuruk]

Im all for bring this up. We need much more of it. Its long time overdue bugs where kept secret for the few.

Re:Is that a typo?

[unixisc]

More like Microsoft writes the software and Google adds on the bugs ;-)