Slashdot Mirror


Google Releases More Windows Bugs

An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.


  1. No evidence by Anonymous Coward · · Score: 2, Funny

    Microsoft: "There's no evidence these flaws have been successfully exploited."
    Google: "Then why are you wearing that fake mustache and goatee?"

    1. Re:No evidence by RelaxedTension · · Score: 5, Insightful

      "Microsoft says there's no evidence these flaws haven't been successfully exploited."

      FTFY.

    2. Re:No evidence by v1 · · Score: 2

      Microsoft says there's no evidence these flaws have been successfully exploited.

      "...so we're going to wait until the bot herders have sucked in a few million more machines before bothering to patch it."

      WHAT is WRONG with you, ms?? If I'm reading that right, google is doing precisely what is necessary to light a fire under MS's ass to get the bugs fixed. It isn't really even that. They're basically telling us they don't consider it to be a big deal until it starts getting exploited. By making that comment, they completely justify (and encourage) Google's actions.

      --
      I work for the Department of Redundancy Department.
  2. Hope the trend continues. by 140Mandak262Jamuna · · Score: 5, Interesting
    I wish Apple would also pitch in and find and publish bugs in both Windows and Android. And Microsoft to retaliate by finding and reporting bugs in Android and Apple. In the end we as consumers will benefit. This should become the norm. No longer minor players report possible bugs and the clock does not run till the company "accepts" that there is a bug.

    Free markets! Competition!! That is what made America, what it is.

    I wish such fierce competition exists in all spheres of the economy.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Hope the trend continues. by Anonymous Coward · · Score: 3, Insightful

      THIS is the issue. NOT finding and disclosing.

      Both times MS has had a fix ready (last time) or in the pipeline (This time, fix started but not ready due to bugginess).

      "90 days, or DIE!!!" Rules should have exceptions, especially if the companies have been responsive AND have good reasonable reasons for a delay - which does include MS.

      Disclosure for a bug that's being worked on? While refusing to fix bugs in your own software?

      Bad Google BAD! *Smacks the nose*

    2. Re:Hope the trend continues. by iggymanz · · Score: 2

      sitting on a macpro here at work, I'd say let's just have Apple fix yosemite bugs and problems. Not worrying about a dust speck in someone else's eye while they have two by four in their own

    3. Re:Hope the trend continues. by turbidostato · · Score: 5, Insightful

      "Except without the public posting of them."

      Except the menace of the public posting seems to be the only way for the vendor to move forward.

      It's my bet that if Microsoft were doing their best effort to patch the bug and keep Google informed about it and the expected resolution time, they wouldn't have released the information.

    4. Re: Hope the trend continues. by wrf3 · · Score: 2

      Those who might exploit the bug won't wait for the vendor to get its act together.

    5. Re:Hope the trend continues. by Twanfox · · Score: 3, Informative

      Someone who didn't read the article. One of the comments in the 'more serious of the two bugs' indicated that Microsoft INFORMED them that the patch was lined up for January, but was pulled and rescheduled for February. You lost your bet, by Google's own bookkeeping. Try for another?

    6. Re:Hope the trend continues. by rsmith-mac · · Score: 2, Insightful

      Bad Google BAD! *Smacks the nose*

      In all seriousness, when the hell did we vote an advertising company as the security czar for the Internet?

      Not only is releasing right now stupid - patch Tuesday isn't for another month, so they've just done maximum damage - but we've seen what happens when outside forces try to rush MS security patches. Things get broken in hilarious-but-awful ways.

      When you're dealing with a codebase as large as Windows and have to maintain compatibility across an impossibly large array of hardware configurations, 90 days (really more like 60, depending on when PT falls) is not going to be enough time to patch and fully test every flaw.

    7. Re:Hope the trend continues. by freeze128 · · Score: 4, Insightful

      Google's system for making exploits public is *AUTOMATED*. This is like a passenger in an elevator trying to convince the elevator to go back down while it's already in the middle of its trip to the top floor. You can throw a tantrum, but it's just not going to make any difference.

      Microsoft was informed of the issue, and developed a patch, but it was due to Microsoft's own internal policies that the patch could not be included in the monthly update. There was probably some internal cut-off date or some other bureaucratic bullshit that prevented it. Google doesn't care about Microsoft's internal BS. Why should it?

      Microsoft could have released the patch as an out-of-band update. Google wasn't insisting that it be released on the monthly schedule.

    8. Re:Hope the trend continues. by MightyYar · · Score: 2

      As the article you linked suggests, what good would a fix do? The whole reason that someone might still be running 4.3 or below is that the phone manufacturers do not push updates. Google could fix 4.3 and below, but the manufacturers are no more likely to push that update than they are to just push a higher (and thus supported) version. The vast majority of people installing their own firmware aren't going to cry over 4.3, either. Why install a custom ROM with an obsolete Android?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. 90 days may be a little short by Lawrence_Bird · · Score: 5, Insightful

    but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.

    1. Re:90 days may be a little short by Anonymous Coward · · Score: 3, Insightful

      If it can install itself when someone doesn't have admin rights, it's malware.

      You must hate *nix.

    2. Re:90 days may be a little short by quantaman · · Score: 4, Informative

      but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them.. like cybercriminals and the various three letter agencies.

      From the article:

      In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

      "Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

      The next Patch Tuesday is scheduled for Feb. 10.

      So 90 days is an appropriate time to wait but not 106 days?

      It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly. I don't see the rationale for Google maintaining the hard 90 day deadline, maybe extensions allow some complacency on the part of the developer, but you're still not going to see them sitting on issues for months or even years on end. Meanwhile by publishing now Google has created one of two scenarios. 1) Users are going to be left vulnerable to unpatched zero-day exploits, or 2) users are going to break their systems by installing broken patches.

      It's not clear to me how this is better than sitting on the issue for another 26 days.

      --
      I stole this Sig
    3. Re:90 days may be a little short by Anonymous Coward · · Score: 5, Insightful

      This is a situation where the "slippery slope" argument really does apply. If Google is just going to sit on bugs until the vendor patches... they're going to end up with bedsores. And no one likes bedsores.

      Instead, they embarrass the vendors a couple times, and once heads are pulled out of asses and people realize they're not screwing around, they start taking these things seriously.

      That's my guess, anyway.

    4. Re:90 days may be a little short by Qzukk · · Score: 3, Informative

      One with user-writable locations not mounted noexec?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  4. Re:Evil corporation cage match! by jellomizer · · Score: 2, Insightful

    Like Bing doesn't sell data it collected either.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. 90 days is really long by dwheeler · · Score: 5, Informative

    90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that for more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
    1. Re:90 days is really long by whoever57 · · Score: 3, Insightful

      Then they run that test as part of their automated "Test Windows" run (which probably takes hours to do)

      I am going to nitpick on your analysis, but I have zero sympathy for Microsoft having (hypothetically) a test system that takes hours to provide a result. This is a company with billions of dollars available to it. Invest in more test hardware if the test systems take too long to run.

      --
      The real "Libtards" are the Libertarians!
  6. Re:Evil corporation cage match! by turbidostato · · Score: 2

    "And that fact negates the OPs comment how?"

    By stating that since Microsoft business practices equal those of Google and then more, it can't be followed that Google is any more evil than Microsoft.

    Signed: Captain "So I thought" Obvious

  7. Re:Evil corporation cage match! by nedlohs · · Score: 2

    Because the claim was "they're probably MORE evil" which is a relative claim and hence "they do it too" is in fact a valid argument.

  8. Cryptonomicon: Shanghai Banks by handy_vandal · · Score: 3, Interesting

    I'm reminded of Neal Stephenson's description of Shanghai banks on the eve of World War 2:

    Here you've got the Hong Kong and Shanghai Bank of course, City Bank, Chase Manhattan, the Bank of America, and BBME and the Agricultural Bank of China and any number of crappy little provincial banks, and several of those banks have contracts with what's left of the Chinese Government to print currency. It must be a cutthroat business because they slash costs by printing it on old newspapers, and if you know how to read Chinese, you can see last year's news stories and polo scores peeking through the colored numbers and pictures that transform these pieces of paper into legal tender.

    As every chicken-peddler and rickshaw operator in Shanghai knows, the money-printing contracts stipulate that all of the bills these banks print have to be backed by such-and-such an amount of silver; i.e., anyone should be able to walk into one of those banks at the end of Kiukiang Road and slap down a pile of bills and (provided that those bills were printed by that same bank) receive actual metallic silver in exchange.

    Now if China weren't right in the middle of getting systematically drawn and quartered by the Empire of Nippon, it would probably send official bean counters around to keep tabs on how much silver was actually present in these banks' vaults, and it would all be quiet and orderly. But as it stands, the only thing keeping these banks honest is the other banks.

    Here's how they do it ...

    Continue reading ...

    --
    -kgj
  9. FTFY by CaptainDork · · Score: 2, Insightful

    I mean the whole point of doing these types of investigations is to slap the competition in the face.

    --
    It little behooves the best of us to comment on the rest of us.
  10. Re:Is that a typo? by mrchaotica · · Score: 2

    It should read "Google discloses more Windows bugs."

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  11. Particularly given their Android response by Sycraft-fu · · Score: 2

    "Oh that's an old version, we aren't going to patch the bug." Really? That's an acceptable response that something that's 3 years old is too old to patch? But somehow, taking 100 days to patch a product that's 5 years old (in 7's case) is too long? Much easier to deal with patch issues if you just declare you only support the latest greatest and require everyone to upgrade all the time, no matter the issues.

    MS's response is particularly understandable given the complexity of doing regression testing on the wide variety of hardware, software, and patch sets the patch might need to be applied against. If they released it and it caused issues, well then people would cry even more about how shitty they were for not testing it.

    I think you are right about the mud slinging/political office: What with Chrome books Google now wishes to directly attack MS. They want to make Windows look bad, and thus make their own product look good by comparison. This isn't motivated by being a good citizen, it is motivated by something else.

    For that matter one can get all conspiracy theorist and say maybe they chose their reporting date knowing MS's patch cycle to try and create just such a situation.

    1. Re:Particularly given their Android response by Xylantiel · · Score: 3, Insightful

      The other option is that Microsoft could acknowledge reality - they are not fixing things fast enough to resist targeted attacks. MS's statement about it "not being seen in the wild" demonstrates that they don't understand the current state of exploits. Google's hypothetical attacker is one who will go to lengths to keep an exploit from being used specifically so that MS won't fix it. Also a monthly schedule for updates is a huge liability against such an attacker, as they know their window of opportunity. MS is stuck in the old model that an exploit is not important unless it has been seen in the wild. While that is all well and good for preventing worms from spreading (and therefore protecting MS's image) it is not good enough to protect your company's data from a targeted attack that can buy or discover a zero-day vulnerability. That is reality.

      Another way to look at it is that people using MS stuff have chosen interoperability over security. Thus the longer patch testing cycle, and the once-a-month updates. Therefore they shouldn't be surprised when it is demonstrated that... they chose interoperability over security.

  12. Re:Is that a typo? by binarylarry · · Score: 4, Informative

    From the bug link:

    This bug is subject to a 90 day disclosure deadline. If 90 days elapse
    without a broadly available patch, then the bug report will automatically
    become visible to the public.

    --
    Mod me down, my New Earth Global Warmingist friends!
  13. Re:Evil corporation cage match! by jdawgnoonan · · Score: 4, Insightful

    But to my knowledge that is the only way Google makes any money at all, and, since Google has a higher market cap than Microsoft who also sells a lot of for profit software, I can only assume that Google sells a lot more information. Every tool Google provides for consumers is a data mining tool that is funded solely by data mining. Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.

  14. Re:MS should sue them by X.25 · · Score: 2

    This is degenerate behavior.

    Years (decades, now) ago, it was normal to publish vulnerabilities and exploits and discuss them and (try to) force vendors to act.

    What is happening now is degenerate.

  15. That's an inappropriate comparison. by tlambert · · Score: 2

    Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.

    For example, how about this: http://www.extremetech.com/mob...

    That's an inappropriate comparison.

    To patch that vulnerability would require the ability to update Android on existing handsets.

    For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.

    For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.

    For this to work, there would have to be ongoing development on an older hardware platform.

    For this to work, there would have to be carrier involvement in certification.

    For this to work, the carrier revenue model of locking you into a two year contract every 18 months would have to change.

    --

    It's in absolutely no one's financial interest to provide updates to Android in already shipped handsets, and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.

    U.S. Carriers are *NOT* going to change their revenue model just so people can buy à la carte devices that will work with any carrier, and cost more up front for you to go with their service, rather than rolling it into the monthly payment when you go with a competitor's service. Everyone would have to change at once (collusion, a violation of both the Sherman Antitrust Act and the RICO Statutes, and definitely something that would be prosecuted), or the carrier that tried to move to the European model would find itself out of business.

    Likewise, the handset vendors, whose revenue model is completely built on thin margins, but selling a new handset every 18 months, instead of you buying one and keeping it for 10 years, would have to charge higher margin on their device sales in order to keep their revenue numbers up, and to pay for the R&D ongoing on the already-sold platform. And then they'd need to change their FAS accounting to match that of Apple's, or face charges under Sarbanes-Oxley, which is what Apple had to do before it could give away the WiFi updates to 802.11g/n for iPods. You'll (maybe) remember that they got a percentage of the monthly wireless fee from the carrier for iPhones, but realized their income at time of sale on iPod Touch and non-3G iPads, and so they had to charge $5 for the update.

    And seriously, would you be willing to pay $5 for a bug fix for a bug you were pretty sure wasn't impacting you anyway, and was just some security "researcher" throwing a hissy fit to get their company name in the news so they got audit contracts out of it?

  16. "To the best of our knowledge" by gwstuff · · Score: 2

    > Microsoft says there's no evidence these flaws have been successfully exploited.

    Cleverly worded sentence intended to leave the reader with the impression:

    "We don't know that there has been a breach, therefore there hasn't been a breach"

    when it really means...

    "We don't know squat about whether there has been a breach. Maybe all hell has broken loose, and there's no evidence to contradict that either."

  17. Re:Playing with fire... by TemporalBeing · · Score: 4, Interesting

    MS still holds a lot of Android patents. They can easily do an Apple and forbid use of them, which will completely paralyze Android.

    What you mean all those patents that the Chinese outed and nearly the entire tech world found to be not relevant save about as many as you can count on your hands? Yeah, that's really going to stop Android...

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  18. Re:Evil corporation cage match! by bgarcia · · Score: 4, Informative

    I can only assume that Google sells a lot more information.

    Google collects information. Google uses that information to determine what ads to show users. But unlike other companies, Google does NOT sell that information.

    --
    I'm a leaf on the wind. Watch how I soar.