Slashdot Mirror


Google Releases More Windows Bugs

An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.

12 of 263 comments

  1. Hope the trend continues. by 140Mandak262Jamuna · · Score: 5, Interesting
    I wish Apple would also pitch in and find and publish bugs in both Windows and Android. And Microsoft to retaliate by finding and reporting bugs in Android and Apple. In the end we as consumers will benefit. This should become the norm. No longer minor players report possible bugs and the clock does not run till the company "accepts" that there is a bug.

    Free markets! Competition!! That is what made America, what it is.

    I wish such fierce competition exists in all spheres of the economy.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Hope the trend continues. by turbidostato · · Score: 5, Insightful

      "Except without the public posting of them."

      Except the menace of the public posting seems to be the only way for the vendor to move forward.

      My bet is that if Microsoft were doing their best effort to patch the bug and keeping Google informed about it and the expected resolution time, they wouldn't have released the information.

    2. Re:Hope the trend continues. by freeze128 · · Score: 4, Insightful

      Google's system for making exploits public is *AUTOMATED*. This is like a passenger in an elevator trying to convince the elevator to go back down while it's already in the middle of its trip to the top floor. You can throw a tantrum, but it's just not going to make any difference.

      Microsoft was informed of the issue, and developed a patch, but it was due to Microsoft's own internal policies that the patch could not be included in the monthly update. There was probably some internal cut-off date or some other bureaucratic bullshit that prevented it. Google doesn't care about Microsoft's internal BS. Why should it?

      Microsoft could have released the patch as an out-of-band update. Google wasn't insisting that it be released on the monthly schedule.

  2. 90 days may be a little short by Lawrence_Bird · · Score: 5, Insightful

    but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.

    1. Re:90 days may be a little short by quantaman · · Score: 4, Informative

      but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.

      From the article:

      In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.

      "Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."

      The next Patch Tuesday is scheduled for Feb. 10.

      So 90 days is an appropriate time to wait but not 106 days?

      It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly. I don't see the rationale for Google maintaining the hard 90 day deadline, maybe extensions allow some complacency on the part of the developer, but you're still not going to see them sitting on issues for months or even years on end. Meanwhile by publishing now Google has created one of two scenarios. 1) Users are going to be left vulnerable to unpatched zero-day exploits, or 2) users are going to break their systems by installing broken patches.

      It's not clear to me how this is better than sitting on the issue for another 26 days.

      --
      I stole this Sig
    2. Re:90 days may be a little short by Anonymous Coward · · Score: 5, Insightful

      This is a situation where the "slippery slope" argument really does apply. If Google is just going to sit on bugs until the vendor patches... they're going to end up with bedsores. And no one likes bedsores.

      Instead, they embarrass the vendors a couple times, and once heads are pulled out of asses and people realize they're not screwing around, they start taking these things seriously.

      That's my guess, anyway.

  3. 90 days is really long by dwheeler · · Score: 5, Informative

    90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... (see that for more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  4. Re:No evidence by RelaxedTension · · Score: 5, Insightful

    "Microsoft says there's no evidence these flaws haven't been successfully exploited."

    FTFY.

  5. Re:Is that a typo? by binarylarry · · Score: 4, Informative

    From the bug link:

    This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

    --
    Mod me down, my New Earth Global Warmingist friends!
  6. Re:Evil corporation cage match! by jdawgnoonan · · Score: 4, Insightful

    But to my knowledge that is the only way Google makes any money at all, and, since Google has a higher market cap than Microsoft who also sells a lot of for profit software, I can only assume that Google sells a lot more information. Every tool Google provides for consumers is a data mining tool that is funded solely by data mining. Microsoft actually sells stuff that you can buy and use without agreeing to allow your data to be mined.

  7. Re:Playing with fire... by TemporalBeing · · Score: 4, Interesting

    MS still holds a lot of Android patents. They can easily do an Apple and forbid use of them, which will completely paralyze Android.

    What, you mean all those patents that the Chinese outed and nearly the entire tech world found to be not relevant save about as many as you can count on your hands? Yeah, that's really going to stop Android...

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  8. Re:Evil corporation cage match! by bgarcia · · Score: 4, Informative

    I can only assume that Google sells a lot more information.

    Google collects information. Google uses that information to determine what ads to show users. But unlike other companies, Google does NOT sell that information.

    --
    I'm a leaf on the wind. Watch how I soar.