Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft (venturebeat.com)
An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems. In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
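The Win32k lockdown that Google credits with blocking this sandbox escape is a per-process mitigation policy, and a defender can check whether a running process actually has it applied. The following PowerShell is an added example, not code from the article or from Google's post; it assumes Windows 10 1709 or later with the built-in ProcessMitigations module, and chrome.exe is only an assumed image name.

```powershell
# Added example: report the Win32k system-call lockdown state of every running
# process for a given image. Needs an elevated session to inspect other users'
# processes. Cmdlets used are from the built-in ProcessMitigations module.
Import-Module ProcessMitigations

function Get-Win32kLockdownStatus {
    param(
        # Image to inspect; chrome.exe is an assumed example value.
        [string]$ImageName = 'chrome.exe'
    )
    $baseName = [IO.Path]::GetFileNameWithoutExtension($ImageName)
    Get-Process -Name $baseName -ErrorAction Stop | ForEach-Object {
        # Per-process view of the effective mitigation policy.
        $policy = Get-ProcessMitigation -Id $_.Id
        # Command line helps tell the browser (broker) process from renderers.
        $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
        [pscustomobject]@{
            Pid            = $_.Id
            Win32kLockdown = $policy.SystemCall.DisableWin32kSystemCalls   # ON / OFF / NOTSET
            CommandLine    = $cmd
        }
    }
}

# Chrome applies the lockdown only to sandboxed renderer processes, so the broker
# process is expected to show OFF or NOTSET while renderer processes show ON.
Get-Win32kLockdownStatus | Format-Table -AutoSize -Wrap
```

For an application that does not ship its own sandbox, the same policy can be forced from outside with `Set-ProcessMitigation -Name <image> -Enable DisableWin32kSystemCalls`, but only for processes that never make GUI (win32k) calls, since the policy terminates a process on its first blocked system call.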
If you disagree, and you're a programmer, then answer this: do your managers give you extra time on your tasks to make sure your code is secure? Have they ever encouraged you to care about security, or is it the opposite? Do they encourage you to treat user input carefully, and as a potential exploit?
Yes, yes and yes.
Further, there are explicit security review processes at the concept, design and implementation stages (there are also privacy reviews which have a similar structure but a different focus). There are mandatory internal training courses that all developers must attend which train developers about user input validation as well as considerably more sophisticated security issues. There are teams whose entire focus is security, to build secure infrastructural components which make it difficult for the general developer population to build insecure software. There are other teams whose whole job is to find vulnerabilities. There are large systems that do nothing but automated fuzz testing of our products. Third party penetration testing teams are regularly hired to attempt to find vulnerabilities, and those teams are given the wholehearted support of the development teams, and full access to all relevant information. External researchers are paid hefty bug bounties for reports of vulnerabilities in our products. Discovery of security vulnerabilities provokes a post-mortem process to analyze how the vulnerability was created and to identify what changes to tooling, processes or training could have prevented the vulnerability from being created.
And you know what? There are still security bugs.
Yes, software companies should make a serious attempt to write secure code. No, it is not reasonable to expect that they'll succeed, not in the general case, not without increasing the cost of software by two or three orders of magnitude. Reasonable effort in design and implementation, defense in depth, actively seeking vulnerabilities and aggressive patch deployment are the best we know how to do in the general case.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.