Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft

An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems.In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

America must go Communist!

[For+a+Free+Internet]

Before the bourgeoisie slaughters us all!

If you want capitalism, and all its attendant racism, inequality, oppression, war, and brutality, vote Green, Libertarian, Democrat or Republican!

Re:America must go Communist!

You don't seem to realize that by using something completely unrelated to your cause as a soap box, you make yourself and your cause look incredibly stupid

Re: America must go Communist!

[ArmoredDragon]

He's deliberately creating mayhem. He's a member of GNAA.

Re:America must go Communist!

You don't seem to realize that by using something completely unrelated to your cause as a soap box, you make yourself and your cause look incredibly stupid

What I don't get is why an account with nothing but 0 and -1 scores on every single comment for years isn't just deleted. Wait, yeah I do. If you let the idiot use the same account, they can feel like people are actually reading it and it's "changing their lives" or some BS. It keeps them from creating more accounts to do the same. If they do that, IPs get targeted.

dirty cow vs patch tuesday

Linux ones get special names. Windows ran out of names long ago

So Windows 10 is not affected?

[jader3rd]

I found the final sentance a little confusing. Does this affect all versions of Windows, or just older ones?

Re:So Windows 10 is not affected?

Sounds like:

Use our browser, it's better.

Re:So Windows 10 is not affected?

[zlives]

looks like all and chrome mitigates it in win10 (from how i read it)

Re:So Windows 10 is not affected?

[squiggleslash]

I think it's "If you're using Chrome under Windows 10, and someone tries to hack you using, say, a hacked plugin, Chrome will be able to sandbox this. In any other configuration, you're screwed."

Re:So Windows 10 is not affected?

The bug is only present on modern ones and this API is not in older windows versions from XP SP3 going down to Windows 3.1
I wonder why this important bit of info was left out. New versions introduce newer bugs which are not in older versions.

Re:So Windows 10 is not affected?

i used win xp and opera presto
I do no care)

Re:So Windows 10 is not affected?

this is m$)

Re: So Windows 10 is not affected?

SetWindowLong exists in all versions since Win95

Neel Mehta is a real crumbum

I suggest you read up on this guys history of less than ethical disclosures. This isn't his first dangerous disclosure in his quest for fame.

Re:Neel Mehta is a real crumbum

[AK+Marc]

With no exploit in the wild, Google should quietly inform MS. With an exploit in the wild, it has already been publicly disclosed, but to a limited audience, so Google should disclose widely, so everyone is informed of the exploits.

What in that behavior do you find unethical?

Re:Neel Mehta is a real crumbum

[XparXnoiaX]

Not only that, the arguably ethical thing to do is to always disclose. In most cases the exploits are being actively used (see previous link).

Re:Neel Mehta is a real crumbum

Wow, APL gets 70 days to patch with an extension. Microsoft gets 11 days.

Re:Neel Mehta is a real crumbum

"Arguably" being the operative word. That attitude is extremely naive and borderline criminal. The exploits may or may not be under active exploitation before, but after releasing the exploit information you GUARANTEE that the exploit will be used.

First of all, the fix won't be instantaneous. It'll have to go through several layers of testing and reviewing, a patch will need to be prepared, then tested, then deployed. This takes time, and during this time, users are in danger because you decided to just throw a live hand-grenade in the room and yell "Take cover!".

Arguing that users can adopt mitigation strategies is a moot point. Some exploits can't be mitigated. They can only be fixed, hopefully permanently. But even in the best case scenario, you are assuming that users even KNOW how to mitigate the danger or that they even know about the danger in the first place. Only geeks like us frequent technical sites and know that these vulnerabilities exist and how to fix them.

Most users couldn't even log in with the caps-lock key on, what chances are there that they'll be able to mitigate a local privilege escalation vulnerability? Or even pronounce it? The only mitigation they'll get is when their OS (forcibly) installs the next update that fixes this vulnerability.

Releasing the exploit early does not aid in the goal of fixing the exploit, and does not help users. All it will do is ensure that users are in increased danger.

The only situations I envisage where disclosure is immediately required is when there is an immediate danger to life or when the vendor does not seem inclined to fix the bug. Otherwise, you're just an asshole.

Re:Neel Mehta is a real crumbum

[XparXnoiaX]

"Arguably" being the operative word. That attitude is extremely naive and borderline criminal.

The criminal was the company that wrote the vulnerability in the first place.

If you disagree, and you're a programmer, then answer this: do your managers give you extra time on your tasks to make sure your code is secure? Have they ever encouraged you to care about security, or is it the opposite? Do the encourage you to treat user-input carefully, and as a potential exploit? If your company doesn't do this, then they are negligent.

Remember there are companies who store passwords in plaintext. That is not only idiotic, anyone with half a brain knows not to do that.

Re:Neel Mehta is a real crumbum

An immediate danger to life and you'd immediately disclose? Really? And when people start dying the next day you'd be OK with that?

Re:Neel Mehta is a real crumbum

Not that simple...even if the managers gave programmers extra time to "make sure that the code is secure", would the person who wrote insecure code in the first place even know that it was insecure, let alone find the flaws, fix them, and retest? Methinks not. Especially if the security flaw is in the design, rather than the coding.

Re:Neel Mehta is a real crumbum

Unlike the Apple vulnerability, Google knew that the Microsoft vulnerability was currently being exploited. This looks like it's more of a case of making an active exploit known to the public at large, instead of disclosing an otherwise unknown vulnerability.

Re:Neel Mehta is a real crumbum

Once you get some real world experience working with large software packages with a very large user base, you'll understand why the more experienced people consider your position naive.

Re:Neel Mehta is a real crumbum

[phantomfive]

I notice you failed to answer the question. I take it to mean you've never worked in a company that gave their programmers time to make sure the software was secure.
In most companies it's the opposite: the "rush to market" is so important that security can "wait until later."

Re:Neel Mehta is a real crumbum

You may be right. I read their comment and concluded that they knew as much about the topic as I know about the game of cricket - which is close to nil. It didn't occur to me that they be suffering from the hubris of youth and inexperience.

Re:Neel Mehta is a real crumbum

[LinuxIsGarbage]

Remember there are companies who store passwords in plaintext. That is not only idiotic, anyone with half a brain knows not to do that.

My mind always boggles when I click a recover password link, and get my old password emailed to me in plain-text.

Re:Neel Mehta is a real crumbum

First of all, the fix won't be instantaneous.

We all full know that most companies will not put any priority into fixing security issues, unless it is public knowledge they know about it and aren't doing anything to solve it. Many will even ignore the first few alerts completely.

In the absence of an independent organization managing all this, with legal force of punishment for inaction, reporters have to be the judge on what to do. And when repetitively facing reluctance to do things right, quickly, even as data is being leaked or attacks are underway, it is very understandable that some people would take a much stricter stance on this, particularly when dealing with big companies with zero excuse.

We can discuss consequences all we want, none of us are all-knowing. There are positives and negatives in most decisions, and it is often difficult to balance everything out. But if facing inaction, you do nothing either, well, here's another one of your guarantee: nothing will ever get done.

Often in life you'll have to put your foot in it. If you cannot, you shouldn't blame yourself too much, but don't try to justify yourself by promoting apathy to others.

The only situations I envisage where disclosure is immediately required [...] when the vendor does not seem inclined to fix the bug.

97% of cases, if you include the matter of priority, and the fact many alerts won't even get to the proper persons until you fight their entire organization structure for hours, days, weeks, or even months... (we live in such stupidly insane society...).

Great we agree though.

Re:Neel Mehta is a real crumbum

[swillden]

If you disagree, and you're a programmer, then answer this: do your managers give you extra time on your tasks to make sure your code is secure? Have they ever encouraged you to care about security, or is it the opposite? Do the encourage you to treat user-input carefully, and as a potential exploit?

Yes, yes and yes.

Further, there are explicit security review processes at the concept, design and implementation stages (there are also privacy reviews which have a similar structure but a different focus). There are mandatory internal training courses that all developers must attend which train developers about user input validation as well as considerably more sophisticated security issues. There are teams whose entire focus is security, to build secure infrastructural components which make it difficult for the general developer population to build insecure software. There are other teams whose whole job is to find vulnerabilities. There are large systems that do nothing but automated fuzz testing of our products. Third party penetration testing teams are regularly hired to attempt to find vulnerabilities, and those teams are given the wholehearted support of the development teams, and full access to all relevant information. External researchers are paid hefty bug bounties for reports of vulnerabilities in our products. Discovery of security vulnerabilities provokes a post-mortem process to analyze how the vulnerability was created and to identify what changes to tooling, processes or training could have prevented the vulnerability from being created.

And you know what? There are still security bugs.

Yes, software companies should make a serious attempt to write secure code. No, it is not reasonable to expect that they'll succeed, not in the general case, not without increasing the cost of software by two or three orders of magnitude. Reasonable effort in design and implementation, defense in depth, actively seeking vulnerabilities and aggressive patch deployment are the best we know how to do in the general case.

Re:Neel Mehta is a real crumbum

The "asshole" is the company that wrote the bug ridden OS. How many zero days has this POS OS had so far?

Microsoft would rather the public continue being infected by an active zero day exploit then inform them. That's criminal and irresponsible - otherwise known as "par for the course for Microsoft"

Re:Neel Mehta is a real crumbum

I have many years of experience working with software security, so I'll try to add to the discussion.

You seem to be asking the obvious question of "should software developers be held accountable to release secure software?" when the topic is the less obvious "how should we disclose vulnerabilities of software already released?"

Even if the software developer took every precaution and followed current methodologies to prevent vulnerabilities in their software, there is still a chance that a vulnerability exists. Good development (including release) practice goes a long way to reduce the likelihood of a vulnerability, but it can't be eliminated. Especially if you are talking about an OS that runs on a large number of different hardware configurations.

The question is when should a vulnerability be disclosed and what steps should be taken to ensure that the software developer has enough time to mitigate the vulnerability? It's accepted practice to notify the software developer and negotiate a time frame for public disclosure taking known exploits and software complexity into account.

Immediate disclosure of vulnerabilities may be viable in open source projects, but it doesn't mean it's viable for all software. The idea of immediately disclosing any vulnerability to the public regardless of circumstance needlessly places people at risk in a sophomoric attempt to pressure the developers into releasing patches more frequently.

Re:Neel Mehta is a real crumbum

[XparXnoiaX]

Even if the software developer took every precaution and followed current methodologies to prevent vulnerabilities in their software, there is still a chance that a vulnerability exists.

My point is that when disclosing, you should take into consideration whether the software developers were following best practices or not. 99% of the time, the answer is: not.

Different from the Kid Gloves They Used for Apple

[Luthair]

Interesting this comes mere days after the story that Google sat on an Apple vulnerability for 5-months? Though maybe given this is being actively exploited the treatment is justifiably different...

Fuck you Google!

[Master5000]

You only make shitty decisions lately. Looks like we're gonna have to put you down. Pixel, no Nexus updates for Nexus 5, Hello and other shit and now this? Google has outlived its usefulness. The government should provide the google search service as now it's like a public utility and the rest of Google can be safely shut down. For the good of everybody.

Re: Fuck you Google!

It looks like you have so much interesting things to say you don't know what to start with ...

Security is a partnership...

Everyone has vulnerabilities, because there are just too many inconceivable ways that protective measures might be bypassed. As such, teamwork between providers is the key; just because the other guy's platform is doesn't mean yours can't also be sunk, especially in this interconnected world of botnets.

If this vulnerability wasn't part of the fixes in last patch Tuesday Google - OR anyone - should keep their mouths shut until the provider has had a chance to patch it, and patch it right. There's nothing worse than a rushed patch that fixes the specific problem but leaves the family of vulnerability open, resulting in more exploits and patches down the road.

Google must think their computing platform is sitting pretty, what with Chromebooks seemingly not having these problems. I'm just waiting for the first ChromeOS/cloud propagated malware to make them look foolish.
g=

Re:Security is a partnership...

It's been 18 years and still nothing. Maybe it's because Google doesn't use Windows? So it looks like you'll be waiting for a very long time.

Re:Security is a partnership...

[LinuxIsGarbage]

It's been 18 years and still nothing. Maybe it's because Google doesn't use Windows? So it looks like you'll be waiting for a very long time.

I remember reading... some time 8-10 years a go... that Google was desperately trying to get their employees off Windows. Something like 66% were using Windows XP internally on their desktops.

Re:Security is a partnership...

You'd be surprised how many people will jump ship when you give them the choice of a Mac.

Re:Security is a partnership...

[Sun]

That's true. I, for one, will jump ship from a company as soon as the only choice they give me is a Mac. Shachar

Re:Security is a partnership...

[Sun]

They should keep their mouth shut or else what? The bad guys will start exploiting it?

Read the summary. The bad guys are already exploiting it.

Shachar

What In The Fuck?????

[bev_tech_rob]

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

How in the hell does anyone find this shit to start with? Where does one begin when trying to find bugs and vulnerabilities? Do these folks spend day in and day out sitting on a shitbucket, eating Cheetos and Monster and have absolutely no freakin' life???? SMH....

Oh well, keeps me busy in my line of work...

Re:What In The Fuck?????

[Greyfox]

Oh, that's easy. When the companies audit their code to get their security ratings for government contracts, they report their findings to the NSA. Then, the Chinese and Russian hackers hack the NSA and download the reports. Then, when the Russian and Chinese hackers defect to Europe, they bring those reports and hand them over to the GHCQ. Along with, I'm going to say, plutonium. Hi guys! Anywhoo, then the GHCQ outsources writing the code to exploit the weaknesses detailed in the reports to India or Pakistan. You know, because why not? So basically by the time you hear about a security flaw being exploited, pretty much everyone in the world already knows about it anyway.

Re:What In The Fuck?????

The line of work that takes what the cheetos and shitbucket people build, and then pretend you know what you are talking about , but in reality you just google for something a cheetos and shitbucket person wrote?

Re:What In The Fuck?????

[twistedcubic]

My guess: they probably have the source code to Windows.

Re:What In The Fuck?????

[Sarten-X]

First it starts with having an understanding of what's going on. Then it continues with realizing that an assumption isn't necessarily true, and finishes with finding a means to force that assumption to be invalid.

One of my favorite exploits is a privilege-escalation issue on very old Linux systems. In short, you run a program that crashes and drops raw memory into cron's job folder, and when cron looks at the dump, it sees something that looks like a job spec, so cron happily runs whatever was in that memory dump, as root.

This exploit existed because Linux would assume that dropping a file would always be a safe thing to do, while cron assumed that only root would be able to drop files in its job folder. Together, they made a vulnerability.

Re:What In The Fuck?????

It's not that hard to get into. Start modding video games, figure out where certain pointers go to and how they can be modified, start understanding where those modifications can cause trouble.

Then you're right, success will depend on amount of monster / time spent on it. Some people think it's a better life than whatever bullshit you think is a good life. Some don't. Don't worry about it too much.

Re:What In The Fuck?????

[techno-vampire]

Then it continues with realizing that an assumption isn't necessarily true, and finishes with finding a means to force that assumption to be invalid.

Back in the mid 80s, I did some work at JPL with the late Dan Alderson. Generally speaking, an if/else if sequence ends without another if because all possible cases have been listed. Dan, however, would use a final if, specifying what should be the only possible situation, with an else aborting the program with the comment "1 = 2" to indicate an unexpected situation rather than continue. I never saw it come up, but he did tell me once that it had happened a few times.

Is the policy

Vulns. already being exploited in the wild are published 7 days after reporting it to the vendor. This is nothing new and is Google's policy on this (dated 2013).
See: https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html

Sleazy attempt to paint Google in a bad way. This flaw is already being exploited, the bad guys already know about it!

Re:Is the policy

Yeah, I was kinda upset, then I read it was already being actively exploited.

Yeah, if its already out there, the damnage is done.

Re:Different from the Kid Gloves They Used for App

[bigdady92]

Apple Market Share: 3-5%
Windows Market Share: 90%
Everything else: Math%

Google wants to put as much pressure on MS to get them to fix the problem as quickly as possible as this vulnerability affects the largest market share of Google's Product.

We all know all those windows users will blame Chrome for infecting their machine Because Reasons(TM) so let Google force MS into fixing this issue ASAP.

Apple's vulnerability? Who cares, it affects a microcosm of Google's user base.

The evil maid strikes again!

Of course, someone with local access could just type format c: in command mode too.

Re:The evil maid strikes again!

Of course, someone with local access could just type format c: in command mode too.

I see that you don’t know shit about how stuff like local escalation exploits actually works, and yet have chosen to comment anyway. How fascinating. Entertain us some more.

There's "AtomBombing" Windows too

See subject & this https://www.helpnetsecurity.co...

* Which thank goodness only means someone has to be ignorant enough to download & execute a malware for it to work @ all in the 1st place...

APK

P.S.=> HOWEVER - that's what I built this for to prevent that happening:

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Blocking out known maliciously scripted sites or bad executables on them (for more security, speed, reliability & anonymity for LESS than other "so-called 'solutions'", w/ what you already have, natively)... apk

Re:There's "AtomBombing" Windows too

Which thank goodness only means someone has to be ignorant enough to download & execute a malware for it to work

... proceeds to link to some EXE file ...

Re:There's "AtomBombing" Windows too

[UnknownSoldier]

OT: Which version of Firefox did you say was safe? Version 43? 44? or 45?

Thanks.

Re:Fuck you Microsoft

Please child, Microsoft is a has been. Windows is a cesspool of viruses, malware and ransomware. The sooner Microsoft get's put down the better it is for computing and society in general.

There's "AtomBombing" Windows too

See subject & this https://www.helpnetsecurity.co...

* Which thank goodness only means someone has to be ignorant enough to download & execute a malware for it to work @ all in the 1st place...

APK

P.S.=> HOWEVER - that's what I built this for to prevent that happening:

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Blocking out known maliciously scripted sites or bad executables on them (for more security, speed, reliability & anonymity for LESS than other "so-called 'solutions'", w/ what you already have, natively)... apk

Typical MS fanboys

Only fucked up Microsoft fanboys would try to defend an exploit that's been in the wild and infecting Windows computers. They would rather the public not know how shitty their OS and security are.

Re:Typical MS fanboys

Yes, because if not for Google, no one would ever have heard that Windows has vulnerabilities.

Microsoft's statement

The VentureBeat article has been updated with a response from Microsoft:

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible." They all routinely release immediate updates for critical exploits. I think even Cisco's IOS has a better track record than Windows in time-to-fix for critical vulnerabilities.

Re:Microsoft's statement

[Etcetera]

The VentureBeat article has been updated with a response from Microsoft:

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible." They all routinely release immediate updates for critical exploits. I think even Cisco's IOS has a better track record than Windows in time-to-fix for critical vulnerabilities.

I might be wrong, but it seems like that's a crack at the security issues within Google's Android ecosystem...

MS isn't the one that let it get to a point where a bazillion hacked devices without updates are in the field a mere year or two after hardware was released.
XP had support for 10 years.

Re:Microsoft's statement

[techno-vampire]

What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible."

True. Very true. However, strictly speaking, only Apple and RHEL have customers.

Re:Microsoft's statement

What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible."

But Microsoft is buzzword compliant. The rest of them just do it. Big difference in the corporate world.

Re:Different from the Kid Gloves They Used for App

[tlhIngan]

Interesting this comes mere days after the story that Google sat on an Apple vulnerability for 5-months? Though maybe given this is being actively exploited the treatment is justifiably different...

Probably because it's exploited.

If it wasn't exploited, Microsoft has a full 90 days. As it is exploited, well, telling doesn't really hurt anyone - they gave Microsoft a heads up and well, telling people about it doesn't really hurt anyone.

The Apple one probably wasn't exploited so Google gave extra time knowing it's a tricky bug to fix.

But once a bug is exploited, there's no advantage to holding back. Microsoft got 10 days to find a mitigation (and for an active exploit, probably reasonable) before it would be revealed to all.

It's safe & verified safe code... apk

See subject (keep blowing your "downmod points" I'm happy to exhaust you of 'em) https://www.virustotal.com/en/...

AND

Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi...

APK

P.S.=> Eat your words idiot - eat your words (lol)... apk

There's "AtomBombing" Windows too

See subject & this https://www.helpnetsecurity.co...

* Which thank goodness only means someone has to be ignorant enough to download & execute a malware for it to work @ all in the 1st place...

APK

P.S.=> HOWEVER - that's what I built this for to prevent that happening:

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Blocking out known maliciously scripted sites or bad executables on them (for more security, speed, reliability & anonymity for LESS than other "so-called 'solutions'", w/ what you already have, natively)

VERIFIED SAFE - https://www.virustotal.com/en/... + Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... ... apk

Cool

Mutually assured destruction of proprietary platforms. Let the games begin!

Re:Different from the Kid Gloves They Used for App

[AmiMoJo]

No, the difference is that the Windows exploit is being actively used in the wild by malware. It's better to know about it so we can mitigate the risk as much as possible.

In Apple's case no-one was taking advantage of the flaw, as far as we know, so it was better to keep it quiet while they fixed it.

Zero day exploit

[JonathanP.Bennett]

Once actively exploited, the proper response is to publicly announce the exploit. This is standard and acceptable practice. Someone is grinding an anti-google axe on this non-story.

Exploits in the wild

[l2718]

The goal of keeping mum on security vulnerability until the vendor fixes it is to prevent potential attackers from learning about the vulnerability. The discoverer decides that users of the software are better off not knowing about the problem because they'd rather attackers don't know either.

Here, according to TFA, there are already exploits in the wild. In that situation MS users are already at risk; Google keeping mum can only hurt them (by keeping them ignorant of the vulnerability) but won't help (because the attackers already know).

Re:Exploits in the wild

because the attackers already know

Not all potential attackers knew. Now everybody knows and the attacks will multiply in numbers, affecting many more users. No, Google's project zero scums definitely need to get a fucking grip.

Re:Exploits in the wild

[rtb61]

Technically speaking also there is the problem of criminal negligence and the culpability that arises from that ie you knew about the fault, you did not tell me and I suffered as a result, that fault now lies with those who kept the risk secret from me. Now that really brushes up super close to wilful culpable criminal negligence. Face the reality, software programmers have got away with a shit bucket ton of stuff they should never have got away with and the law is catching up to them.

Re:Exploits in the wild

[drakaan]

If there are attacks in the wild, then all attackers know (or *can* easily know). Now, all IT professionals can *also* know and decide what to do about it until there's a patch. Responsible disclosure isn't just about when not to say anything, it's also about when to say something.

Re:Exploits in the wild

Microsoft's announcement shows the opposite. The attackers were related to the Russian military and they were keeping this to themselves.

Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days in targeted attacks.

See more at Kaspersky's blog.

I didn't (I don't even use FF)... apk

See subject: You must be confusing me w/ someone else man - as again, I don't use FireFox in any form (for years now). It's that or someone is "impersonating me" again (no 1st by any means, lol).

* On this "atombomb" stuff though: It's been known & out for days now - I was really, Really, REALLY surprised /. didn't do a writeup on it... it's "big news" (exploiting OLD stuff like DDE communication to do its dirty-work...).

APK

P.S.=> "Onwards & UPWARDS"... apk

Re:I didn't (I don't even use FF)... apk

It's that or someone is "impersonating me" again (no 1st by any means, lol).

If only there were some way to "authenticate" a user on a forum website, so everybody could be sure that a particular person is posting...

APK

Re:I didn't (I don't even use FF)... apk

[UnknownSoldier]

OK, thanks for the clarification. Must have been another AC. :-/

10 or 30 days, will it be fixed at all?

[Darkness+Of+Course]

Chance that MSFT fixing W* that isn't W10 is zero. They want their telemetry damn it!

Dear effete loser 'impersonating' me

See subject: Did I run you dry of 'downmodpoints' again that you're weakly attempting to 'impersonate me' again? LMAO - yes!

APK

P.S.=> It's a pity "your kind" (no talent scumbag trolls) has to be around - so, grow up, do something useful w/ your wasted life instead please... apk

Re:Dear effete loser 'impersonating' me

See again: I'm mildy retarded

APK

P.S.=> lol

What is a 0-day?

The article says
"A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it."

Wiki says
  It is known as a "zero-day" because it is not publicly reported or announced before becoming active, leaving the software's author with zero days in which to create patches or advise workarounds to mitigate its actions.[2]

The article is bull, I'm going with wiki on this. On the 21st, it was a 0-day which was being exploited.
On the 22nd, Microsoft had known for a day, so it was a 1-day being exploited and so on.

Hopefully, Google publishing now will prevent it from becoming a 30, or 60, or 100-day bug being exploited.
Does anyone have statistics to say something shorter would have been more likely?

Re:Fuck you Microsoft

[Master5000]

Microsoft didn't start the trend of spying on your users. Google did. Google is much worse than Microsoft ever dreamed of becoming.

Outta "downmod points" loser? Yes, lmao

I see you're ALL OUT OF "DOWNMOD" POINTS (awww, too bad) & I ran you outta 'em, hahaha https://tech.slashdot.org/comm...

* Always a pleasure showing EVERYONE how effete & WEAK you truly are which IS your own fault for being a no talent scumbag (that all you have is giving others doing well like myself shit, but we can ALWAYS shit on "your kind" easily with the truth of what you are & you KNOW it)... lol!

APK

P.S.=> I can't IMAGINE what it's like being a punk like you - a TOTAL loser who I've gotten the best of SO MANY TIMES you now must stalk me by unidentifiable ac posts OR 'impersonate' me as there's NO WAY you could ever, EVER technically get the better of me - butthurt as you are stupid, you need PREPARATION H, hahaha... apk

Re:Different from the Kid Gloves They Used for App

[OneHundredAndTen]

Apple Market Share: 3-5% Windows Market Share: 90% Everything else: Math%

Not in phones, tablets, servers, supercomputers, etc.

exploit requires unpatched Flash

[doug141]

FTA: "A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated."

Re:Fuck you Microsoft

[Miamicoastguard]

Yup

Re:Different from the Kid Gloves They Used for App

a microcosm of Google's user base.

I don't think that word means what you think it means.

How does that make matters worse?

[Sun]

To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild.

How does that make matters worse? Exploit being used in the wild is the standard reason to expedite public disclosure. If the bad guys already know about the bug, there is no sense in keeping the legitimate users in the dark.

Shachar

It's safe & verified safe code... apk

See subject (keep blowing your "downmod points" I'm happy to exhaust you of 'em) https://www.virustotal.com/en/...

AND

Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi...

NOTICE YOU BLEW MORE OF YOUR MODPOINTS A DAY LATER TRYING TO HIDE LAST TIME I POSTED THIS (lol, to your dismay & no avail) too https://tech.slashdot.org/comm...

APK

P.S.=> Eat your words idiot - eat your words (lol) & KEEP BLOWING AWAY YOUR "DOWNMOD POINTS" - You'll run DRY AGAIN today courtesy of "yours truly" getting you to EXHAUST THEM (but I can always repost again, as I have now, & you'll lose again as usual vs. me, lol)... apk

There's "AtomBombing" Windows too

See subject & this https://www.helpnetsecurity.co...

* Which thank goodness only means someone has to be ignorant enough to download & execute a malware for it to work @ all in the 1st place...

APK

P.S.=> HOWEVER - that's what I built this for to prevent that happening:

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Blocking out known maliciously scripted sites or bad executables on them (for more security, speed, reliability & anonymity for LESS than other "so-called 'solutions'", w/ what you already have, natively)

VERIFIED SAFE - https://www.virustotal.com/en/... + Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... ... apk

LOL

look into windows ten telemetry some time chump

XP and lower don't have this API in user32.dll

This bug is only on modern bloated Windows versions. Probably from Vista going up to Windows 10.
I disassembled user32.dll and win32k.sys on my XP to fix this bug manually, but the function NtSetWindowLongPtr() is just not there in user32 lib.

Re:XP and lower don't have this API in user32.dll

Old is gold.

Re:Different from the Kid Gloves They Used for App

> In Apple's case no-one was taking advantage of the flaw

AH-HAH.

So, basically Dirty CoW for Windows?

To all M$ fanbois, This clearly shows closed source clearly has more security than open source.

Irresponsible

Only ten days from alerting Microsft of the bug to alerting the potential victims.

That's like waiting only ten days from alerting condom manufacturers that there is a rapist in the neighborhood to informing the public.

It's safe & verified safe code... apk

See subject (keep blowing your "downmod points" I'm happy to exhaust you of 'em) https://www.virustotal.com/en/...

AND

Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi...

NOTICE YOU BLEW MORE OF YOUR MODPOINTS A DAY LATER TRYING TO HIDE LAST 2 TIMES I POSTED THIS (lol, to your dismay & no avail) too https://tech.slashdot.org/comm...

APK

P.S.=> Eat your words idiot - eat your words (lol) & KEEP BLOWING AWAY YOUR "DOWNMOD POINTS" (twice already!) - You'll run DRY AGAIN today courtesy of "yours truly" getting you to EXHAUST THEM (but I can always repost again, as I have now, & you'll lose again as usual vs. me, lol)... apk

There's "AtomBombing" Windows too

See subject & this https://www.helpnetsecurity.co...

* Which thank goodness only means someone has to be ignorant enough to download & execute a malware for it to work @ all in the 1st place...

APK

P.S.=> HOWEVER - that's what I built this for to prevent that happening:

APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?...

Blocking out known maliciously scripted sites or bad executables on them (for more security, speed, reliability & anonymity for LESS than other "so-called 'solutions'", w/ what you already have, natively)

VERIFIED SAFE - https://www.virustotal.com/en/... + Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... ... apk

what the...

[sad_]

this security issue is found, reported, confirmed to be exploited in the wild.
yet MS will release a patch next week...

no comments on this? i mean, that local exploit on linux (dirty cow) was patched in an instant and every major distro had the patch available within a day.

Re:Different from the Kid Gloves They Used for App

[Luthair]

Depends on how widespread it seems to be really, if there are relatively few instances then it might make sense to not publish it make the entire world aware of it.

In honor of 1 of my boyhood hero's day today

See subject: DORMAMMU? I dabbled w/ such PUNY tricks when I was but a child (lol) -> http://www.supermegamonkey.net...

* :)

(NOW, you're caught in a time loop that I always win... see below)

APK

P.S.=> See the film Dr. Strange (rocks, I just did + own the very 1st issues of "Strange Tales" too (should skyrocket in value)) & of course, this (which made my words true, you ran outta bullets (lol)) -> https://tech.slashdot.org/comm... (as I said)... apk