Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft (venturebeat.com)
An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems. In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
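The mitigation the summary credits with stopping this bug in Chrome is the per-process "disable Win32k system calls" policy: a process started under it cannot reach win32k.sys at all, so a win32k bug such as the NtSetWindowLongPtr() one is unreachable from that process. Chrome applies the policy to its own renderer processes at startup. The script below is an added example, not code from the article, from Google or from Microsoft; it applies the same policy to an arbitrary executable and reads it back. It assumes Windows 10 1709 or later (the Set-ProcessMitigation cmdlet arrived with Windows Defender Exploit Guard, after the build this 2016 story concerns), an elevated shell, and a placeholder process name myworker.exe that stands in for a process which never creates windows. The SystemCalls.DisableWin32kSystemCalls property path is taken from what Get-ProcessMitigation reports in its SystemCalls section.

```powershell
# Added example: apply and verify the "disable Win32k system calls" process mitigation
# (the Win32k lockdown the summary refers to). Not the article's or Chrome's own code.
# Assumes Windows 10 1709+ and an elevated shell. myworker.exe is a placeholder name.
#Requires -RunAsAdministrator
param(
    # Placeholder target. Only processes that never touch USER/GDI can run under this
    # policy; a GUI process started with it fails as soon as it tries to create a window.
    [string]$ProcessName = 'myworker.exe'
)

# Set-ProcessMitigation shipped with Windows 10 1709 (build 16299); refuse to run on older hosts.
$min = [version]'10.0.16299'
$os  = [version](Get-CimInstance Win32_OperatingSystem).Version
if ($os -lt $min) {
    throw "Set-ProcessMitigation needs Windows 10 1709 or later; this host reports $os"
}

# Enable the mitigation for every future instance of the named executable.
# Processes launched under this policy cannot call into win32k.sys, so a win32k
# local privilege escalation cannot be used as a sandbox escape from them.
Set-ProcessMitigation -Name $ProcessName -Enable DisableWin32kSystemCalls

# Read the effective setting back and fail loudly if it did not stick.
$m     = Get-ProcessMitigation -Name $ProcessName
$state = $m.SystemCalls.DisableWin32kSystemCalls
"{0}: DisableWin32kSystemCalls = {1}" -f $ProcessName, $state
if ($state -ne 'ON') {
    throw "Mitigation was not applied to $ProcessName"
}
```

The policy is only a fit for processes that do no windowing of their own, which is why browsers apply it to renderers rather than to the main browser process; applied to a GUI executable it is a denial of service, not a hardening.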
With no exploit in the wild, Google should quietly inform MS. With an exploit in the wild, it has already been publicly disclosed, but to a limited audience, so Google should disclose widely, so everyone is informed of the exploits.
What in that behavior do you find unethical?
Interesting that this comes mere days after the story that Google sat on an Apple vulnerability for 5 months? Though maybe given this is being actively exploited the treatment is justifiably different...
Not only that, the arguably ethical thing to do is to always disclose. In most cases the exploits are being actively used (see previous link).
Irresponsible disclosure is responsible
Vulns. already being exploited in the wild are published 7 days after reporting them to the vendor. This is nothing new and is Google's policy on this (dated 2013).
See: https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html
Sleazy attempt to paint Google in a bad way. This flaw is already being exploited, the bad guys already know about it!
Apple Market Share: 3-5%
Windows Market Share: 90%
Everything else: Math%
Google wants to put as much pressure on MS to get them to fix the problem as quickly as possible as this vulnerability affects the largest market share of Google's Product.
We all know all those windows users will blame Chrome for infecting their machine Because Reasons(TM) so let Google force MS into fixing this issue ASAP.
Apple's vulnerability? Who cares, it affects a microcosm of Google's user base.
I think it's "If you're using Chrome under Windows 10, and someone tries to hack you using, say, a hacked plugin, Chrome will be able to sandbox this. In any other configuration, you're screwed."
Yes, because if not for Google, no one would ever have heard that Windows has vulnerabilities.
First it starts with having an understanding of what's going on. Then it continues with realizing that an assumption isn't necessarily true, and finishes with finding a means to force that assumption to be invalid.
One of my favorite exploits is a privilege-escalation issue on very old Linux systems. In short, you run a program that crashes and drops raw memory into cron's job folder, and when cron looks at the dump, it sees something that looks like a job spec, so cron happily runs whatever was in that memory dump, as root.
This exploit existed because Linux would assume that dropping a file would always be a safe thing to do, while cron assumed that only root would be able to drop files in its job folder. Together, they made a vulnerability.
You do not have a moral or legal right to do absolutely anything you want.
I notice you failed to answer the question. I take it to mean you've never worked in a company that gave their programmers time to make sure the software was secure.
In most companies it's the opposite: the "rush to market" is so important that security can "wait until later."
The VentureBeat article has been updated with a response from Microsoft:
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible." They all routinely release immediate updates for critical exploits. I think even Cisco's IOS has a better track record than Windows in time-to-fix for critical vulnerabilities.
I might be wrong, but it seems like that's a crack at the security issues within Google's Android ecosystem...
MS isn't the one that let it get to a point where a bazillion hacked devices without updates are in the field a mere year or two after hardware was released.
XP had support for 10 years.
No, the difference is that the Windows exploit is being actively used in the wild by malware. It's better to know about it so we can mitigate the risk as much as possible.
In Apple's case no-one was taking advantage of the flaw, as far as we know, so it was better to keep it quiet while they fixed it.
Once actively exploited, the proper response is to publicly announce the exploit. This is standard and acceptable practice. Someone is grinding an anti-google axe on this non-story.
The goal of keeping mum on security vulnerability until the vendor fixes it is to prevent potential attackers from learning about the vulnerability. The discoverer decides that users of the software are better off not knowing about the problem because they'd rather attackers don't know either.
Here, according to TFA, there are already exploits in the wild. In that situation MS users are already at risk; Google keeping mum can only hurt them (by keeping them ignorant of the vulnerability) but won't help (because the attackers already know).
If you disagree, and you're a programmer, then answer this: do your managers give you extra time on your tasks to make sure your code is secure? Have they ever encouraged you to care about security, or is it the opposite? Do they encourage you to treat user input carefully, and as a potential exploit?
Yes, yes and yes.
Further, there are explicit security review processes at the concept, design and implementation stages (there are also privacy reviews which have a similar structure but a different focus). There are mandatory internal training courses that all developers must attend which train developers about user input validation as well as considerably more sophisticated security issues. There are teams whose entire focus is security, to build secure infrastructural components which make it difficult for the general developer population to build insecure software. There are other teams whose whole job is to find vulnerabilities. There are large systems that do nothing but automated fuzz testing of our products. Third party penetration testing teams are regularly hired to attempt to find vulnerabilities, and those teams are given the wholehearted support of the development teams, and full access to all relevant information. External researchers are paid hefty bug bounties for reports of vulnerabilities in our products. Discovery of security vulnerabilities provokes a post-mortem process to analyze how the vulnerability was created and to identify what changes to tooling, processes or training could have prevented the vulnerability from being created.
And you know what? There are still security bugs.
Yes, software companies should make a serious attempt to write secure code. No, it is not reasonable to expect that they'll succeed, not in the general case, not without increasing the cost of software by two or three orders of magnitude. Reasonable effort in design and implementation, defense in depth, actively seeking vulnerabilities and aggressive patch deployment are the best we know how to do in the general case.
How does that make matters worse? Exploit being used in the wild is the standard reason to expedite public disclosure. If the bad guys already know about the bug, there is no sense in keeping the legitimate users in the dark.