Slashdot Mirror


Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com)

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-days deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, for March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

122 comments

  1. Control vs. Security by ZP-Blight · · Score: 4, Insightful

    This is what happens when control overtakes security as a priority.

    --
    Zoom Player Lead Dev.
    1. Re:Control vs. Security by Anonymous Coward · · Score: 0

      Spoken like someone who has absolutely zero knowledge of the operational side of the business.

    2. Re:Control vs. Security by Anonymous Coward · · Score: 2, Informative

      Microsoft could always, you know, fix their goddamn bugs.

    3. Re: Control vs. Security by jackspenn · · Score: 2

      An honest question, why does Google drop bugs about MS at or before 90 days, while giving Apple 1+ year to fix bugs in past. I'm arguing what position Google should take, but rather suggesting Google be uniform in the standard they apply to everyone. Whatever they do regarding OS X, iOS or the Linux kernel should be the same way they treat Windows and vice versa.

      --
      Respect the Constitution
    4. Re: Control vs. Security by Threni · · Score: 1

      The linux kernel is open source. Why would you treat that the same way as a closed-source, proprietary product?

    5. Re: Control vs. Security by Anonymous Coward · · Score: 4, Informative

      My perception is that, for the prior MS bug and this one, the difference between Apple and Microsoft was that Microsoft didn't ask Google to delay disclosure.

      If you look at, say, this one: https://bugs.chromium.org/p/project-zero/issues/detail?id=837#c3

      You'll see that Apple had to request an extension, get denied it, then set up meetings to explain why they needed it, get denied a partial disclosure extension AGAIN, and then it escalated before they got a further extension.

      I would have expected that MSFT could have at least gotten the 14d extension on the 90d disclosure deadline, even if they couldn't push it all the way to the next Patch Tuesday.

    6. Re:Control vs. Security by Anonymous Coward · · Score: 2

      Yes, because users don't have the right to know what is wrong with their operating system so that they can take action to defend against it.

      Blissfully ignorant people like you are the reason why viruses and worms get spread around.

    7. Re: Control vs. Security by Anonymous Coward · · Score: 3, Insightful

      10 months isn't long enough to fix something?
      Especially something Microsoft supposedly fixed 8 months ago?

    8. Re: Control vs. Security by Anonymous Coward · · Score: 0

      Or Google can just not be a dick about everything.

    9. Re: Control vs. Security by whoever57 · · Score: 1

      Perhaps it was intended to be in the now-cancelled February patch Tuesday.

      --
      The real "Libtards" are the Libertarians!
    10. Re: Control vs. Security by ArmoredDragon · · Score: 4, Informative

      How is Google being a dick? They're following common industry practices. Public disclosure does two things:

      - Deadlines put pressure on the software vendor to patch their shit sooner rather than later (without a deadline, or an unenforced deadline, they tend to just sit on bugs for a long time.)
      - If the software vendor fails to patch their product, then at least the end users can come up with their own countermeasures (i.e. adding IDS signatures, switching to different software, suspending services, creating workarounds, etc) before some rogue actor takes advantage of them.

      If Google didn't stick to these timelines, and/or delayed them on a whim, then there may as well be none.

    11. Re: Control vs. Security by Zaelath · · Score: 2

      How far in the past? https://arstechnica.com/securi...

    12. Re: Control vs. Security by Anonymous Coward · · Score: 0

      Google does what Google wants, sometimes with little or no regard for others. Not new at all.

    13. Re: Control vs. Security by Anonymous Coward · · Score: 0

      Code is code, regardless of open or closed. Google should either give microsoft 1 year, or give apple 90 days. Same with unix.

    14. Re: Control vs. Security by Anonymous Coward · · Score: 0

      I think it's because Windows bugs are more threatening.. just saying.

    15. Re: Control vs. Security by Anonymous Coward · · Score: 1

      Except Google didn't create the flaw in Windows. Microsoft alone did that and is responsible for what happens with it.

      Google just made sure that instead of only the bad guys using this exploit, that the good guys can now fix what Microsoft refuses to.

    16. Re: Control vs. Security by Anonymous Coward · · Score: 1

      Depends on how many other things the "fix" breaks.

      While most software fixes are simple, many are not as simple as people think. Why do you think companies delay patching something for months?

    17. Re:Control vs. Security by Anonymous Coward · · Score: 0

      > This is what happens when control overtakes security as a priority.

      This is what happens when chasing unicorns overtakes security as a priority.

      There, FTFY.

    18. Re:Control vs. Security by gweihir · · Score: 1

      More like greed and stupidity. Both qualities MS has amply demonstrated in the past and is continuing to push as core values.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:Control vs. Security by gweihir · · Score: 1

      Funny. Not even remotely true, of course. It is just a dishonest excuse for not caring about their customers at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re: Control vs. Security by gweihir · · Score: 1, Troll

      You are either stupid or trolling.

      First, MS did actually get something like a year here. And second: The policy is simple: Get 90 days unless there are some special circumstances. There were none (except gross incompetence by MS), hence the bug got published after they failed again (!) to fix it and it was already being exploited.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re: Control vs. Security by gweihir · · Score: 1, Troll

      Because these morons do not actually want to do anything about the problem, they are just looking for excuses for MS. How somebody can be this stupid is beyond me, but "happy slaves" are apparently a reality.

      Incidentally, for serious security vulnerabilities, the Linux kernel has time-to-fix considerably less than 90 days. Times of below 12h after reporting have been observed. There is no issue to be fixed here, the Linux folks are doing their job. The problem is that MS is not doing theirs and are endangering hundreds of millions of people in the process.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re: Control vs. Security by gweihir · · Score: 1

      Indeed. MS did not even manage to ask for an extension. Apparently they are now completely dysfunctional when it comes to security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    23. Re: Control vs. Security by gweihir · · Score: 1

      Very old, very well known to anybody that bothered to find out. Yet these clueless morons that are claiming differently crop up time and again. It is a disgrace and just shows that some people are utterly disconnected from reality.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    24. Re:Control vs. Security by gweihir · · Score: 1

      In particular, unicorns nobody needs like their progressive destruction of a reasonable GUI.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    25. Re: Control vs. Security by mugurel · · Score: 1
      You ask:

      > ... why does Google drop bugs about MS at or before 90 days, while giving Apple 1+ year to fix bugs in past?

      Microsoft appears to give the answer to that question itself in the blog referenced by TFA:

      > Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.

      https://blogs.technet.microsof...

    26. Re: Control vs. Security by Anonymous Coward · · Score: 0

      > An honest question, why does Google drop bugs about MS at or before 90 days, while giving Apple 1+ year to fix bugs in past.

      Google personnel is using MacBooks extensively, that's why. It was in the news about 1-2 years ago that Google began switching employees from Chromebooks to MacBooks.

      I think Project Zero is a disgrace and the project head needs to spend some time in jail for disclosing unpatched vulnerabilities.

    27. Re:Control vs. Security by Anonymous Coward · · Score: 0

      and you know this is the case because...?

    28. Re:Control vs. Security by Z00L00K · · Score: 1

      Security has never been a strong point by Microsoft, they have always been in a situation of one or two steps behind.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    29. Re: Control vs. Security by Anonymous Coward · · Score: 0

      As much as I want to be pro Linux, Microsoft is a company that must concern itself with app crashes.

      In 12 hours, little to no testing of external apps that could have issues develop. MS has to worry about corporate clients and noobs alike, blaming Windows for crashing (and not because of a broken app depending on a broken component)

    30. Re: Control vs. Security by Anonymous Coward · · Score: 0

      Security fixes are simple once you know about the problem because someone reported it. At worst, if the underlying problem is so hard, you disable and ship reduced functionality until it is fixed. That puts even more pressure on the fixing team.

      Fixing performance problems, clunkiness & design bugs - now that could be slow. But adding a few "if"s to immediately sidestep a security problem isn't hard. Properly fixing a security problem is usually not that hard either.

    31. Re: Control vs. Security by gweihir · · Score: 1

      I am not asking for them to do it in 12h. But if they cannot make 90 days, then they are utterly incompetent or their product is so borked it should never have been put on the market.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    32. Re: Control vs. Security by Anonymous Coward · · Score: 0

      So every security researcher should be in jail then? By definition a vulnerability is unpatched.
      If it's patched it's no longer vulnerable. How do you suggest they disclose vulnerabilities then?

    33. Re: Control vs. Security by nehumanuscrede · · Score: 1

      Sometimes you have to hold their feet to the fire before they will take action.

      Better to know of a vulnerability and force MS to fix it as a priority rather than letting it stay a secret known to only a few and have MS fix it whenever they get around to it.

    34. Re:Control vs. Security by TemporalBeing · · Score: 1

      > Microsoft could always, you know, fix their goddamn bugs.

      Microsoft has had a long history of fixing and unfixing bugs - where one update would fix a bug, and another would undo the fix. They had a nasty WMF (Windows Metafile Format) that was patched and unpatched for 20+ years; I think they finally got it patched without any rollbacks when they patched it in Windows 8 or 8.1 (at least, that's the last time I heard about it; wouldn't surprise me if it showed up in Windows 10 again).

      IOW, they have really bad patch management and QA/QE processes. It's amazing they get anything out the door at all.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    35. Re: Control vs. Security by Anonymous Coward · · Score: 0

      > Why do you think companies delay patching something for month[s]?

      Because they hope that if they ignore it long enough then it's not news anymore and everyone forgets that the problem exists. That way, they don't have to fix it ever (fixing would cost money and why spend money when you can also not spend it?)

    36. Re:Control vs. Security by nontwit · · Score: 1

      yes but why fix them if they can offer a whole new OS.....win11.....job security

    37. Re: Control vs. Security by Anonymous Coward · · Score: 0

      They probably couldn't find a phone number on Google's website.

    38. Re:Control vs. Security by Anonymous Coward · · Score: 0

      Just go away

    39. Re: Control vs. Security by Anonymous Coward · · Score: 0

      Lol just go away, hop off M$'s cock you dick-rider.

    40. Re: Control vs. Security by Anonymous Coward · · Score: 0

      Sorry but how are they making sure that the good guys are protected, there being no patches for the moment? At best more bad guys know the bug now and that will be the case until there's a patch from Microsoft. Honestly both are to blame here - Google for releasing while a patch is non-existent and Microsoft for delaying the patch release. We don't know what happened behind the doors so the rest is speculation.

  2. Wrong Headline by Anonymous Coward · · Score: 5, Insightful

    Shouldn't the headline be "Microsoft fails to fix exploit for months"?

    1. Re:Wrong Headline by Anonymous Coward · · Score: 0

      90 days = 3 months. Though I agree, a company like Microsoft should be able to fix this issue in days, maybe weeks including extensive testing.

    2. Re: Wrong Headline by Anonymous Coward · · Score: 0

      90 days to escalate the issue internally, approve the ticket, get a fix in the pipe, test it thoroughly and release it? Yea, sure, plenty of time.

    3. Re:Wrong Headline by moronoxyd · · Score: 4, Informative

      Microsoft was first informed about these bugs in June 2016. That is a lot more than 90 days. They didn't manage to fix all the bugs and basically got an extension when Google resubmitted the still open bugs in November. Yet they still didn't manage to fix the bugs.

    4. Re:Wrong Headline by Anonymous Coward · · Score: 0

      That's not news

    5. Re: Wrong Headline by Anonymous Coward · · Score: 1

      > 90 days to escalate the issue internally, approve the ticket, get a fix in the pipe, test it thoroughly and release it? Yea, sure, plenty of time.

      Yes, that is more than enough time for a competent software development company to provide a fix.

    6. Re:Wrong Headline by Sir+Holo · · Score: 1

      > Shouldn't the headline be "Microsoft fails to fix exploit for months"?

      Technically, yes, you are correct.

      But if this were applied in reality, there would be so many news articles of the same name – each tranche covering yet another un-patched MS exploit, that it would become impossible to follow any individual one.

      There are just so many of these things. . . We need a way of telling one from another.

    7. Re:Wrong Headline by Solandri · · Score: 3, Interesting

      TFA (which summary quotes) implies the fix was in the February update which Microsoft delayed. So the courteous thing to do would've been to extend disclosure beyond 90 days until after the March update.

      OTOH, the entire reason Microsoft had to delay the February update was because they insisted on lumping all the patches into one huge mega-update. If they'd stuck with individual updates as before, then the crucial security patches would've gone out on time, while only the problem patch would've been delayed. So it's still Microsoft's fault.

    8. Re: Wrong Headline by Anonymous Coward · · Score: 0

      You act like that's a lot of work. This should have taken, at most, one month to do.

      If you worked at my company, you'd have been fired for slacking off.

    9. Re:Wrong Headline by gweihir · · Score: 1

      Indeed. And add to that "which was already being exploited".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re: Wrong Headline by gweihir · · Score: 1

      If you do software security this way, then you are unfit to provide software with any security criticality. 90 days is already stretching it considerably. 2-4 weeks would be reasonable.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re: Wrong Headline by Anonymous Coward · · Score: 0

      What Operating System does your company make?

    12. Re:Wrong Headline by rot16 · · Score: 1

      Can you people please upvote this one?

    13. Re:Wrong Headline by RyoShin · · Score: 1

      > So the courteous thing to do would've been to extend disclosure beyond 90 days until after the March update.

      And if the March update becomes the April update...?

  3. Ironic by Anonymous Coward · · Score: 0

    Doesn't Google have its own bugs to look after?

    1. Re: Ironic by mrscorpio · · Score: 1

      It's almost like companies can have different functions being tackled by different teams.

  4. Microsoft deserved it by bongey · · Score: 5, Informative

    The bug was actively being used to exploit windows. Letting people know there is active exploit is more important than bad PR for Microsoft.

    1. Re:Microsoft deserved it by Anonymous Coward · · Score: 0

      This exactly!

    2. Re: Microsoft deserved it by chaboud · · Score: 5, Insightful

      Which is why a 90 day disclosure to public announcement deadline is a reasonable measure. If a bug can be discovered by a nice engineer, it can also be discovered and exploited by a malicious one.

      People being mad about this announcement would be akin to people being angry about leaks from Trump's administration rather than the malfeasance uncovered, which would be, you know... Ludicrous.

      Or Snowden, etc...

    3. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      i second

    4. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      mee too!

    5. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      > the malfeasance uncovered

      Gonna be a looooong 8 years for you guys if you insist on keeping the manufactured outrage needle pegged at 11 the whole time.

    6. Re:Microsoft deserved it by Anonymous Coward · · Score: 2, Insightful

      Because Google does such a great job ensuring the same for their Android users. /sarcasm

      If patches can't make it to end users, they're just as culpable. They created their situation.

    7. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      Trump's third term doesn't end until 2029.

    8. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      Jah, das is güt jah

    9. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      In case you haven't heard, it's legal to be homosexual. You might want to come out of the closet, it'll release a lot of the self-hatred you have boiling inside.

    10. Re: Microsoft deserved it by Anonymous Coward · · Score: 0

      Being legal doesn't make you any less dead when some neo-nazi Klan member decides to bludgeon you to death, spurred on by his president's words of encouragement legitimising his views.

    11. Re: Microsoft deserved it by silentcoder · · Score: 0

      " manufactured outrage" ... so you mean the scandals aren't real ? Trump didn't use money from his foundation to bribe two state DA's not to prosecute him for fraud ? Trump didn't brag about grabbing women by the pussy without asking permission ? Michael Flynn did NOT resign in disgrace possibly setting the record for briefest cabinet tenure in history just last week?

      I can only conclude that you live in a different universe to the rest of us. Where Flynn wasn't fired because he was never hired because your president hired competent people to help pursue his entirely sane policies. Well good luck to President Sanders and I hope he makes your reality even more advanced - from the fact that you can now browse the web in entirely different universes I would say his policies are already paying off since you must be several decades ahead of us technologically !

      --
      Unicode killed the ASCII-art *
    12. Re:Microsoft deserved it by Anonymous Coward · · Score: 0

      And now even more criminals can exploit it to target even more Windows users. Hurray for Google fuckers.

    13. Re:Microsoft deserved it by Anonymous Coward · · Score: 0

      Yeah but you see Android security issues are not really bugs, they are a feature for greedy Google to get even richer on its users' personal information.

    14. Re:Microsoft deserved it by slashrio · · Score: 1

      Then buy a Jolla, or any other phone/tablet with Sailfish OS.

      --
      "Trump!!", the new Godwin.
    15. Re: Microsoft deserved it by bongey · · Score: 1, Offtopic

      > people being angry about leaks from Trump's administration.

      IT'S A TRAP !!!!
      Don't fall for the Trump trigger trap, dammit I said T**** again.

  5. Disappointing? by danhuby · · Score: 5, Insightful

    > Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

    I would describe Microsoft's ability to patch these bugs within a reasonable timeframe as "disappointing".

    1. Re:Disappointing? by Gravis+Zero · · Score: 2

      I would describe Microsoft's pattern of constantly distributing deeply flawed software as "inexcusable".

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:Disappointing? by wbr1 · · Score: 4, Funny
      The correct verbiage now is as follows:

      So-called tech company releases fake news. SAD!

      --
      Silence is a state of mime.
    3. Re:Disappointing? by Luthair · · Score: 1

      I have this recollection that Google delayed publishing an Apple vulnerability for quite a while.

    4. Re:Disappointing? by Anonymous Coward · · Score: 0

      To be fair who knows how long the testing process is at MS. Hopefully it doesn't take that long but thousands of hardware configurations and thousands of software configurations to test .... their problem is much harder than testing a web app on single architecture servers that you control. Part of this might be a valid point in favor of Google's offerings but at the same time it might be a big FU from a company dealing with much simpler problems when it comes to deployment of new code. Similar to Apple's bragging about how quickly new releases get adopted vis windows at the same time of not giving two turds to the enterprise market. At some level the diversity of your ecosystem and the acceptance of change of your customers are real valid factors.

    5. Re:Disappointing? by Anonymous Coward · · Score: 0

      This is a bug in GDI... the scope of what is affected and how is potentially ridiculous. It could go back to Windows 3.1.

    6. Re:Disappointing? by Zaelath · · Score: 1
    7. Re: Disappointing? by Anonymous Coward · · Score: 1

      LOL... you have no idea how testing works at Microsoft now. These days, the candidate software is given to an intern and if he can boot his machine and play Solitaire then it's deemed ready for release.

    8. Re:Disappointing? by Anonymous Coward · · Score: 0

      I'm so glad it was "disappointing".

      Yes.

      Much better than "...disturbing"

    9. Re:Disappointing? by SuperDre · · Score: 1

      Sometimes it's not that simple to fix bugs, a lot of other applications depend on systemwide features, so you cannot change the workings (if they have followed the API as it was intended) to fix security bugs. It also has to be tested thoroughly, and that just takes time. And as I say, some 'bugs' maybe aren't even fixable due to how the API works.
      Also this team are a bunch of hypocrites, because they have extended publication beyond the 90 days of google software themselves..
      It's a security flaw, but it doesn't mean it's an actual bug, it may work as intended, but is now seen as a potential security threat.

    10. Re: Disappointing? by silentcoder · · Score: 1

      They replaced the intern with a badly trained and quite incontinent labradoodle last week.

      --
      Unicode killed the ASCII-art *
    11. Re:Disappointing? by slashrio · · Score: 1

      And there you have it: The back-door NSA has been using for a long time.

      --
      "Trump!!", the new Godwin.
    12. Re:Disappointing? by Anonymous Coward · · Score: 0

      Believe me I have patched this gdi32.dll bug on my machine without the source. Nothing escapes IDA and Hex-Rays. This is a very simple bug, boundscheck and sanitation of the data. Even an undergrad can fix this, I think this is what M$ gets for hiring incompetent programmers who grew up coding in VB.

      captcha: disagree

  6. Poor spin on what actually happened by Anonymous Coward · · Score: 3, Insightful

    This is a pretty disappointing spin on what sounds like actually happened.

    So... March 2016 they found it and suggested a fix. The June patch by Microsoft was insufficient, so they told them (again) in November 2016 they need to fix it. Microsoft had an additional 90 days to patch the bug (which is pretty standard practice in the industry), and didn't fix a YEAR OLD bug

    What was Microsoft expecting here? I would expect the same to happen to Google, Apple, or any other big company if it took them that long to fix a bug that's been known for that long.

    1. Re:Poor spin on what actually happened by Anonymous Coward · · Score: 0

      The same doesn't happen to google though, google hide their vulnerabilities behind a veil of secrecy. As much as it is nice to see everyones issues revealed I wish google would actually get their shit in order first as even Microsoft look good compared to them.

    2. Re:Poor spin on what actually happened by Anonymous Coward · · Score: 0

      If a 3rd party like Microsoft was reporting a bug to Google, how would that be behind a veil of secrecy?

    3. Re:Poor spin on what actually happened by gweihir · · Score: 1

      MS is blatantly riding their exception from liability for what in all other tech products would be called gross negligence and would make the manufacturer criminally and civilly liable. Until they do get that liability, like they should, nothing is going to change.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Poor spin on what actually happened by Anonymous Coward · · Score: 0

      That's kind of a good idea. Then they can trade liability for their source code. Then everybody wins. :D

  7. They dont wanna fix bugs by Anonymous Coward · · Score: 0

    I mean Wifi has been susceptible to SSID spoofing for all these years, and nobody will implement a solution because people don't want to believe it's a problem.

    1. Re: They dont wanna fix bugs by Anonymous Coward · · Score: 3, Informative

      That's a design flaw that affects all platforms. Microsoft can't single handedly fix SSID spoofing. This article however describes a bug in Microsoft code.

    2. Re:They dont wanna fix bugs by Anonymous Coward · · Score: 0

      The fix for this is client certs. It is just that no one uses them.

    3. Re:They dont wanna fix bugs by Anonymous Coward · · Score: 0

      They use them at DefCon :)

  8. Re: Do I need to restart wudhu after windpassing? by Anonymous Coward · · Score: 0

    Unlike all those sensible religions.

  9. LibreOffice? by TheOuterLinux · · Score: 3, Interesting

    It would be interesting to see if this security issue also affects LibreOffice on a Window$ system since it also opens docx files. Anyone know? I'm a Linux user (duh), but even I will admit to how much nicer M$ Office is. I like Apple's iWork stuff too, but having to save a document in a strictly Apple format to keep the cool stuff it'll do isn't worth it vs. practicality. The day LibreOffice supports Google Drive out-of-the-box and has a mobile version, Office 365 doesn't have a chance. Also, something to note on Linux and LibreOffice, there are a whole bunch of command line cheats you can use with LibreOffice, so no GUI needed if you have enough patience. Type a doc with nano or pico and convert to a PDF with "soffice --headless --convert-to : file_to_convert.xxx" There's a lot more you can do with LibreOffice than you can M$ Office, but eye candy gets people every time.

    1. Re:LibreOffice? by fuzzyfuzzyfungus · · Score: 5, Informative

      You can definitely embed Windows Metafile images in LibreOffice on Windows; but I'm not entirely sure if that is enough to make it vulnerable. WMF is dangerous because it is basically a package of GDI function calls, which might be good for efficiency or compactness; but has led to a number of creative and executable things being shoehorned in(as in this case; and repeatedly over the years).

      However, there are several image handling libraries that can render or convert WMF images without access to GDI; so in those cases GDI bugs wouldn't be a problem(though you probably have other things to worry about).

      This Libreoffice VCL documentation suggests that LibreOffice uses its own VCL WMF filters; but I sure wouldn't bet anything remotely important on that without testing it first; or knowing rather more about how LibreOffice is put together.

    2. Re:LibreOffice? by Anonymous Coward · · Score: 1

      WMF's bad security record isn't because it's a list of GDI calls, after all many file format parsers use separate functions or classes for the records in the file and in WMF the calls basically act as drawing primitives.
      No, it's because when loading / playing a WMF file, Windows fails to properly sanitise the file before use. This has historically been one of the two main causes of datafile delivered exploits, the other one being running untrusted code.
      Case in point is the current vulnerability, which is again a sanitisation failure: if a WMF file contains an embedded bitmap, no check is done if there is enough bitmap data present to account for all the pixels given the stated width and height of the bitmap.
      I'm reminded of the early days of PNG. People in the OSS community were heavily pushing for its adoption, but the code quality of the standard PNG decoder was really bad, essentially early alpha quality. And it had a number of serious security vulnerabilities, one of which was quite similar to the WMF vulnerability presented here.
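
The missing check described in the comment above, written out as an added example (not code from the thread, from Google's report, or from Windows): before any pixel is read, the size implied by the bitmap's declared width, height and bit depth is compared with the bytes the record actually carries. The struct and function names are hypothetical, and only uncompressed bitmaps are assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified view of what an embedded bitmap header declares. */
struct dib_claim {
    int32_t  width;      /* pixels per row, must be positive */
    int32_t  height;     /* rows; a negative value means top-down order */
    uint16_t bit_count;  /* bits per pixel */
};

/* Bytes of uncompressed pixel data the header implies, or 0 if the header
 * itself is not acceptable. All arithmetic is done in 64 bits, so the
 * largest 32-bit width and height cannot wrap the result. */
uint64_t dib_required_bytes(const struct dib_claim *d)
{
    switch (d->bit_count) {
    case 1: case 4: case 8: case 16: case 24: case 32:
        break;
    default:
        return 0;
    }
    if (d->width <= 0 || d->height == 0)
        return 0;

    int64_t h = d->height;
    uint64_t rows = (uint64_t)(h < 0 ? -h : h);
    /* Each row is padded up to a multiple of 4 bytes. */
    uint64_t stride = (((uint64_t)d->width * d->bit_count + 31) / 32) * 4;
    return stride * rows;
}

/* True only if the pixel data starting at data_offset lies entirely inside
 * a record of record_size bytes. */
bool dib_pixels_fit(const struct dib_claim *d,
                    size_t data_offset, size_t record_size)
{
    uint64_t need = dib_required_bytes(d);
    if (need == 0 || data_offset > record_size)
        return false;
    return need <= (uint64_t)(record_size - data_offset);
}
```

A parser that rejects the record when `dib_pixels_fit` returns false never reads past the end of the file's data, whatever dimensions the header claims.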

  10. M$ in bed with NSA (NSA Embedded in MS) by Anonymous Coward · · Score: 0

    But, they are so 'disappointed'
    because they do not want to fix the bugs
    in the first place and Google is pissing
    them off.

    Fuck you Microsoft! You have always
    been in bed with NSA.

    And there are more exploits to come.

    1. Re:M$ in bed with NSA (NSA Embedded in MS) by Anonymous Coward · · Score: 0

      If they're in bed with the NSA, wouldn't Microsoft want fewer bugs so more people use Windows and it correctly reports the information to the NSA?

  11. Microsoft dropping Patch Tuesday is disappointing by MoarSauce123 · · Score: 1

    Microsoft dropping Patch Tuesday is disappointing!

  12. Committed to the least they can get away with by jbn-o · · Score: 2

    Microsoft, owner of Skype (which Microsoft changed specifically for spying, not that Skype was trustworthy under its previous owner either as The Guardian tells us, "Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.") and NSA "provider" since 2007-09-11 (the NSA's first PRISM provider) wants us to understand their "commitment to our customers' security". Apparently that commitment is as little as they can get away with.

    That's true of every software proprietor, Google included. The problem is the lack of software freedom which is designed to leave users at the mercy of the only programmers allowed to inspect, alter, and publish improvements to the proprietary software—these are the very programmers users couldn't trust with their security in the first place.

    1. Re:Committed to the least they can get away with by FeelGood314 · · Score: 1

      I'm frustrated by your generalization "That's true of every software proprietor"
      The very large and very visible company that I work for works hard to make sure we stay on top of vulnerabilities. If my team discovers one in any product, nothing else in that product line goes out till the bug is fixed. Also I don't know of any back doors in our products or even any requests for back doors in our products. I do know of requests for back doors or underhanded feature requests that have gone into other companies' products but I've quietly informed them of the true malicious intent of these requests and they have been removed.
      I find it hard to believe good programmers who can easily find new jobs would ever put back doors in their products. Maybe the quality of the code is a good indication of whether or not something was allowed to be slipped in.

  13. It is funny how people are hammering MS's record by Anonymous Coward · · Score: 0

    Not defending Microsoft, but it is kind of funny that people are complaining about MS's record .... when Google's Android is the new Windows ME ... full of security holes, unstable, full of built-in spyware and (for the most part) not getting patches.

  14. Other files? by SeaFox · · Score: 1

    The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

    Can we hear about other attack methods? So far this sounds like an issue that isn't going to impact people not using Microsoft Office or DOCX files.

  15. 'Disappointing', eh? by fuzzyfuzzyfungus · · Score: 4, Insightful

    So, yet another exploit in GDI; an initial attempt at a fix that didn't actually work; a second attempt that was delayed a month (along with a reasonably juicy SMB issue; and probably some other stuff); and the disclosure is the 'disappointing' part? How eminently plausible.

    1. Re:'Disappointing', eh? by gweihir · · Score: 2, Interesting

      MS needs to be either kicked hard until they get that they have a responsibility, or they need to be made completely obsolete. 90 days is plenty. I say we call not fixing reported security-bugs in 90 days gross negligence and make them per default liable for all hacks of their "OS" that happen afterwards until they patch and with no possibility to prevent that liability in the TOU.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. So MS is still unable to patch within 90 days? by gweihir · · Score: 3, Interesting

    Why are we trusting these people to provide widely-used software, again?

    A reasonable time-frame to patch security vulnerabilities is like 2...4 weeks. 90 days is already stretching it considerably and they still are too incompetent or uncaring to make that long deadline. Google is doing the right thing here. If incompetent and lazy vendors are not forced to fix security vulnerabilities, they will never do it. It is just utterly pathetic that we allow MS to be one of these worst offenders.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:So MS is still unable to patch within 90 days? by Anonymous Coward · · Score: 0

      Stop giving them your money and/or sue them. Those are the only two options that will get you results.

      Or just keep complaining on Slashdot. I'm sure that will teach them a lesson.

    2. Re:So MS is still unable to patch within 90 days? by Anonymous Coward · · Score: 0

      Yeah ... because everything works perfectly and no patch has ever broken 10 million other things in the process.

      Some patches are easy to fix. Others are easy to fix, but not to patch.

  17. Re:It is funny how people are hammering MS's recor by gweihir · · Score: 1

    So you are advocating that because one house is burning to ignore the other one that is also burning? Sounds stupid.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Bug wars by Anonymous Coward · · Score: 0

    I think Microsoft should find 0-day security flaws in Google's services and announce them.

  19. Google Pride by Anonymous Coward · · Score: 0

    What a proud step for Google.

    Attacking Grandmothers and the common man. Lashing out at the world for not bowing down to their awesome power and making sure the boot of google power firmly holds down anyone disloyal or unwilling to be a google toady.

    Gleefully taking a historic situation of a technical issue with a regular security update, and attempting to hurt as many people as possible. You can almost smell the burnt flesh in Google cafeterias this week. Lunching of the dead carcasses of their opponent.

    Nothing quite so proud as a company using defenseless victims to enrich its already rich taskmasters.

    Meanwhile encouraged by a horde of loyal foot-soldiers, giddy at a taste of blood, unable to see past their hate of everyone more successful than them, the Google apologists will be out in full force, their pride evident. What a glorious company to support. What fools anyone opposed to them are.

    What a proud day to be a Google supporter.

  20. 15 minutes for a patch by Anonymous Coward · · Score: 0

    I patched my gdi32.dll in just 15 minutes without the source. Fire-up your IDA debugger and Softice then trace all related to EMF calls to track the location of those buggy codes then hexedit. More than 1 year is a lot for insiders with source code.

  21. damn microsoft by Anonymous Coward · · Score: 0

    ...make sure you upgrade to windows 10. It's the most secure operating system ever....lol. That's laughable. Surely, microsoft is supporting the other versions that are still relevant?

  22. Microsoft, YOU are the disappointment. by geekmux · · Score: 1

    Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing"...

    Perhaps if Microsoft wasn't so focused on making the Microsoft Telemetry OS (a.k.a. Windows 10) to feed unethical revenue channels, they would be more concerned about Security in their products.

    In short, Screw You, Microsoft, for having the unmitigated gall to make such a statement after having months to fix your shit. I would suggest that you should start taking Security seriously, but you've failed to do that for decades now. Don't even know what to say about your new-and-improved patch process other than par for the course.

  23. fuck google by Anonymous Coward · · Score: 0

    these days I'm much more inclined to trust M$

  24. because forced windows 10 ? by Anonymous Coward · · Score: 0

    because forced windows 10 ?because forced windows 10 ?because forced windows 10 ?

  25. Re:It is funny how people are hammering MS's recor by Zxern · · Score: 1

    I don't know about you, but I'd focus on putting all the fires out at my home, before wandering the neighborhood looking for other fires.