Slashdot Mirror


Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com)

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among others.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
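A defender-side check for the DOCX embedding mentioned above, added here as an example and not taken from the article or from Project Zero's report. It assumes only the documented EMF header layout (an EMR_HEADER record type of 1 and the " EMF" signature at offset 40) and runs against a constructed sample archive, so it catches EMF content even when the member is renamed to another image extension.

```python
import io
import struct
import zipfile

EMF_SIGNATURE = b" EMF"  # ENHMETA_SIGNATURE 0x464D4520 stored little-endian at offset 40
EMR_HEADER = 1           # iType of the first record in every EMF file


def looks_like_emf(data: bytes) -> bool:
    """Content sniff: EMR_HEADER record type and ENHMETA_SIGNATURE at offset 40."""
    if len(data) < 44:
        return False
    record_type = struct.unpack_from("<I", data, 0)[0]
    return record_type == EMR_HEADER and data[40:44] == EMF_SIGNATURE


def find_embedded_emf(docx_bytes: bytes) -> list:
    """Return the names of members in an OOXML (DOCX) container whose bytes are an
    EMF metafile, regardless of the extension the member was given."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(44)  # only the header is needed for the check
            if looks_like_emf(head):
                hits.append(info.filename)
    return hits


def build_sample_docx() -> bytes:
    """Constructed sample container (not a real document): one PNG, one EMF with
    its own extension, and one EMF hiding behind a .png name."""
    emf = struct.pack("<II", EMR_HEADER, 108) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 64
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", png)
        zf.writestr("word/media/image2.emf", emf)
        zf.writestr("word/media/image3.png", emf)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_emf(build_sample_docx()))
```

A hit only means an EMF metafile is present, which is legitimate in many documents; the value is in flagging such files for review or sandboxed rendering on hosts that have not yet received the fix.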

2 of 122 comments

  1. Re: Control vs. Security by gweihir · Score: 1, Troll

    You are either stupid or trolling.

    First, MS did actually get something like a year here. And second: The policy is simple: Get 90 days unless there are some special circumstances. There were none (except gross incompetence by MS), hence the bug got published after they failed again (!) to fix it and it was already being exploited.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Re: Control vs. Security by gweihir · Score: 1, Troll

    Because these morons do not actually want to do anything about the problem, they are just looking for excuses for MS. How somebody can be this stupid is beyond me, but "happy slaves" are apparently a reality.

    Incidentally, for serious security vulnerabilities, the Linux kernel has a time-to-fix of considerably less than 90 days. Times of below 12h after reporting have been observed. There is no issue to be fixed here, the Linux folks are doing their job. The problem is that MS is not doing theirs and is endangering hundreds of millions of people in the process.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.