Google just disclosed a major Windows bug — and Microsoft isn’t happy

[Jtbrig7390]

http://www.theverge.com/2016/10/31/1...oft-disclosure

Today, Google’s Threat Analysis group disclosed a critical vulnerability in Windows in a public post on the company’s security blog. The bug itself is very specific — allowing attackers to escape from security sandboxes through a flaw in the win32k system — but it’s serious enough to be categorized as critical, and according to Google, it’s being actively exploited. As a result, Google went public just 10 days after reporting the bug to Microsoft, before a patch could be coded and deployed. The result is that, while Google has already deployed a fix to protect Chrome users, Windows itself is still vulnerable — and now, everybody knows it.

Google’s disclosure provides only a general description of the bug, giving users enough information to recognize a possible attack without making it too easy for criminals to replicate. Exploiting the bug also depends on a separate exploit in Adobe Flash, for which the company has also released a patch. Still, simply knowing that the bug exists will likely spur a lot of criminals to look for viable ways to exploit it against computers that have yet to update Flash.

First reached by VentureBeat, Microsoft harshly criticized the disclosure. “Today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

On Tuesday, Microsoft followed up with more detail in a post by Executive VP Terry Myerson. Myerson attributed the exploitation of the bug to a group called Strontium, a Russia-linked group also called Fancy Bear. Myerson emphasized that Windows 10 users browsing with Edge would be protected from the attack, and promised a system-wide patch to be shipped on November 8th.

The brief grace period is in accordance with a policy Google put in place in 2013, allowing critical vulnerabilities to be disclosed only seven days after they’re reported to the vendor. At the time, a number of researchers criticized the policy as overly harsh, arguing that seven days was not enough time to properly respond to a complex vulnerability. This is the first major invocation of the policy in the three years since it was put in place, although Google’s engineers defended it as necessary given the active exploitation of the bug.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not,” Google’s post recommends, “and to apply Windows patches from Microsoft when they become available.”

[I Push Buttons]

Yeah Google's actions seem counter productive. I would understand going public if Microsoft was doing nothing and leaving people vulnerable, but that wasn't happening. What does this release accomplish beyond letting those who would exploit such a flaw know that it exists, where to find it, and that it is still vulnerable?

Its not like this aids the consumer in anyway, it doesn't tell them how to protect themselves or anything and people can't just stop using their PC for several weeks in this day and age, nor can they just stop using Windows on the fly.

[Merie]

Yeah Google's actions seem counter productive. I would understand going public if Microsoft was doing nothing and leaving people vulnerable, but that wasn't happening. What does this release accomplish beyond letting those who would exploit such a flaw know that it exists, where to find it, and that it is still vulnerable?

Your system is at risk! Microsoft has no fix for it! Better use Chrome!!

[Mormolyce]

Probably shouldn't publish those details publicly... you know I remember reading ages ago that the number of exploits of any given security vulnerability spike dramatically after each patch is deployed, because the patch contains details of what the exploit was...

We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.

*Dies laughing*

[Barael]

Flash is cancer and people still making content for it should be dragged out on the street and shot.

[ati87]

Flash is cancer and people still making content for it should be dragged out on the street and shot.

Flash is what the internet was build upon and their are still allot of older content that uses flash.

https://www.statista.com/chart/3796/...s-using-flash/

[Eleccybubb]

Nice to see Microsoft are doing something about it... oh wait. Meanwhile Adobe had this shit sorted just a few days later. Not sure if I should be worried since I have a game with a launcher that uses IE as it's base.

[Masark]

What does this release accomplish beyond letting those who would exploit such a flaw know that it exists, where to find it, and that it is still vulnerable?

Given that it was already being actively exploited in the wild, that argument is null. The bad actors already know all about that info.

What this does is light a fire under Microsoft to get it fixed ASAP.

[Collegeguy]

Flash is what the internet was build upon and their are still allot of older content that uses flash.

https://www.statista.com/chart/3796/...s-using-flash/

Lots of new content uses it as well like HBO GO. Would be nice to be rid of it though.

[ati87]

Lots of new content uses it as well like HBO GO. Would be nice to be rid of it though.

I once read that technically flash may have security wholes in it but it's easier to develop for partly because of experience but also because of technical capabilities.

[Slant]

Yeah Google's actions seem counter productive. I would understand going public if Microsoft was doing nothing and leaving people vulnerable, but that wasn't happening. What does this release accomplish beyond letting those who would exploit such a flaw know that it exists, where to find it, and that it is still vulnerable?

Its not like this aids the consumer in anyway, it doesn't tell them how to protect themselves or anything and people can't just stop using their PC for several weeks in this day and age, nor can they just stop using Windows on the fly.

It puts pressure on MS to fix the thing. That's a good thing. It's also an active exploit that the criminals are already using. Not disclosing it doesn't actually help anyone, while disclosing it doesn't hurt anyone further. The damage is being done whether we know it or not. At least this way, everyone knows that MS didn't fix it while knowing about it for 7 days. The clock is running on them now. That's a good thing, mate.

- - - Updated - - -

Given that it was already being actively exploited in the wild, that argument is null. The bad actors already know all about that info.

What this does is light a fire under Microsoft to get it fixed ASAP.

Exactly. And I love Google for playing hardball on this.

[namecraft]

Flash is cancer and people still making content for it should be dragged out on the street and shot.

ok let's shoot some people bro

[Slant]

I'm almost certain I removed it on my computer for this very reason (holes for hackers). It was some step by step thing I followed.

I think getting rid of it isn't the problem. It's that every website and their mother still seems to use that cancer.

[Eleccybubb]

So I don't get it should I avoid anything that involves using IE for a week and just use Edge or Chrome? Feel free to call me stupid. Just find it a bit retarded a company like Adobe fixed an issue in 4 days and its taking Microsoft nearly 2 weeks.

[Slant]

You should avoid IE to begin with, regardless of security holes or not. IE is to browsers what flash is to the internet.

[Eleccybubb]

You should avoid IE to begin with, regardless of security holes or not. IE is to browsers what flash is to the internet.

Just a game I play uses IE as a backend in it's launcher is all. Just wondering should I avoid that till the 8th? Sorry for the concern just I tend to have them and like I said feel free to call me a moron

[dextersmith]

Microsoft would've dragged their feet if it wasn't for the announcement.

[Slant]

Just a game I play uses IE as a backend in it's launcher is all. Just wondering should I avoid that till the 8th? Sorry for the concern just I tend to have them and like I said feel free to call me a moron

Oh, you're fucked then. Is it EvE Online? I was shocked to hell to discover that they use IE as their ingame browser. No wonder it's slow as fuck. No idea if they still do.

[Eleccybubb]

Oh, you're fucked then. Is it EvE Online? I was shocked to hell to discover that they use IE as their ingame browser. No wonder it's slow as fuck. No idea if they still do.

FF14. I'm sure it uses IE or something along the lines of it on it's launcher. Ah well can just go on my PS4 version if that is the case.

[Slant]

FF14. I'm sure it uses IE or something along the lines of it on it's launcher.

You could try starting it directly, circumventing the launcher. Might have to enter your login data manually, though.