
Google and Microsoft butt heads again over disclosing security vulnerability

zMeul

source: https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html

 

Quote

After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.


The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

 

On October 21st, Google contacted MicroSoft over a known and actively exploited Windows vulnerability. They asked them to either acknowledge it or fix it; MicroSoft did neither.

So, Google made the existence of the vulnerability public. MicroSoft isn't happy and they're crying foul. This is not the 1st time Google discovered critical vulnerabilities in Windows and made them public after MicroSoft failed to acknowledge and/or fix them.

MicroSoft's defense is that vulnerabilities should not be disclosed [personally, I believe it's bullshit, even more so when the vulnerability is actively exploited], and that 10 days is not enough time to issue a fix.

Thing is, Google notified Adobe over a Flash vulnerability the same day as they did MicroSoft. Adobe fixed their issue on October 26th: https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

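Added example, not part of zMeul's post or of Google's blog. The quoted text says Chrome's sandbox neutralises this bug on Windows 10 by applying the Win32k lockdown mitigation to its renderers, so win32k.sys system calls such as NtSetWindowLongPtr() are refused before they reach the kernel. The same per-process policy can be applied to, and audited on, any other process that has no need for user32/gdi32, using the ProcessMitigations PowerShell module that shipped in later Windows 10 builds (it did not exist in October 2016 builds). Assumptions: an elevated shell, the image name 'sandboxed-worker.exe' is a placeholder, and Get-ProcessMitigation -Id is taken to accept a running PID.

```powershell
# Added example: apply and verify the Win32k lockdown (system-call-disable) mitigation.
# Assumes Windows 10 1709 or later with the ProcessMitigations module and an elevated shell.
# 'sandboxed-worker.exe' is a placeholder for a process that never needs user32/gdi32.

$target = 'sandboxed-worker.exe'

function Enable-Win32kLockdown {
    param([Parameter(Mandatory)][string]$ImageName)
    # Per-image policy; it applies to new launches of that image, not to instances already running.
    Set-ProcessMitigation -Name $ImageName -Enable DisableWin32kSystemCalls
    # Read the stored policy back instead of trusting that the call succeeded.
    (Get-ProcessMitigation -Name $ImageName).SystemCall.DisableWin32kSystemCalls
}

function Get-Win32kLockdownStatus {
    # Reports which running instances of an image actually have the lockdown on.
    param([Parameter(Mandatory)][string]$ProcessName)
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: -Id takes a running PID (documented for the module, not exercised here).
        $m = Get-ProcessMitigation -Id $_.Id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid            = $_.Id
            Win32kLockdown = $m.SystemCall.DisableWin32kSystemCalls
        }
    }
}

Enable-Win32kLockdown -ImageName $target          # expect ON once the policy is stored

# Chrome's sandboxed renderers should report ON; the browser process must not, because it
# draws windows and needs win32k, which is why the mitigation is applied per process.
Get-Win32kLockdownStatus -ProcessName 'chrome' | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, the policy only removes the escape path from processes it is applied to: the kernel bug in win32k.sys is still there for every process that can reach NtSetWindowLongPtr(), and only a Windows patch fixes that. Second, applying it to anything that calls user32 or gdi32 (console hosts included) makes those calls fail, which typically crashes the process; enable it on a worker only after confirming the worker never touches those DLLs.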

Security by obscurity is a shit way to do security and has been proven in the past to not work. If a vulnerability exists, hackers will find it, before or after a researcher finds it and properly discloses to the parent company.

 

Seriously, Microsoft has to get its shit together and issue a patch ASAP.


What's funny is there was another article about how Google hid a vulnerability in Apple products for several months to give Apple enough time to fix it.


1 minute ago, Lurick said:

What's funny is there was another article about how Google hid a vulnerability in Apple products for several months to give Apple enough time to fix it.

If Apple acknowledged it and asked for time, why not?!

But from what Google tells, MS did neither.


4 minutes ago, Lurick said:

What's funny is there was another article about how Google hid a vulnerability in Apple products for several months to give Apple enough time to fix it.

Source? If true, it would be an interesting dynamic.


There's a difference of course between a potential vulnerability and one that's actively exploited.  In the latter case, the dev should drop everything else and sort out the vulnerability first. 

10 days is plenty of time if you throw enough resources at the problem.


This again. But they could act differently and, yeah, kinda put more effort into it to release a fix sooner.


microsoft defence force to the rescue!

/s

 

Don't see where the foul play is here: they've been warned about it and MS did nothing to fix it; putting pressure on them by making it public seems to be the best solution to force them into releasing a fix.


I see no problem with doing this if there is total radio silence working with another company. I have no sympathy for Microsoft if they were given a week to even say "oh hey, thanks for the info, we are going to look into that."

It's even worse when it's a known active exploit; that's just sticking your head in the sand and pretending the world isn't on fire because you can't see it. And releasing it to the public clearly isn't a big deal other than getting press on it, because if 1 hacker is using it, you can bet way more know about it.

 

Microsoft wanted their platform being super secure with everyone on the latest software with forced updates, but that only works if they fix the problems people are having.


Google only discloses the vulnerabilities if the company either doesn't acknowledge it, or does little to fix it in an appropriate amount of time. Google in the past has given companies time to fix their software, assuming that they actually acknowledge that the vulnerability exists. 


16 minutes ago, Blade of Grass said:

Google only discloses the vulnerabilities if the company either doesn't acknowledge it, or does little to fix it in an appropriate amount of time. Google in the past has given companies time to fix their software, assuming that they actually acknowledge that the vulnerability exists. 

But nobody asked Google to do this!


1 hour ago, zMeul said:

source: https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html

 

 

on October 21st, Google contacted MicroSoft over a known and actively exploited Windows vulnerability - they asked them to either acknowledge it or fix it, MicroSoft did neither

so, Google made the existence of the vulnerability public, MicroSoft isn't happy and they're crying foul - this is not the 1st time Google discovered critical vulnerabilities in Windows and made them public after MicroSoft failed to acknowledge and/or fix them

MicroSoft defense is that vulnerabilities should not be disclosed [personally, I believe it's bullshit even more so when the vulnerability is actively exploited]; and 10 days is not enough time to issue a fix

 

thing is, Google notified Adobe over a Flash vulnerability same day as they did with MicroSoft - Adobe fixed their issue on October 26th: https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

Microsoft************


13 minutes ago, AluminiumTech said:

But nobody asked Google to do this!

And your point is?


I was about to side with Microsoft on this, but assuming that it is true that Microsoft did not acknowledge it (as in, did not ask Google for more time nor made an effort to fix the issue as quickly as possible), and on top of that the fact that the exploit is/was already being used in the wild, I think Google did the right thing.

 

By the way, the exploit Google published relies on Flash to be executed in its current form. Since Adobe already released a patch it is kind of fixed. The problem is that the underlying issue (in Windows) is not yet fixed and it might be possible to use it without relying on Flash.

 

So it's not like Google just went "hey Microsoft, you got a security hole in Windows. <10 days later>. Lol, let's tell everyone about the security hole".

Supposedly,

1) Microsoft ignored/did not make an effort to fix the issue after Google told them about it.

2) The exploit was already being used, so attackers already knew about it.

3) Flash, which the exploit relied on had been fixed, so the attack in its current form does not work.


20 minutes ago, AluminiumTech said:

But nobody asked Google to do this!

To do what? Find exploits in code? Plenty of people, organizations and companies ask Google to do it. Finding exploits is a great thing. It makes everyone more safe and secure.


24 minutes ago, AluminiumTech said:

But nobody asked Google to do this!

Nobody asked the hackers to do it either, but they still did; they're now actively exploiting it and MS are totally ignoring it, so GJ Google, I say.


I don't really blame Microsoft entirely for their problems.

 

I blame developers who rely on undocumented and deprecated behavior of the OS and demand that Microsoft keep the "feature" for the next release (which Microsoft has to because there's a non-trivial user base who relies on said software).

 

Also please don't be an armchair developer and think that any software problem is "easy" to fix.


6 minutes ago, huilun02 said:

Usually a company would pay or reward bug/exploit reporting, but MS has it backwards.

To be fair, so does much of the world, especially banks and governments. 


21 minutes ago, Blade of Grass said:

To be fair, so does much of the world, especially banks and governments. 

A lot of governments in Europe have a really open mind about reporting bugs and exploits; my local government holds a hacker competition before launching new systems so civilians can try pentesting them. I know some Baltic states are pushing for completely open-source software on every layer of government, etc. Banks are a different story though...


The Microsoft defense taskforce hasn't said anything yet...


3 hours ago, OptimisticRealist said:

It is Microsoft! WHERE do you find that capital S????????

[image: Microsoft logo (1975)]


 

This post from an earlier discussion about a similar subject is why I'm not 100% happy about Google doing these kinds of things. It may describe a worst-case scenario, but it is an important point nonetheless.
