Google exposes security flaw in Microsoft Edge before a patch is ready

[Guest]

3 minutes ago, Sauron said:

Yes, yes it does. If they didn't, MS would be under no pressure to EVER fix this until someone with less than noble intentions finds it and exploits it, with the user being none the wiser until years later when the exploit is finally identified in the wild by some affected company's security experts. This has happened countless times in the past. Now developers get a grace period of 3 months and if they don't fix their garbage in that time, too bad for them - at least people can make the decision of not using that product if they care about security.

I guess thats true but they should probably pressure Microsoft behind closed doors, they are working on it nevertheless. I don't think it really benefits anyone to reveal it to the world. I'm really thinking of businesses who would use Edge on their work PC's and aren't that tech savvy.

[mr moose]

2 hours ago, SC2Mitch said:

It's their Zero Day policy to disclose the bug after 90 days, I didn't even say that google should dictate? 

They should put pressure on companies to have it fixed to a degree.  That is good for consumers, however if that time comes and the company in question has been working on it and has shown there to be a legitimate reason for a delay (it's not like they have anything to gain from doing nothing), then google should not be cunts about it and give them more time.   Let's be honest,  that 90 days thing is an arbitrary number that would be more than enough in some cases but no where near enough in others.

 

3 hours ago, SpaceGhostC2C said:

It's not the first time someone discloses an unpatched vulnerability after deciding enough time without action has passed. However, I wonder if there's any difference between such step being taken by an independent security researcher, and the same action being taken by the producer of a direct competitor to the software in question. I genuinely don't know what to think: should that matter, or the ethics are the same regardless of who discovers the vulnerability?

 

It does concern me too, especially given MS aren't exactly dragging their feet or ignoring the problem.  This situation does have elements of "vested interest".

 

[paddy-stone]

3 hours ago, Zodiark1593 said:

We should play a game. How many opportunities are presented for security to be compromised between loading up Edga on a freshly installed OS, and downloading Chrome/Firefox/other browser of choice?

Not sure if you're agreeing with me, or arguing against?

 

[mrchow19910319]

bill gates right now: 

 

[mrchow19910319]

also, this :

 

 

[dalekphalm]

9 hours ago, Captain Chaos said:

What is there to communicate about?  Project Zero found a flaw, went through the appropriate channels to inform Microsoft and then waited 90 days as they usually do. 

If 3 months isn't enough to fix a flaw in your own software, perhaps you shouldn't be in the software business to begin with. 

 

The side of Edge's dev team ... well ... who determines the size of that team?  Microsoft. 

So who should have hired more people to begin with so that they could make a browser worth a damn?  Microsoft. 

The 90 number is entirely arbitrary. 

 

You are being either naive or intentionally misleading by saying that all patches can be created in 90 days. 

 

Some patches can be made very quickly. Others will take much longer. 

 

I think a more appropriate thing for Google to do is allow Microsoft to propose an alternate date for the release of their patch. 

 

Once Microsoft has scheduled the patch release, then release the details after that. 

 

If Microsoft gives an insane number (eg: it’ll take a year!) or if they fail to release the patch on time without reason? Then drop the vulnerability to the public. 

[captain_to_fire]

So many people are pissed with Google Project Zero’s 90 day disclosure policy. I’d let one of their security researchers Tavis Ormandy to respond. Just look at this Twitter conversation. 

 

[JoostinOnline]

This whole Edge discussion made me think of the Bing Maps thing from Family Guy:

 

[dalekphalm]

5 hours ago, hey_yo_ said:

So many people are pissed with Google Project Zero’s 90 day disclosure policy. I’d let one of their security researchers Tavis Ormandy to respond. Just look at this Twitter conversation. 

 

Wow... Tavis sounds like an arrogant asshole - what a dismissive fuck. Can he get any more condescending?

 

Just because someone isn't well versed, doesn't mean you should be a complete douche bag to them. He should educate them, if their position has flaws. Not basically say "lol you either know that's wrong or you're an idiot for not knowing it's wrong".

[SpaceGhostC2C]

41 minutes ago, dalekphalm said:

Wow... Tavis sounds like an arrogant asshole - what a dismissive fuck. Can he get any more condescending?

At Google? Impossible! When have you ever seen a member of Google dismissing questions as an arrogant asshole?

 

Quote

 

Just because someone isn't well versed, doesn't mean you should be a complete douche bag to them. He should educate them, if their position has flaws. Not basically say "lol you either know that's wrong or you're an idiot for not knowing it's wrong".

"The future^TM isn't educating".

[captain_to_fire]

1 minute ago, dalekphalm said:

Wow... Tavis sounds like an arrogant asshole - what a dismissive fuck. Can he get any more condescending?

 

Just because someone isn't well versed, doesn't mean you should be a complete douche bag to them. He should educate them, if their position has flaws. Not basically say "lol you either know that's wrong or you're an idiot for not knowing it's wrong".

Well he's condescending and a jerk no doubt about it but I think it's him defending Google's 90-days of no disclosure policy and some people are accusing him and Project Zero of some sort of conspiracy so that people will switch to Google Chrome when in fact Microsoft once exposed Chrome vulnerabilities as well.

He's one of the people who once studied and published bugs with many anti-virus programs and yet no one complained that Project Zero is being unfair with their 90 days non disclosure policy. I'm guessing Tavis is somehow splitting hairs in some of his Twitter debates and yeah he does sound kind of a jackass.

[SpaceGhostC2C]

26 minutes ago, hey_yo_ said:

Well he's condescending and a jerk no doubt about it but I think it's him defending Google's 90-days of no disclosure policy ind of a jackass.

The problem is that in the paragraph you quoted there is no explanation or defense of anything. It's all attitude, no content: after reading it, I'm not more informed about the reasons to have their 90-day policy.

[captain_to_fire]

7 minutes ago, SpaceGhostC2C said:

The problem is that in the paragraph you quoted there is no explanation or defense of anything. It's all attitude, no content: after reading it, I'm not more informed about the reasons to have their 90-day policy.

This tweet from him encapsulates the one I put in bold above:

 

He reminds me of a a number of people in the forum which I'm not going to name

[Sauron]

18 hours ago, RorzNZ said:

I guess thats true but they should probably pressure Microsoft behind closed doors, they are working on it nevertheless. I don't think it really benefits anyone to reveal it to the world. I'm really thinking of businesses who would use Edge on their work PC's and aren't that tech savvy.

Regardless of how hard they're trying, the vulnerability is there and it's just a matter of time before it gets out. It's important to let the user know they are at risk.

[bowrilla]

If there's a security flaw then it will be found eventually. If it was found by one person it will be found by others eventually. Waiting indefinitely for a fix won't help since others will find it as well and they might not be so ethical. Yes, 90 days is an arbitrary timeframe. It could just be 100 days or 80 days. The longer you wait though the higher the possibility of someone else finding out about it as well. Maybe they have a 90 day period of notice in their contracts at Google?

The point is: in order to minimize risks you have to expose vulnerabilites after some time so users can avoid insecure software. It's fair to wait a while and to give developers the opportunity to fix their bugs but after a while they NEED to be published. If they weren't able to fix that bug in 90 days + 14 days of grace period then the flaw is enormous and Edge should be avoided at this point. 

[sof006]

23 hours ago, deXxterlab97 said:

Microsoft Edge is the browser you use to download Google Chrome

I still laugh when I search for Chrome in Microsoft Edge and it recommends itself over Chrome at the top of the search results

[Guest]

3 hours ago, Sauron said:

Regardless of how hard they're trying, the vulnerability is there and it's just a matter of time before it gets out. It's important to let the user know they are at risk.

Theres probably many vulnerabilities but it sure doesn't help the users risk now that everyone knows about it. Google knows exactly what its doing by hiring these people to look for vulnerabilities. 

[Sauron]

50 minutes ago, RorzNZ said:

Theres probably many vulnerabilities but it sure doesn't help the users risk now that everyone knows about it.

It does, because the user can stop using it and sysadmins can take precautions.

51 minutes ago, RorzNZ said:

Google knows exactly what its doing by hiring these people to look for vulnerabilities. 

It's making computing a little more secure.

[dalekphalm]

1 minute ago, Sauron said:

It does, because the user can stop using it and sysadmins can take precautions.

It's making computing a little more secure.

Normally yes. But in this context, with Meltdown and Spectre, no. You'd have to literally stop using basically any computer, before the patches were available, since basically any CPU in the past 20-ish years was vulnerable to at least one of the variants.

[Guest]

1 minute ago, Sauron said:

It does, because the user can stop using it and sysadmins can take precautions.

It's making computing a little more secure.

Thats assuming the users have a choice and the admins can efficiently change it. Quite a lot of computers just don't get updated for a while due to inconvenience or just being left. Its more common than you think. 

What I mean by the latter is people will shift to another browser, and Chrome is by far the most advertised. By looking for vulnerabilities in other browsers and making them known to the media people will most likely shift to an alternative that gets pushed in their faces the most. Its not actually making it more secure, theres more than likely vulnerabilities in Chrome as well (As with any software), but you can bet Google has a different disclosure policy for its own products. 

[Sauron]

9 minutes ago, RorzNZ said:

Thats assuming the users have a choice and the admins can efficiently change it. Quite a lot of computers just don't get updated for a while due to inconvenience or just being left. Its more common than you think. 

If you don't update regularly you don't care about security, and if you do you're already out of luck anyway as outdated software is vulnerable in a number of ways, not least of which the meltdown bug that makes this one look like a picnic.

11 minutes ago, RorzNZ said:

What I mean by the latter is people will shift to another browser, and Chrome is by far the most advertised. By looking for vulnerabilities in other browsers and making them known to the media people will most likely shift to an alternative that gets pushed in their faces the most. Its not actually making it more secure, theres more than likely vulnerabilities in Chrome as well (As with any software), but you can bet Google has a different disclosure policy for its own products. 

Google hasn't really been targeting edge or browsers specifically, they just pay people to break systems and then tell the developer what to do to fix it. If you're saying you can't make exploits public when they're in a competing product, I strongly disagree.

 

If you find a bug in chrome you're welcome to publish it, in fact a large chunk of chrome is open source so you could even go and fix it yourself, just give them a 3 month warning. It happens all the time, what's special about this case is that somehow it's taking over 3 months to patch a browser vulnerability... taking 90+ days to fix an arbitrary code execution vulnerability is bad.

[Sauron]

21 minutes ago, dalekphalm said:

Normally yes. But in this context, with Meltdown and Spectre, no. You'd have to literally stop using basically any computer, before the patches were available, since basically any CPU in the past 20-ish years was vulnerable to at least one of the variants.

This isn't spectre or meltdown though...? And in that case pretty much everyone was involved, including Google themselves, so I find it hard to believe it was published in bad faith.

[ItsMitch]

1 minute ago, Sauron said:

If you find a bug in chrome you're welcome to publish it, in fact a large chunk of chrome is open source so you could even go and fix it yourself, just give them a 3 month warning. It happens all the time, what's special about this case is that somehow it's taking over 3 months to patch a browser vulnerability... taking 90+ days to fix an arbitrary code execution vulnerability is bad.

Adding onto this, Google even gave them a extra 15 days to sort their shit out, MSFT could of just kindly asked in a NDA not to publish until it's fixed.

[dalekphalm]

3 minutes ago, Sauron said:

This isn't spectre or meltdown though...? And in that case pretty much everyone was involved, including Google themselves, so I find it hard to believe it was published in bad faith.

Oh my bad - I'm in the midst of two different conversations, one here and the other on the Intel lawsuit thread. Got them mixed up.

[Cole5]

MS Should probably fix it right quick then