Google and MicroSoft butt heads again over disclosing seccurity vulnerability

[GoodBytes]

Microsoft says in a statement that the security issue reported by Google was actually already fixed for Windows 10 Anniversary Update users.

 

Neowin says:

Quote

Myerson said that a group called STRONTIUM performed a spear-phishing attack, but before we go any further, users on the Windows 10 Anniversary Update using the Edge browser should already be protected from it. It used two zero-day vulnerabilities in Flash and the Windows kernel to do the following:

1. Exploit Flash to gain control of the browser process

2. Elevate privileges in order to escape the browser sandbox

3. Install a backdoor to provide access to the victim’s computer

So it looks like other Windows users need to update Flash plug-in, or wait until Microsoft to get around to try and patch the exploit around Flash.

 

https://www.neowin.net/news/microsoft-responds-to-google-releasing-security-vulnerability-will-patch-it-next-week

 

 

[dfsdfgfkjsefoiqzemnd]

6 minutes ago, GoodBytes said:

already fixed for Windows 10 Anniversary Update users

Only for those using Edge, it looks like they patched the OS vulnerability at the browser level.  Use any other browser and Win10 is about as secure as an open door in a ghetto.

[GoodBytes]

5 minutes ago, Captain Chaos said:

Only for those using Edge, it looks like they patched the OS vulnerability at the browser level.  Use any other browser and Win10 is about as secure as an open door in a ghetto.

Update Flash?

[jagdtigger]

10 minutes ago, GoodBytes said:

Update Flash?

The hole is in windows itself. Even if you update it nothing prevents hackers from exploiting it with different approach...

[dfsdfgfkjsefoiqzemnd]

14 minutes ago, GoodBytes said:

Update Flash?

" a local privilege escalation in the Windows kernel "

 

The exploit may rely on Flash to trigger the escalation and the sandbox escape, but the vulnerability itself is in the Windows kernel.

 

While it's easier to patch Flash and the browser than it is to fix the kernel, it still leaves a vulnerability in the OS itself, one that hackers are aware of. 

What do you think is easier, finding a new way to exploit a known vulnerability or digging through an entire OS to find a new vulnerability? 

 

[LAwLz]

Just now, GoodBytes said:

Update Flash?

The problem is that the underlying security hole (which allows for privilege escalation and is part of win32k.sys) is not patched. It's just that the exploit that is current out in the wild used Flash to take advantage of the hole. It might be possible to use some other attack vector to take advantage of the same security hole.

It means that a small security hole in flash, office, chrome, whatever, might go from a minor issue to a full blown, admin privilege, sandbox escaping exploit.

[Sakkura]

Patching a kernel could take a lot more work than patching Flash. So if Microsoft needed more time than Adobe, I don't entirely blame them. But if it's true that they didn't even acknowledge Google's message, let alone ask for more time, well...

[AlTech]

8 hours ago, LAwLz said:

I was about to side with Microsoft on this, but assuming that it is true that Microsoft did not acknowledge it (as in, did not ask Google for more time nor made an effort to fix the issue as quickly as possible), and on top of that the fact that the exploit is/was already being used in the wild, I think Google did the right thing.

 

By the way, the exploit Google published relies on Flash to be executed in its current form. Since Adobe already released a patch it is kind of fixed. The problem is that the underlying issue (in Windows) is not yet fixed and it might be possible to use it without relying on Flash.

 

So it's not like Google just went "hey Microsoft, you got a security hole in Windows. <10 days later>. Lol, let's tell everyone about the security hole".

Supposedly,

1) Microsoft ignored/did not make an effort to fix the issue after Google told them about it.

2) The exploit was already being used, so attackers already knew about it.

3) Flash, which the exploit relied on had been fixed, so the attack in its current form does not work.

 

 

 

To do what? Find exploits in code? Plenty of people, organizations and companies ask Google to do it. Finding exploits is a great thing. It makes everyone more safe and secure.

Why should they ask for more time? This is unorthodox and frankly Google is asking to be sued at this point.

[suicidalfranco]

2 minutes ago, AluminiumTech said:

Why should they ask for more time? This is unorthodox and frankly Google is asking to be sued at this point.

on what basis?

 

Or you seriously that blind of a fanboy?

[AlTech]

Just now, suicidalfranco said:

on what basis?

 

Or you seriously that blind of a fanboy?

if Microsoft knows there's an issue, I can count on them to try and fix it. If Google knows there's an issue with one of their services, I can count on them to fix it.

 

There's no need to have such a big dramatic situation. they can work on a fix without starting world war 3.

 

 

Jesus. People these days.........

[Dabombinable]

2 minutes ago, suicidalfranco said:

on what basis?

 

Or you seriously that blind of a fanboy?

He is seriously that much of a fanboy. He actually hopes to have a job with MS at some point.

[Tiuqu]

6 minutes ago, AluminiumTech said:

Why should they ask for more time? This is unorthodox and frankly Google is asking to be sued at this point.

"Dear sir, if you don't leave the toilet or tell us you're okay, we're gonna have to open the door and force you out, did you hear me? Sir?" - Google (waiter) vs Microsoft (the customer)

[AlTech]

2 minutes ago, Dabombinable said:

He is seriously that much of a fanboy. He actually hopes to have a job with MS at some point.

No I don't. If I happen to have a job with them in the future, then that will be fine. but it'd be just as happy to work for some other respected tech company.

 

1 minute ago, Tiuqu said:

"Dear sir, if you don't leave the toilet or tell us you're okay, we're gonna have to open the door and force you out, did you hear me? Sir?" - Google (waiter) vs Microsoft (the customer)

I don't see Microsoft showing Google all the flaws in Android.......

[suicidalfranco]

2 minutes ago, AluminiumTech said:

if Microsoft knows there's an issue, I can count on them to try and fix it. If Google knows there's an issue with one of their services, I can count on them to fix it.

 

There's no need to have such a big dramatic situation. they can work on a fix without starting world war 3.

 

 

Jesus. People these days.........

they knew there was an issue after google told them, they decided to do jack shit to fix it. As simple as that.

The exploit was already being used by who knows what kind of people, might as well make it public and force MS to fix their shit. But no, please do tell me how this is wrong 

[Tiuqu]

1 minute ago, AluminiumTech said:

I don't see Microsoft showing Google all the flaws in Android.......

*spoilers*
THEY SHOULD.

[suicidalfranco]

4 minutes ago, AluminiumTech said:

No I don't. If I happen to have a job with them in the future, then that will be fine. but it'd be just as happy to work for some other respected tech company.

 

I don't see Microsoft showing Google all the flaws in Android.......

Cause Google already has a bounty program that rewards people who finds bug and security holes in Android and Chrome, also every bug reported by security firms and researchers get promptly patched and made public soon after  

[zMeul]

4 hours ago, GoodBytes said:

Microsoft says in a statement that the security issue reported by Google was actually already fixed for Windows 10 Anniversary Update users.

 

Neowin says:

So it looks like other Windows users need to update Flash plug-in, or wait until Microsoft to get around to try and patch the exploit around Flash.

 

https://www.neowin.net/news/microsoft-responds-to-google-releasing-security-vulnerability-will-patch-it-next-week

so MS actually fixed shit

[IAEInferno]

8 hours ago, zMeul said:

 

Not signed in

Would be a bad brand for a product that's related to the genital area of men.

[Blade of Grass]

4 hours ago, AluminiumTech said:

Why should they ask for more time? This is unorthodox and frankly Google is asking to be sued at this point.

It's not unorthodox at all, in fact it's relatively common in the industry for researches to do. Vulnerability disclosure is very much a necessary thing and makes everyone better off http://www.heinz.cmu.edu/~rtelang/disclosure_jan_06.pdf

On what grounds would Google be sued? 

[zMeul]

14 minutes ago, Blade of Grass said:

On what grounds would Google be sued? 

on the grounds of fanboyism 

 

@AluminiumTech Google's Project Zero runs since 2014, it's goal: finding zero-day exploits https://security.googleblog.com/2014/07/announcing-project-zero.html

remember the "Heartbleed" vulnerability? this is why the Project Zero was formed

[zMeul]

want to see a list of vulnerabilities MS was notified about and said they won't fix? https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=windows status=WontFix&colspec=ID Type Status Priority Milestone Owner Summary

[apm]

full disclosure is always the way to go imo, but something like this is obviously better for the company.

if they dont even acknowledge it within a decent timeframe, fuck them and release it.

[OptimisticRealist]

21 hours ago, zMeul said:

Wtf is that?

[zMeul]

2 minutes ago, OptimisticRealist said:

Wtf is that?

MicroSoft's logo from 1975, that was their logo when they were founded

[OptimisticRealist]

30 minutes ago, zMeul said:

MicroSoft's logo from 1975, that was their logo when they were founded

It is Microsoft, use modern logos FFS, or have you not known about Apple's first logo????