Google exposes security flaw in Microsoft Edge before a patch is ready

[Guest]

14 minutes ago, Sauron said:

If you don't update regularly you don't care about security, and if you do you're already out of luck anyway as outdated software is vulnerable in a number of ways, not least of which the meltdown bug that makes this one look like a picnic.

It depends on the infrastructure, it doesn't depend on whether they care about security. 

14 minutes ago, Sauron said:

Google hasn't really been targeting edge or browsers specifically, they just pay people to break systems and then tell the developer what to do to fix it. If you're saying you can't make exploits public when they're in a competing product, I strongly disagree.

Seems like they really dropped the ball on telling Microsoft on how to fix it then. 

14 minutes ago, Sauron said:

If you find a bug in chrome you're welcome to publish it, in fact a large chunk of chrome is open source so you could even go and fix it yourself, just give them a 3 month warning. It happens all the time, what's special about this case is that somehow it's taking over 3 months to patch a browser vulnerability... taking 90+ days to fix an arbitrary code execution vulnerability is bad.

That depends on the vulnerability on how long to fix. Its pretty obvious MS are on the case. 

[mr moose]

11 hours ago, hey_yo_ said:

So many people are pissed with Google Project Zero’s 90 day disclosure policy. I’d let one of their security researchers Tavis Ormandy to respond. Just look at this Twitter conversation. 

 

That statement is called an either/or fallacy or a false dichotomy.   The insinuation that you have to be at either end of the knowledge pool to make a moral decision.  If you wish to judge on a technical level (I.E the relevance of the technical nature) then sure, you need to understand the technical side of the issue, however you don't need to understand the technical side of the exploit to to read MS responses and requests and googles claims and accusations.  Either the act was fair or it wasn't, this tweet says to me this is about oneupmanship and not security.

 

42 minutes ago, Sauron said:

It does, because the user can stop using it and sysadmins can take precautions.

It's making computing a little more secure.

 

Not everyone can, many website are IE only, and making computing more secure is working together, not against each other.  If google truly put security before everything else they would have granted MS a few more weeks on the balance of evidence.

[Sauron]

3 minutes ago, RorzNZ said:

It depends on the infrastructure, it doesn't depend on whether they care about security. 

Again, if they're still running windows xp they're vulnerable no matter what. Even with more recent software, the security in their case will have to come from firewalls and other layers of protection, because keeping mum on new vulnerabilities isn't a solution.

4 minutes ago, RorzNZ said:

Seems like they really dropped the ball on telling Microsoft on how to fix it then. 

It's not their job to fix code they can't see... all they have to say is how the exploit works and roughly why it works. And it really speaks to the extremely low quality of the edge codebase if they can't figure out a fix. Either way, since it's not open source Google couldn't fix it for them even if they wanted to.

7 minutes ago, RorzNZ said:

That depends on the vulnerability on how long to fix. Its pretty obvious MS are on the case. 

Yeah, MS themselves categorized this as a "medium" severity problem so there's no justification for it not being fixed yet other than they simply don't care enough, or the codebase was so horrible it needed scrapping anyway. They even got an extra 15 days to get their crap together.

[Sauron]

1 minute ago, mr moose said:

Not everyone can, many website are IE only, and making computing more secure is working together, not against each other.  If google truly put security before everything else they would have granted MS a few more weeks on the balance of evidence.

IE is not edge though, and either way as I said if you use this sort of legacy components your security must come from elsewhere.

[ItsMitch]

6 minutes ago, Sauron said:

Yeah, MS themselves categorized this as a "medium" severity problem so there's no justification for it not being fixed yet other than they simply don't care enough, or the codebase was so horrible it needed scrapping anyway. They even got an extra 15 days to get their crap together.

If they classed it as Medium then I fucking fear what Severe must be for MSFT.....

[dalekphalm]

24 minutes ago, Cole5 said:

MS Should probably fix it right quick then

They are actively working on a patch and have a tentative patch date (March 13th).

6 minutes ago, Sauron said:

Yeah, MS themselves categorized this as a "medium" severity problem so there's no justification for it not being fixed yet other than they simply don't care enough, or the codebase was so horrible it needed scrapping anyway. They even got an extra 15 days to get their crap together.

This is a false equivalency though.

 

The ease of fixing a bug can vary extremely. And the fact that they categorized it as "medium" severity has in no way, a bearing on how easy it is to fix.

 

Furthermore, the code being "good or not" also has no bearing on how easy it is to fix.

 

Great code can have really strange bugs that take a long time to fix. That's just how it works sometimes.

 

It was discovered on or around November 17th. Microsoft states they should have a patch ready for March 13th. That's 116 days.

 

That means they were only 26 days over the normal 90-day window, and furthermore, they're only 12 days over the 14-day extension.

 

Google could have easily given Microsoft another 12 days to meet the March 13th patch target.

[mr moose]

10 minutes ago, Sauron said:

IE is not edge though, and either way as I said if you use this sort of legacy components your security must come from elsewhere.

Sorry I meant to say edge.  Either way, the consumer still doesn;t have a choice while google does.

 

1 minute ago, dalekphalm said:

 

Google could have easily given Microsoft another 12 days to meet the March 13th patch target.

Which requires little technical understanding of the threat to understand that 12 days is long enough for someone to exploit.

[Bananasplit_00]

better take some of that edge off

[Sauron]

1 minute ago, mr moose said:

Sorry I meant to say edge.  Either way, the consumer still doesn;t have a choice while google does.

 

Can you name a single website a regular consumer needs that only runs on edge? And again, security through obscurity doesn't work.

[Sauron]

7 minutes ago, dalekphalm said:

They are actively working on a patch and have a tentative patch date (March 13th).

This is a false equivalency though.

 

The ease of fixing a bug can vary extremely. And the fact that they categorized it as "medium" severity has in no way, a bearing on how easy it is to fix.

 

Furthermore, the code being "good or not" also has no bearing on how easy it is to fix.

 

Great code can have really strange bugs that take a long time to fix. That's just how it works sometimes.

 

It was discovered on or around November 17th. Microsoft states they should have a patch ready for March 13th. That's 116 days.

 

That means they were only 26 days over the normal 90-day window, and furthermore, they're only 12 days over the 14-day extension.

 

Google could have easily given Microsoft another 12 days to meet the March 13th patch target.

Maybe so, but ignoring it is not a solution.

[dalekphalm]

9 minutes ago, Sauron said:

Maybe so, but ignoring it is not a solution.

But Microsoft isn't ignoring it. They have a tentative patch date scheduled.

 

Now, if they hadn't done that? Sure, I'd be on board with you.

[Sauron]

4 minutes ago, dalekphalm said:

But Microsoft isn't ignoring it. They have a tentative patch date scheduled.

 

Now, if they hadn't done that? Sure, I'd be on board with you.

I'm saying that we shouldn't expect Google to just shut up about it. I'm sure they considered the circumstances and decided more time was not warranted.

[dalekphalm]

3 minutes ago, Sauron said:

I'm saying that we shouldn't expect Google to just shut up about it. I'm sure they considered the circumstances and decided more time was not warranted.

But how do they make that decision?

 

That's the thing. If this is all about transparency, then where's the transparency about Google's decision to ignore Microsoft's stated patch date and release the info anyway?

 

We seem to be taking Google's word that more time was "not warranted", but we're not taking Microsoft's word that it'll be patched on a specific date they've specified?

 

Seems rather biased, to me. If Google wants to release the info anyway, even after Microsoft has committed to a date, they should have to justify that decision.

[Sauron]

4 minutes ago, dalekphalm said:

But how do they make that decision?

 

That's the thing. If this is all about transparency, then where's the transparency about Google's decision to ignore Microsoft's stated patch date and release the info anyway?

 

We seem to be taking Google's word that more time was "not warranted", but we're not taking Microsoft's word that it'll be patched on a specific date they've specified?

 

Seems rather biased, to me. If Google wants to release the info anyway, even after Microsoft has committed to a date, they should have to justify that decision.

Should we take MS' word instead? (pun intended)

 

Google has a precise policy and this is the reason they have it - to make sure they can't be called out for preferential treatment. Once you're notified about the bug, you have 90 days to fix it and then it's up to google (or whomever found the bug) todecid what to do.

[dalekphalm]

5 minutes ago, Sauron said:

Should we take MS' word instead? (pun intended)

 

Google has a precise policy and this is the reason they have it - to make sure they can't be called out for preferential treatment. Once you're notified about the bug, you have 90 days to fix it and then it's up to google (or whomever found the bug) todecid what to do.

We either shouldn't take either of their word, or we should take both.

 

My point is that on the surface, what Google has done seems unethical.

 

They've decided 90 days is the arbitrary period. Microsoft said they would need 116 days. Google would only give them 104 days (an arbitrary 90 days + an arbitrary 14 day extension).

 

Google did not (at least, not that I can see) explain why they thought giving Microsoft an extra 12 days was unacceptable.

 

Having a rigid no exceptions system is bad for everyone, entirely because it's arbitrary. It doesn't promote other devs to fix their bugs because if the devs need more time, they won't get it.

[Sauron]

12 minutes ago, dalekphalm said:

We either shouldn't take either of their word, or we should take both.

 

My point is that on the surface, what Google has done seems unethical.

 

They've decided 90 days is the arbitrary period. Microsoft said they would need 116 days. Google would only give them 104 days (an arbitrary 90 days + an arbitrary 14 day extension).

 

Google did not (at least, not that I can see) explain why they thought giving Microsoft an extra 12 days was unacceptable.

 

Having a rigid no exceptions system is bad for everyone, entirely because it's arbitrary. It doesn't promote other devs to fix their bugs because if the devs need more time, they won't get it.

I see what you mean but I disagree. I think there have been enough horror stories about known vulnerabilities being left to rot for years to be anything less than strict with this sort of thing. Google already extended their default grace period for MS, I think they have played as fairly as they should have.

[dalekphalm]

56 minutes ago, Sauron said:

I see what you mean but I disagree. I think there have been enough horror stories about known vulnerabilities being left to rot for years to be anything less than strict with this sort of thing. Google already extended their default grace period for MS, I think they have played as fairly as they should have.

But they didn't extend their grace period. At least, not in the way you're saying.

 

Microsoft said "We can get the patch out on this date", and Google said "Nah, sorry, we'll only give you an extra 14 days".

 

It just seems spiteful and pointless.

 

Had Microsoft not given a strict and specific date? I would agree with you. But that's not the reality of the situation.

 

Yes we have to hold them to it, but if a dev comes back with a specific patch date, there really should be no reason not to honour their patch date.

[Sauron]

11 minutes ago, dalekphalm said:

But they didn't extend their grace period. At least, not in the way you're saying.

 

Microsoft said "We can get the patch out on this date", and Google said "Nah, sorry, we'll only give you an extra 14 days".

 

It just seems spiteful and pointless.

 

Had Microsoft not given a strict and specific date? I would agree with you. But that's not the reality of the situation.

 

Yes we have to hold them to it, but if a dev comes back with a specific patch date, there really should be no reason not to honour their patch date.

What if they said the patch would be ready next year on a precise date? Where do you draw the line?

[dalekphalm]

3 hours ago, Sauron said:

What if they said the patch would be ready next year on a precise date? Where do you draw the line?

I don't know where you would draw the line. But 12 days after the standard 14-day extension doesn't seem like the reasonable place to draw said line.

[mr moose]

8 hours ago, Sauron said:

Can you name a single website a regular consumer needs that only runs on edge? And again, security through obscurity doesn't work.

It's not security through obscurity though, It's about not telling everyone about a flaw that is yet to be patched.  

 

[LAwLz]

On 2/19/2018 at 7:20 PM, porina said:

Mostly non-news, but this surprised me a bit. I kinda wondered about that, given that MS routine security patch schedule is on 2nd Tuesday of each month, that could mean if Google notified them just after patch day, worst case they only realistically have 2 months to fix it to not have an unpatched exposure gap.

 

Then again, MS have also in the past offered out of cycle updates too, so that could remain a last resort.

No, you're looking at this the wrong way.

Yes, a few days after patch Tuesday Microsoft were informed. However, that does not mean they only had 2 months to fix it. They still had 3 months plus the grace period on them to fix it. What they did "only" have 2 months + grace period to do was deploy the update.

The timing of the information made their deployment period shorter, but not the allocated development time.

 

And like you said, they do out of cycle updates too on the fourth Tuesday of the month, which would actually have lined up quite nicely if they had applied for the 14 day grace period.

 

 

On 2/19/2018 at 7:28 PM, RorzNZ said:

Not really any of Google's business to dictate how long Microsoft should fix their bugs.

Yes it is. This is standard practice in the field of security. It is extremely important that exploits are given SLAs in order to put pressure on developers to actually fix issues.

 

 

On 2/19/2018 at 7:38 PM, RorzNZ said:

Google shouldn't dictate. Requesting it to be fixed within 90 days is a bad policy to then reveal the flaw to everyone who doesn't know. It is allotting a certian time for them to fix it or they reveal the flaw. Its not a good policy at all and its blatant scare tactics for people to switch to chrome.

They also have several grace periods you can apply for which extends the 90 day time limit.

Microsoft did not do this however.

 

 

On 2/19/2018 at 8:15 PM, RagnarokDel said:

Super dick move by GPZ.

You know what would have been a bigger dick move? Not putting any pressure on developers to fix issues.

Not following through and posting it when the time expired would also have been a terrible move because then developers know that the threat of public disclosure is not real, and they can drag their feet with updates.

[porina]

1 minute ago, LAwLz said:

Yes, a few days after patch Tuesday Microsoft were informed. However, that does not mean they only had 2 months to fix it. They still had 3 months plus the grace period on them to fix it. What they did "only" have 2 months + grace period to do was deploy the update.

The timing of the information made their deployment period shorter, but not the allocated development time.

Coffee hasn't kicked in yet but I think we're saying the same thing, maybe using different words.

[Guest]

1 minute ago, LAwLz said:

Yes it is. This is standard practice in the field of security. It is extremely important that exploits are given SLAs in order to put pressure on developers to actually fix issues.

Seeing as they are fixing the issues presumable as fas as possible within their timeline its not going to make a shred of difference in availability, but now its out there for people to exploit and how to. 

1 minute ago, LAwLz said:

They also have several grace periods you can apply for which extends the 90 day time limit.

Microsoft did not do this however.

People at Google are a bit thick. If they can't fix it in 90 days what makes anyone think 15 days will make a difference. It will be fixed when its fixed. If Google continue to do this, then regulations are necessary. The 90 day limit is impost entirely by Google. Its not an industry standard or regulation. 

This isn't so much Google rubbing it in Microsofts face that concerns me or risk of stock or anything like that, its risk to the consumer. There are obviously proper internal channels of communication between Google and Microsoft, Google need to use that instead of chucking it out into the public. Its great of course that these exploits are found but its completely stupid to reveal them to the public instead of the official channels. Its just not that hard to make everyone happy about this situation. 

As of this article we know:

 

- Google has been in touch with MS for at least 90 days on this without the public knowing. This is a lesser risk while they work on the exploit as its not widely known

- Microsoft are working on it (Priority is a pretty abstract concept in this term; there will be people on the clock working on it)

- Microsoft are releasing a fix on the 13th of March

- Google released info on the exploit anyway, putting users at more risk than before. 

If Google did not release information about the exploit to the public, there would be a lot less riff-raff about the whole thing and no one, including hackers, would know about this exploit (Assuming they didn't discover it themselves, which is a lot less likely if Google didn't put it up on their forums)

This is a ridiculous move by Google only, not a fault of anyone else.

 

[Eniqmatic]

10 hours ago, dalekphalm said:

We either shouldn't take either of their word, or we should take both.

 

My point is that on the surface, what Google has done seems unethical.

 

They've decided 90 days is the arbitrary period. Microsoft said they would need 116 days. Google would only give them 104 days (an arbitrary 90 days + an arbitrary 14 day extension).

 

Google did not (at least, not that I can see) explain why they thought giving Microsoft an extra 12 days was unacceptable.

 

Having a rigid no exceptions system is bad for everyone, entirely because it's arbitrary. It doesn't promote other devs to fix their bugs because if the devs need more time, they won't get it.

See the link here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1435#c6

 

The comment from 2/3 days ago is: 

MSRC reached out to me to to clarify that, because of the complexity of the fix, they do not yet have a fixed date set as of yet.

So seems that they backtracked again on meeting the deadline that they asked for, March 13th, how many times do you let them keep extending the deadline?

[mr moose]

8 minutes ago, Eniqmatic said:

See the link here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1435#c6

 

The comment from 2/3 days ago is: 

MSRC reached out to me to to clarify that, because of the complexity of the fix, they do not yet have a fixed date set as of yet.

So seems that they backtracked again on meeting the deadline that they asked for, March 13th, how many times do you let them keep extending the deadline?

MS asked for an extension to march 13,  that wasn't granted. How do they back track on an extension that wasn't granted?