Google exposes security flaw in Microsoft Edge before a patch is ready

ItsMitch
1 minute ago, mr moose said:

MS asked for an extension to March 13, that wasn't granted. How do they backtrack on an extension that wasn't granted?

The latest update says "they do not have a fixed date set as of yet". I'm not saying they backtracked on an extension that they didn't get (sorry if it seemed that way), I was just pointing out that that is why there are hard deadlines set, because if Google had granted MS the deadline to March 13th, and 3 days later MS says "Yeah you know that extension we asked for that you gave us... gonna need a little bit longer".


On 2/19/2018 at 9:53 PM, RorzNZ said:

I guess that's true but they should probably pressure Microsoft behind closed doors, they are working on it nevertheless. I don't think it really benefits anyone to reveal it to the world. I'm really thinking of businesses who would use Edge on their work PCs and aren't that tech savvy.

The disclosure itself does not benefit anyone, but what does benefit people is threatening companies into action by putting time limits on them.

This is how things work in the security world.

Security updates are seen by most companies as 100% losses. They take time and money to fix and do not bring in any additional revenue. Therefore there is tremendous resistance to fixing security issues in general.

That's why it is standard practice in the computer security world to put time limits before public disclosures. That way companies are forced into action.

If you then don't follow through with the disclosures, companies will learn that the disclosure threat doesn't have to be taken seriously, and they will go back to dragging their feet.

On 2/19/2018 at 10:04 PM, mr moose said:

They should put pressure on companies to have it fixed to a degree. That is good for consumers, however if that time comes and the company in question has been working on it and has shown there to be a legitimate reason for a delay (it's not like they have anything to gain from doing nothing), then Google should not be cunts about it and give them more time. Let's be honest, that 90 days thing is an arbitrary number that would be more than enough in some cases but nowhere near enough in others.

Google also has a grace period you can apply for in those situations, but Microsoft chose not to do it.

If you show Google that you are working on a fix and are soon ready to deploy it they extend the time by 14 days, making it 104 days in total.

They also have different disclosures for things like Spectre and Meltdown which require more work.

The problem is that Microsoft classified this as a medium issue, and it looks like they will have taken almost 1/3 of a year to fix it.

11 hours ago, RorzNZ said:

Seems like they really dropped the ball on telling Microsoft how to fix it then.

Google are unable to tell Microsoft how to fix the issues because Edge is closed source.

They have however provided Microsoft with a very detailed description of what happens and how it can be exploited.

It is detailed here: Microsoft Edge: ACG bypass using UnmapViewOfFile

Microsoft has most likely been able to contact Google for more information about the issue too, if they needed more assistance with fixing it.


11 hours ago, dalekphalm said:

Google could have easily given Microsoft another 12 days to meet the March 13th patch target.

You have to draw the line somewhere. If Google constantly gave companies time extensions then the purpose of the deadline would lose some of its edge.

The entire purpose of the timed disclosure is to make sure companies allocate the resources necessary to have security issues fixed. By being soft on this companies will just drag their feet more.

11 hours ago, mr moose said:

Sorry, I meant to say Edge. Either way, the consumer still doesn't have a choice while Google does.

Consumers have a choice. They are now informed that Edge is vulnerable and they can take appropriate actions to avoid this issue.

For example they can switch to another browser such as Internet Explorer or Firefox.

11 hours ago, dalekphalm said:

My point is that on the surface, what Google has done seems unethical.

Nothing unethical about it. Like I have said before, this is standard practice in the security industry and the purpose is to make sure companies allocate the necessary resources to fix issues, rather than drag their feet.

11 hours ago, dalekphalm said:

They've decided 90 days is the arbitrary period. Microsoft said they would need 116 days. Google would only give them 104 days (an arbitrary 90 days + an arbitrary 14 day extension).

And what if Microsoft, on day 114, say that they are only 10 days away from the patch being deployed? What if, once that date comes, they say they are sooo close to releasing it but they need a bit more time?

You need to draw the line somewhere, and in this case that line was drawn just shy of the time Microsoft estimates that they need.

Project Zero already gives developers some wiggle room, but when not even that wiggle room is enough for companies, I think it is appropriate to go through with your threat. Again, otherwise the entire idea behind timed disclosures falls apart.

I don't follow all exploits found by Project Zero, but I'd guess that the vast majority are fixed within the 90-day disclosure time. If @AluminiumTech is to be believed, the Edge team has fairly limited resources. If that is the case then it is a conscious decision Microsoft has made to not allocate enough resources to this issue to have it fixed in a reasonable time frame.


On 2/19/2018 at 7:24 PM, deXxterlab97 said:

Microsoft Edge is the browser you use to download Google Chrome

or Vivaldi

- snip-


17 minutes ago, LAwLz said:

Google also has a grace period you can apply for in those situations, but Microsoft chose not to do it.

If you show Google that you are working on a fix and are soon ready to deploy it they extend the time by 14 days, making it 104 days in total.

They also have different disclosures for things like Spectre and Meltdown which require more work.

The problem is that Microsoft classified this as a medium issue, and it looks like they will have taken almost 1/3 of a year to fix it.

According to the link posted just above, they did at least inform Google that they were confident to have it done by Mar. 13th. But Google automatically derestricted it.

Quote

You have to draw the line somewhere. If Google constantly gave companies time extensions then the purpose of the deadline would lose some of its edge.

The entire purpose of the timed disclosure is to make sure companies allocate the resources necessary to have security issues fixed. By being soft on this companies will just drag their feet more.

Absolutely, I have no problem with that, but we are talking about an exploit that requires Edge to already be exploited and 14 days' grace to get the patches finalized and into the update system. We are not talking about taking years to fix an exploit that has WannaCry potential.

Quote

Consumers have a choice. They are now informed that Edge is vulnerable and they can take appropriate actions to avoid this issue.

For example they can switch to another browser such as Internet Explorer or Firefox.

I was referring to all those house mums who bought a Win 10 machine and don't know what Firefox or Chrome is. The ones that use Notepad as their word processor and think Facebook is the internet.

EDIT: which I imagine is 3.7% of internet users, given Edge has 3.8% market share.

17 minutes ago, RorzNZ said:

If they can't fix it in 90 days, what makes anyone think 15 days will make a difference? It will be fixed when it's fixed.

No, this is a horrible way of looking at security. The mentality that "it will be fixed when it's fixed" does not belong in the world of security.

Things need to be fixed and pressure needs to be applied to developers in order for them to fix things. Otherwise they will drag their feet.

22 minutes ago, RorzNZ said:

The 90-day limit is imposed entirely by Google. It's not an industry standard or regulation.

What do you mean? The specific 90-day period might not be an industry standard (most companies have their own timers) but the idea of responsible disclosure is. Releasing an exploit to the public after a set amount of time if the developers haven't fixed the issue is something even Microsoft agrees with.

Cisco Talos also has a 90-day period before disclosures (used to be 60 days).

The 90 day number was arrived at by talking to multiple vendors as well as analyzing a large set of data regarding average patch times.

According to Talos' data, the average patch time is 78 days.

42 days for open source applications and above 80 for closed source applications.

However, that 80-day number is because, while a lot of the larger companies that care about security offer patches on average 38 days after being informed, there is a large portion of companies that drag their feet and have an average patch time of 113 days.

People seem to think that the 90-day number was something Google grabbed out of thin air, but in reality it is actually a fairly well-researched subject which aligns very well with what it sets out to achieve (stop companies from dragging their feet).

You can read more about it here: Talos Responsible Disclosure Policy Update

Something you might be interested in too @dalekphalm.

1 minute ago, LAwLz said:

No, this is a horrible way of looking at security. The mentality that "it will be fixed when it's fixed" does not belong in the world of security.

Things need to be fixed and pressure needs to be applied to developers in order for them to fix things. Otherwise they will drag their feet.

What do you mean? The specific 90-day period might not be an industry standard (most companies have their own timers) but the idea of responsible disclosure is. Releasing an exploit to the public after a set amount of time if the developers haven't fixed the issue is something even Microsoft agrees with.

Cisco Talos also has a 90-day period before disclosures (used to be 60 days).

The 90 day number was arrived at by talking to multiple vendors as well as analyzing a large set of data regarding average patch times.

According to Talos' data, the average patch time is 78 days.

42 days for open source applications and above 80 for closed source applications.

However, that 80-day number is because, while a lot of the larger companies that care about security offer patches on average 38 days after being informed, there is a large portion of companies that drag their feet and have an average patch time of 113 days.

People seem to think that the 90-day number was something Google grabbed out of thin air, but in reality it is actually a fairly well-researched subject which aligns very well with what it sets out to achieve (stop companies from dragging their feet).

You can read more about it here: Talos Responsible Disclosure Policy Update

Something you might be interested in too @dalekphalm.

A horrible way of looking at security is assuming that Microsoft isn't working on it. They are working on it and Google know that.
MS is in no way dragging their feet about this issue. To have a solid date and assume they could have fixed it within the timeframe is ridiculous, especially if it is closed source.

This will affect people for no real reason other than the timeframe Google set was up. It doesn't matter whether Google researched it as a 90-day period.

1 hour ago, mr moose said:

According to the link posted just above, they did at least inform Google that they were confident to have it done by Mar. 13th. But Google automatically derestricted it.

Wait, what link are you talking about?

Microsoft reached out to Google 47 hours ago and said that they do not know when the fix will be ready. Microsoft also said that it won't be ready within the 14 day grace period.

That's all I can find about it.

From what I can tell, Microsoft did not even request the 14 day grace period since they knew they would not make it in time anyway.

1 hour ago, mr moose said:

Absolutely, I have no problem with that, but we are talking about an exploit that requires Edge to already be exploited and 14 days' grace to get the patches finalized and into the update system. We are not talking about taking years to fix an exploit that has WannaCry potential.

We are not talking about a 14-day grace period. Microsoft has said that they are positive that the patch will be ready for deployment on March 13. That would be a 26-day grace period, not 14 days.

You have to draw the line somewhere, and when developers start missing their deadlines by almost a month I think it's time to put your foot down.

Especially when it's an issue like this which isn't all too serious.

1 hour ago, mr moose said:

I was referring to all those house mums who bought a Win 10 machine and don't know what Firefox or Chrome is. The ones that use Notepad as their word processor and think Facebook is the internet.

EDIT: which I imagine is 3.7% of internet users, given Edge has 3.8% market share.

Look at it this way.

Imagine if I walked up to you and said

"Hi! I noticed that you have a <insert model of car>. Did you know that if you leave the steering wheel in that position, the locks on the car don't work and you can start it without needing the keys? I contacted the car manufacturer about it 4 months ago but they still haven't done anything about it. I recommend you carefully put it in a different position until the manufacturer does something".

Would you not get pissed at the manufacturer? Not sure about you, but I would be happier if I was informed about this issue so that I could do something about it. I most certainly wouldn't get mad at the person who told me about it.

2 minutes ago, RorzNZ said:

MS is in no way dragging their feet about this issue.

Nobody except Microsoft knows that.

You don't know it. I don't know it. Not even Google knows it.

For all we know, Microsoft could have been able to fix this earlier if they allocated more resources to it.

29 minutes ago, LAwLz said:

Nobody except Microsoft knows that.

You don't know it. I don't know it. Not even Google knows it.

For all we know, Microsoft could have been able to fix this earlier if they allocated more resources to it.

Or just to expand on this, we have 0 evidence that they even allocated resources to it when they were informed. For all we know their work on it could have been entirely in the past few days before hitting the "oh shit, we can't fix this on time!" button.

LAwLz is totally right here in that we have no evidence to support the idea that Microsoft wouldn't have dragged this out if the deadline was pushed back.

11 hours ago, LAwLz said:

Wait, what link are you talking about?

Microsoft reached out to Google 47 hours ago and said that they do not know when the fix will be ready. Microsoft also said that it won't be ready within the 14 day grace period.

That's all I can find about it.

The statement from 47 hours ago is not a quote from MS, it is just a comment about MS reaching out to them; it does not say when this reaching out occurred. The first post in that link is a direct quote where MS claims they will be ready but it will be after the 14-day grace period:

Quote

"The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays."

MS did ask for an extension and clearly gave Google a date they expect it to ship.

Quote

From what I can tell, Microsoft did not even request the 14 day grace period since they knew they would not make it in time anyway.

That may be true or it may not; I don't know, and there is no way we can know without seeing such interchanges for ourselves. But from the post linked above it reads like they did apply. Why else would they say "however this is beyond the 90-day SLA and 14-day grace period" if they never asked for one?

Quote

We are not talking about a 14-day grace period. Microsoft has said that they are positive that the patch will be ready for deployment on March 13. That would be a 26-day grace period, not 14 days.

My understanding is they already had a 12-day grace period. 12+14 = 26 days.

Quote

You have to draw the line somewhere, and when developers start missing their deadlines by almost a month I think it's time to put your foot down.

Especially when it's an issue like this which isn't all too serious.

That's more a subjective perspective. I think if it is less serious they can be more generous with grace periods so long as MS aren't taking the piss and are actually committing to fixing it. We don't know how hard it was to fix.

Quote

Look at it this way.

Imagine if I walked up to you and said

"Hi! I noticed that you have a <insert model of car>. Did you know that if you leave the steering wheel in that position, the locks on the car don't work and you can start it without needing the keys? I contacted the car manufacturer about it 4 months ago but they still haven't done anything about it. I recommend you carefully put it in a different position until the manufacturer does something".

Would you not get pissed at the manufacturer? Not sure about you, but I would be happier if I was informed about this issue so that I could do something about it. I most certainly wouldn't get mad at the person who told me about it.

I'm just saying there is a significant number of people who by their very nature will not change or cannot change the browser they use. Surely it's not a foreign concept that people have this mindset? I mean I hear people arguing this is why all telemetry needs to be opt in. No one is suggesting anyone should get mad at Google, except maybe if they tell everyone about a flaw and that leads to unnecessary exploits.

10 hours ago, Sniperfox47 said:

Or just to expand on this, we have 0 evidence that they even allocated resources to it when they were informed. For all we know their work on it could have been entirely in the past few days before hitting the "oh shit, we can't fix this on time!" button.

LAwLz is totally right here in that we have no evidence to support the idea that Microsoft wouldn't have dragged this out if the deadline was pushed back.

We have zero evidence of lots of things. I have zero evidence NK is a humanitarian state, does that mean it is?

Having zero evidence of something isn't proof of the opposite. Believe it or not, it's just nothing. Not an argument, not proof; having zero evidence barely supports a hypothesis, let alone a theory.

13 hours ago, LAwLz said:

Look at it this way.

Imagine if I walked up to you and said

"Hi! I noticed that you have a <insert model of car>. Did you know that if you leave the steering wheel in that position, the locks on the car don't work and you can start it without needing the keys? I contacted the car manufacturer about it 4 months ago but they still haven't done anything about it. I recommend you carefully put it in a different position until the manufacturer does something".

Would you not get pissed at the manufacturer? Not sure about you, but I would be happier if I was informed about this issue so that I could do something about it. I most certainly wouldn't get mad at the person who told me about it.

Not exactly.

It would be like if, in your example, the car thief was standing behind you looking over your shoulder as said random person told you about the flaw.

It would be one thing if individual users were notified (I realize such a system is likely improbable if not impossible) about said exploit, but what is actually happening is not comparable to your example.

I get what you're saying, but it's not quite the same thing.

7 hours ago, mr moose said:

We have zero evidence of lots of things. I have zero evidence NK is a humanitarian state, does that mean it is?

Having zero evidence of something isn't proof of the opposite. Believe it or not, it's just nothing. Not an argument, not proof; having zero evidence barely supports a hypothesis, let alone a theory.

You're right. Which means we need to make an assumption. When conducting inquiry, which assumption do you make? The one you want to see or the one you don't want to?

At the end of the day, the only rational way to look at security is to assume the worst. That no system is safe, that everyone is a lazy asshole, and that nobody's going to update their systems. That will lead to at least some people being partially safe.

The alternative is to base your security principles on this idea that people will do work and update things and keep them secure out of the goodness of their heart, and if years and years of history have taught us anything, it's that that is rarely, if ever, the case. It would result in a lot of people being far more insecure than they already are.

Security should be pushed. It should be forced. Because if it's not, the alternative is a lack of any security.

1 minute ago, Sniperfox47 said:

You're right. Which means we need to make an assumption. When conducting inquiry, which assumption do you make? The one you want to see or the one you don't want to?

You are assuming I have to make an assumption. We have enough information for me to make the claims I did. I don't see how making assumptions is necessary in this unless you want to form an opinion that is counter to the information.

12 hours ago, mr moose said:

The statement from 47 hours ago is not a quote from MS, it is just a comment about MS reaching out to them; it does not say when this reaching out occurred. The first post in that link is a direct quote where MS claims they will be ready but it will be after the 14-day grace period:

Just so that we are on the same page, you believe that Microsoft reached out to Google and said that they did not have a date yet, and then at some point after that Microsoft got confident that they would have time to release it on March 13?

This is not what it seems like to me, because according to the logs, Microsoft made the statement about the March 13 release on, or before, February 15. Then at some point between February 15 and February 19, they reached out again to clarify that the issue is more complex than they had anticipated, and could not promise any date for the fix.

So the comment about them not having a set date is more recent information than the one where they said it would be ready for March 13.

13 hours ago, mr moose said:

MS did ask for an extension and clearly gave Google a date they expect it to ship.

We have no evidence for this, at all.

13 hours ago, mr moose said:

That may be true or it may not; I don't know, and there is no way we can know without seeing such interchanges for ourselves. But from the post linked above it reads like they did apply. Why else would they say "however this is beyond the 90-day SLA and 14-day grace period" if they never asked for one?

I don't think you understand what the grace period is for.

The grace period is not to give developers more time on fixing the issue. It is there so that in the event that the disclosure date falls slightly before the scheduled rollout of a finished update, the disclosure can be delayed until after the patch is pushed out with other scheduled updates.

To me it seems like Microsoft does not have a patch ready, nor do they know when it will be ready.

All they knew was that it would not be ready within the 90 day deadline, and that even if they were given the extension they would not be able to align the release with their scheduled patch Tuesday.

So Microsoft's estimate is that the patch will be ready sometime between the deadline ending (including the grace period) and their patch Tuesday.

So to me it seems logical for them to not even request the grace period, because they do not fulfill the requirements to have it granted, and even if they did the update would still not be out before the disclosure happened.

13 hours ago, mr moose said:

My understanding is they already had a 12-day grace period. 12+14 = 26 days.

Nope

The issue was reported November 17 and it was made public February 15. That's exactly 90 days.

13 hours ago, mr moose said:

That's more a subjective perspective. I think if it is less serious they can be more generous with grace periods so long as MS aren't taking the piss and are actually committing to fixing it. We don't know how hard it was to fix.

I disagree.

It's when the issues aren't perceived as serious that developers are the most likely to drag their feet. That's when they need real threats of public disclosure the most.

It's with things like Meltdown and Spectre that more flexible rules need to apply, because of the severity of the situations.

The problem with your line of thinking is that there is no way to verify that "MS aren't taking the piss and are actually committing to fixing it".

The only ones that know how many resources they are dedicating to fixing the issue are Microsoft themselves. Since there is no way for Google or other security groups to know how seriously the issue gets treated at the companies, they have to assume the worst.

Security should not be based on faith that companies are willing to spend money to do the right things. Companies see security updates as black holes where they throw in money never to see it again, and that's why most of the time they don't prioritize it.

13 hours ago, mr moose said:

I'm just saying there is a significant number of people who by their very nature will not change or cannot change the browser they use. Surely it's not a foreign concept that people have this mindset? I mean I hear people arguing this is why all telemetry needs to be opt in. No one is suggesting anyone should get mad at Google, except maybe if they tell everyone about a flaw and that leads to unnecessary exploits.

I legitimately have no idea what you're talking about. I don't understand how what you are saying has any relevance to the section you quoted.

Maybe I am being stupid, but I really don't get it. Sorry. Can you please elaborate on what you mean?

What mindset do people have exactly? How is telemetry being opt in related to this?
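The deadline arithmetic the posts above argue over (90 days from the November 17 report, the 14-day grace window, and whether a March 13 Patch Tuesday ship date can fit inside it), worked through as an added example that is not from the thread or from either company's own tooling. The decision rule in `disclosure_plan` is an assumed reading of how the grace period is described in this thread, and all function names are mine.

```python
from datetime import date, timedelta
from typing import Optional

# Numbers the thread quotes: Project Zero's 90-day deadline and the 14-day
# grace period that can delay disclosure only until a finished patch ships.
DISCLOSURE_DAYS = 90
GRACE_DAYS = 14


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular update day."""
    first = date(year, month, 1)
    # weekday(): Monday is 0, Tuesday is 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(on_or_after: date) -> date:
    """First Patch Tuesday that falls on or after the given date."""
    candidate = patch_tuesday(on_or_after.year, on_or_after.month)
    if candidate >= on_or_after:
        return candidate
    year, month = on_or_after.year, on_or_after.month + 1
    if month > 12:
        year, month = year + 1, 1
    return patch_tuesday(year, month)


def disclosure_plan(reported: date, vendor_ship_date: Optional[date]) -> dict:
    """Work out the disclosure date under the rule the thread describes.

    Assumed reading of the policy (an interpretation for this example, not
    Google's own wording):
    - the report goes public DISCLOSURE_DAYS after it was filed;
    - if the vendor has a firm ship date at most GRACE_DAYS past that
      deadline, disclosure slides to the ship date;
    - a later or unknown ship date earns no extension at all.
    """
    deadline = reported + timedelta(days=DISCLOSURE_DAYS)
    grace_end = deadline + timedelta(days=GRACE_DAYS)
    plan = {
        "deadline": deadline,
        "grace_end": grace_end,
        "vendor_ship_date": vendor_ship_date,
        "days_past_deadline": None,
        "grace_applies": False,
        "disclose_on": deadline,
        "reason": "no ship date given; disclose at the deadline",
    }
    if vendor_ship_date is None:
        return plan
    plan["days_past_deadline"] = (vendor_ship_date - deadline).days
    if vendor_ship_date <= deadline:
        plan["reason"] = "fix ships before the deadline; nothing to extend"
    elif vendor_ship_date <= grace_end:
        plan["grace_applies"] = True
        plan["disclose_on"] = vendor_ship_date
        plan["reason"] = "ship date is inside the grace window; disclosure slides"
    else:
        plan["reason"] = "ship date is past the grace window; no extension"
    return plan


def plan_from_iso(reported: str, vendor_ship_date: Optional[str]) -> dict:
    """Same as disclosure_plan, but with ISO date strings in and out."""
    ship = date.fromisoformat(vendor_ship_date) if vendor_ship_date else None
    plan = disclosure_plan(date.fromisoformat(reported), ship)
    return {k: (v.isoformat() if isinstance(v, date) else v) for k, v in plan.items()}


if __name__ == "__main__":
    # The Edge case as the thread states it: reported November 17, 2017,
    # public February 15, 2018, fix promised for the next Patch Tuesday
    # after the deadline, which is March 13, 2018.
    ship = next_patch_tuesday(date(2018, 2, 16))
    for key, value in plan_from_iso("2017-11-17", ship.isoformat()).items():
        print(f"{key:>20}: {value}")
```

Run as a script it prints the 26-day gap between the February 15 deadline and the March 13 ship date that the thread argues about, and shows the grace window closing on March 1.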

11 hours ago, dalekphalm said:

Not exactly.

 

It would be like if, in your example, the car thief was standing behind you looking over your shoulder as said random person told you about the flaw.

It would be one thing if individual users were notified (I realize such a system is likely improbable if not impossible) about said exploit, but what is actually happening is not comparable to your example.

I get what you're saying, but it's not quite the same thing.

My example is comparable though.

Imagine if there were several people on the street who had the same type of car, and everyone parked in the same parking lot. The person would have to go around telling everyone about it. By warning everyone (you cannot just warn the affected people who also have good intentions; such a system is impossible) the affected people get notified, but there is a risk that someone with malicious intentions got warned as well.

Would you rather live in ignorance of the security issue that thieves are potentially aware of, or would you rather be informed so that you could do something to protect yourself?

Just because Google published this now doesn't mean others haven't been aware of it since earlier. Google aren't always first with discovering security issues.

7 hours ago, LAwLz said:

My example is comparable though.

Imagine if there were several people on the street who had the same type of car, and everyone parked in the same parking lot. The person would have to go around telling everyone about it. By warning everyone (you cannot just warn the affected people who also have good intentions; such a system is impossible) the affected people get notified, but there is a risk that someone with malicious intentions got warned as well.

Would you rather live in ignorance of the security issue that thieves are potentially aware of, or would you rather be informed so that you could do something to protect yourself?

Just because Google published this now doesn't mean others haven't been aware of it since earlier. Google aren't always first with discovering security issues.

But the example you gave before is not the example you gave just now.

Your current example is much more apt. You tell a parking lot ("everyone"), and the malicious folks also get notified.

I don't have a problem with this example, as it's accurate. I do have a problem with your initial example, because it does not clearly show the risk associated with it.

Do the gains of knowledge outweigh the risks of malicious people learning about it too? Probably, yes. But we need to know about that risk to make an informed decision.

9 hours ago, LAwLz said:

Just so that we are on the same page, you believe that Microsoft reached out to Google and said that they did not have a date yet, and then at some point after that Microsoft got confident that they would have time to release it on March 13?

 

This is not what it seems like to me, because according to the logs, Microsoft made the statement about the March 13 release on, or before, February 15. Then at some point between February 15 and February 19, they reached out again to clarify that the issue is more complex than they had anticipated, and could not promise any date for the fix.

 

So the comment about them not having a set date is more recent information than the one where they said it would be ready for March 13.

The comment was neither a quote from MS nor qualified. All it means is that MS did talk to them at some stage from the very start and said they don't know when they'll get it sorted.

 

9 hours ago, LAwLz said:

We have no evidence for this, at all.

 

Then either MS don't care or that statement they made regarding the patch being released 14 days after the grace period means nothing. Hell, it's even possible there was more to that post but it has been redacted to just include the date and not the request. Many things are possible here.

 

9 hours ago, LAwLz said:

I don't think you understand what the grace period is for.

The grace period is not to give developers more time on fixing the issue. It is there so that in the event that the disclosure date falls slightly before the scheduled rollout of a finished update, the disclosure can be delayed until after the patch is pushed out with other scheduled updates.

The initial quote from MS still insinuates they are asking for/asked for an extension.

 

9 hours ago, LAwLz said:

To me it seems like Microsoft does not have a patch ready, nor do they know when it will be ready.

All they knew was that it would not be ready within the 90 day deadline, and that even if they were given the extension they would not be able to align the release with their scheduled patch Tuesday.

So Microsoft's estimate is that the patch will be ready sometime between the deadline ending (including the grace period) and their patch Tuesday.

Except there is a quote from MS saying exactly when it will be pushed out.

 

9 hours ago, LAwLz said:

So to me it seems logical for them to not even request the grace period, because they do not fulfill the requirements to have it granted, and even if they did the update would still not be out before the disclosure happened.

Maybe they didn't ask, but the wording in that quote would make little sense if they didn't or it wasn't part of a request. 

 

9 hours ago, LAwLz said:

Nope

The issue was reported November 17 and it was made public February 15. That's exactly 90 days.

Still doesn't explain the quote from MS talking about definitely having a date 14 days after the grace period. 

 

9 hours ago, LAwLz said:

 

I disagree.

It's when the issues aren't perceived as serious that developers are the most likely to drag their feet. That's when they need real threats of public disclosure the most.

It's with things like Meltdown and Spectre that more flexible rules need to apply, because of the severity of the situations.

Just opinions here.

 

9 hours ago, LAwLz said:

The problem with your line of thinking is that there is no way to verify that "MS aren't taking the piss and are actually committing to fixing it".

The only ones that know how many resources they are dedicating to fixing the issue are Microsoft themselves. Since there is no way for Google or other security groups to know how seriously the issue gets treated at the companies, they have to assume the worst.

 

By the same token you can't use a lack of evidence as proof. We have a quote from MS saying they have a patch ready to go on March 13 and a post from Google claiming something different.

 

 

9 hours ago, LAwLz said:

Security should not be based on faith that companies are willing to spend money to do the right things. Companies see security updates as black holes where they throw in money to never see it again, and that's why they most of the time don't prioritize it.

I agree, to an extent. I don't know that companies don't prioritize security all the time; some may try to sweep it under the carpet, but it really depends on the company and the ramifications of being caught.

 

9 hours ago, LAwLz said:

I legitimately have no idea what you're talking about. I don't understand how what you are saying has any relevance to the section you quoted.

Maybe I am being stupid, but I really don't get it. Sorry. Can you please elaborate on what you mean?

What mindset do people have exactly? How is telemetry being opt in related to this?

 

My initial comment was that people on Edge don't have an alternative, not because Edge is exclusively specific to some use, but because the user has no idea other browsers exist, nor that Google have released this threat, or that Google even do this work. To argue they have a choice because technically they do is the same argument people rejected with opt-out telemetry, saying they don't really have a choice because their knowledge and skills mean they'll just click through the process.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


3 minutes ago, mr moose said:

The comment was neither a quote from MS nor qualified.   All it means is MS did talk to them at some stage since from the very start and say they don't know when they'll get it sorted.

So you think that Google are deliberately posting comments from Microsoft in the wrong order?

Why would they do that?

 

4 minutes ago, mr moose said:

Then either MS don't care or that statement they made regarding the patch being released 14 days after the grace period means nothing. Hell, it's even possible there was more to that post but it has been redacted to just include the date and not the request. Many things are possible here.

Microsoft can still care, but why make a request when there is no way it will be granted? Why make a request when you won't finish on time regardless?

Besides, the security hole is not that serious so spending time and energy trying to negotiate for something you won't get is unnecessary, especially since the end result would still be that the security hole was posted before the patch rolled out.

 

The statement about the 14 day grace period was just to explain why the security hole was published when it was, and why the grace period wouldn't have helped.

 

10 minutes ago, mr moose said:

The initial quote from MS still insinuates they are asking for/asked for an extension.

I can agree with that, but sadly in the world of security you can't afford to have companies constantly pushing for extensions to deadlines.

 

14 minutes ago, mr moose said:

Except there is a quote from MS saying exactly when it will be pushed out.

And from what we can tell that was before they reached out and said the issue was more complex than they anticipated and could not give a specific date on when it would be fixed.

 

15 minutes ago, mr moose said:

By the same token you can't use a lack of evidence as proof. We have a quote from MS saying they have a patch ready to go on March 13 and a post from Google claiming something different.

Actually, what we got are two quotes from Google. One saying that Microsoft has told them they will have a patch ready for March 13, and then another one that Microsoft has discovered that the issue is more complex than they first thought.

You know that quote in the OP? That quote was taken from Ivan Fratric's comment (the one who discovered the issue). Microsoft has, as far as I am aware, made no public statement about this at all. All the info we got is from Google.

 

But anyway, when it comes to security there is very little good faith. It doesn't make sense to have good faith and give companies extensions because it would undermine the entire reason for having deadlines to begin with.

Sorry, but being soft doesn't work. Companies don't want to invest in security so public exposure is needed to whip them into fixing issues in a reasonable time frame.

 

Since we don't have any evidence of how Microsoft prioritized fixing this, we should expect the worst. That's the logical thing to do with security. You don't keep silent about issues in the hopes that they will fix it on their own accord.

 

33 minutes ago, mr moose said:

I agree, to an extent. I don't know that companies don't prioritize security all the time; some may try to sweep it under the carpet, but it really depends on the company and the ramifications of being caught.

Yes it depends on the company, but the sad truth is that most for-profit companies do not prioritize security updates.

That's why it takes a closed source vendor on average over twice as long to fix issues once they are reported. 42 days vs over 80 days.

There are some closed source vendors which are very quick, offering fixes an average of 38 days after the issue was reported, but those are the exceptions rather than the norm.

 

43 minutes ago, mr moose said:

My initial comment was that people on Edge don't have an alternative, not because Edge is exclusively specific to some use, but because the user has no idea other browsers exist, nor that Google have released this threat, or that Google even do this work. To argue they have a choice because technically they do is the same argument people rejected with opt-out telemetry, saying they don't really have a choice because their knowledge and skills mean they'll just click through the process.

You raise an interesting point and it's a valid one.

There will be users put at risk because of this since they don't know about other browsers. You have to weigh the benefits vs the drawbacks though, and I think releasing it to the public is the right thing to do. You need clear cut rules so that companies know what they are dealing with.

 

 

 

By the way, to everyone saying that Google doesn't do this to themselves, they do.

Here is one about Android.

It was discovered by Project Zero on October 19, and released to the public on January 17 because Google missed the deadline.


31 minutes ago, LAwLz said:

So you think that Google are deliberately posting comments from Microsoft in the wrong order?

Why would they do that?

 

No, it's just the way the comments are; we don't know why they are posted or why three of them were deleted. I make it a habit not to read into things that aren't written. One post is in quotes so we can assume it is direct from MS; the other is not.

 

31 minutes ago, LAwLz said:

Microsoft can still care, but why make a request when there is no way it will be granted? Why make a request when you won't finish on time regardless?

Besides, the security hole is not that serious so spending time and energy trying to negotiate for something you won't get is unnecessary, especially since the end result would still be that the security hole was posted before the patch rolled out.

If by spending time negotiating you mean sending an email explaining the threat will be patched on March 13, then I guess they did consider it necessary.

 

31 minutes ago, LAwLz said:

The statement about the 14 day grace period was just to explain why the security hole was published when it was, and why the grace period wouldn't have helped.

 

I can agree with that, but sadly in the world of security you can't afford to have companies constantly pushing for extensions to deadlines.

What if they can't actually fix it during the deadline?  Are you suggesting threats should be made public anyway?

 

31 minutes ago, LAwLz said:

And from what we can tell that was before they reached out and said the issue was more complex than they anticipated and could not give a specific date on when it would be fixed.

If the chronology of that comment is in line with MS correspondence then it came after Google derestricted the threat. It's too late to ask for anything then.

 

31 minutes ago, LAwLz said:

Actually, what we got are two quotes from Google. One saying that Microsoft has told them they will have a patch ready for March 13, and then another one that Microsoft has discovered that the issue is more complex than they first thought.

You know that quote in the OP? That quote was taken from Ivan Fratric's comment (the one who discovered the issue). Microsoft has, as far as I am aware, made no public statement about this at all. All the info we got is from Google.

 

I never said they made a public statement. I am going solely off the posts in the bug report link.

31 minutes ago, LAwLz said:

But anyway, when it comes to security there is very little good faith. It doesn't make sense to have good faith and give companies extensions because it would undermine the entire reason for having deadlines to begin with.

Sorry, but being soft doesn't work. Companies don't want to invest in security so public exposure is needed to whip them into fixing issues in a reasonable time frame.

 

Since we don't have any evidence of how Microsoft prioritized fixing this, we should expect the worst. That's the logical thing to do with security. You don't keep silent about issues in the hopes that they will fix it on their own accord.

 

Yes it depends on the company, but the sad truth is that most for-profit companies do not prioritize security updates.

That's why it takes a closed source vendor on average over twice as long to fix issues once they are reported. 42 days vs over 80 days.

There are some closed source vendors which are very quick, offering fixes an average of 38 days after the issue was reported, but those are the exceptions rather than the norm.

This I am afraid is just going around in circles now.  I'll just leave it as it is.

 

31 minutes ago, LAwLz said:

You raise an interesting point and it's a valid one.

There will be users put at risk because of this since they don't know about other browsers. You have to weigh the benefits vs the drawbacks though, and I think releasing it to the public is the right thing to do. You need clear cut rules so that companies know what they are dealing with.

Hence why I think on the balance (given the size of the risk versus the number and type of users) giving MS a little more time to integrate the patch seems more sensible.

You or I would update when we heard about it, but your average mum will likely only get the update when it comes through the programmed schedule.

 


11 hours ago, mr moose said:

What if they can't actually fix it during the deadline?  Are you suggesting threats should be made public anyway?

Yes they should. If they weren't then all companies could claim that they couldn't fix issues given the deadline even though they could.

 

11 hours ago, mr moose said:

If the chronology of that comment is in line with MS correspondence then it came after google derestricted the threat. It's too late to ask for anything then

No. Where are you getting this from? The issue was derestricted after the comment that MSRC had replied was made.

Here is the exact timeline, if we don't assume that Project Zero are lying or trying to deceive people by posting things out of order or modifying things (which I see no reason to do).

 

1) MSRC reached out to Ivan saying that they would not have a fix ready for the deadline, but they would be done before March 13th.

2) The issue was derestricted and released to the public since Microsoft did not complete the patch within the 90 day deadline.

3) MSRC reached out to Ivan saying that because of the complexity of the issue, they could not give a date for when the fix would be ready.

 

11 hours ago, mr moose said:

Hence why I think on the balance (given the size of the risk versus the number and type of users) giving MS a little more time to integrate the patch seems more sensible.

The problem with that is that it sets a precedent that companies can be lazy and then just beg for more time, which they will do every chance they get.

Again, most companies set security as a very low priority, because it is purely an expense to them. It only costs them money without generating any new money.

That's why being soft and giving extensions DOES NOT WORK. All being soft does is just result in users being vulnerable for longer because companies will inevitably drag their feet.

 

Again, this is standard practice in the security industry. It might seem harsh but that's because it has to be. You don't fuck around and base decision on good faith when it comes to security.


13 hours ago, LAwLz said:

Yes they should. If they weren't then all companies could claim that they couldn't fix issues given the deadline even though they could.

 

No. Where are you getting this from? The issue was derestricted after the comment that MSRC had replied was made.

Here is the exact timeline, if we don't assume that Project Zero are lying or trying to deceive people by posting things out of order or modifying things (which I see no reason to do).

 

1) MSRC reached out to Ivan saying that they would not have a fix ready for the deadline, but they would be done before March 13th.

2) The issue was derestricted and released to the public since Microsoft did not complete the patch within the 90 day deadline.

3) MSRC reached out to Ivan saying that because of the complexity of the issue, they could not give a date for when the fix would be ready.

3 still could have happened at any time; it is not a quote, while 1 is a quote that explicitly states a time for it to be resolved.

 

13 hours ago, LAwLz said:

The problem with that is that it sets a precedent that companies can be lazy and then just beg for more time, which they will do every chance they get.

I don't see how a precedent can be set when Google can choose the time it derestricts a flaw. They are well within their rights to decide on a case by case basis, making precedents largely irrelevant.

 


1 hour ago, mr moose said:

3 still could have happened at any time; it is not a quote, while 1 is a quote that explicitly states a time for it to be resolved.

 

I don't see how a precedent can be set when Google can choose the time it derestricts a flaw. They are well within their rights to decide on a case by case basis, making precedents largely irrelevant.

 

Honestly I think a better long term solution to Project Zero is to move control of it over to an independent body, not affiliated with any of the major tech companies.

 

This body would be funded by a combination of governments and industry companies.

 

How this would work exactly, I don't know, but I do know that it would remove any potential biases perceived by other companies against Google (whether those biases actually exist or not).

 

It would also give all the major companies a chance to be consulted on time frames, and procedures, etc. We could have true industry standardization.

 

But this is a pipe dream.


4 hours ago, dalekphalm said:

Honestly I think a better long term solution to Project Zero is to move control of it over to an independent body, not affiliated with any of the major tech companies.

 

This body would be funded by a combination of governments and industry companies.

 

How this would work exactly, I don't know, but I do know that it would remove any potential biases perceived by other companies against Google (whether those biases actually exist or not).

 

It would also give all the major companies a chance to be consulted on time frames, and procedures, etc. We could have true industry standardization.

 

But this is a pipe dream.

An industry consortium. A member from each of the interested/funding companies sits on the board and they oversee the work. Pretty much like what they have for USB, DVD, etc.


11 hours ago, mr moose said:

3 still could have happened at any time; it is not a quote, while 1 is a quote that explicitly states a time for it to be resolved.

So what you're saying is that you think Google are posting things out of order? Why would they do that?

Don't you think it's a far more logical explanation that Microsoft realized the issue was more complex than anticipated and they would not be able to hold their previous estimate?

This by the way shows why good faith doesn't work for security. If what I think is true, because it is the only explanation that doesn't involve believing Google posts things out of order for no reason, then it's a clear example of how developers could misuse relaxed deadline practices to put off making patches. 

 

"Hey boss, the deadline for the vulnerability is coming up next week and we haven't even started working on it."

"Just tell Google we're working hard on it but it's proving more difficult than anticipated. Those suckers will probably believe it and give us another month of time" 

 

 

11 hours ago, mr moose said:

I don't see how a precedent can be set when Google can choose the time it derestricts a flaw. They are well within their rights to decide on a case by case basis, making precedents largely irrelevant.

So what you're saying is that you believe Google should set deadlines tailored for each specific exploit they find? 

How do you propose they do that? Remember, they have no way of knowing exactly how difficult something is to patch, nor do they know how many resources the company can or will dedicate to fixing it.

 

The reason they use 90 days is based on well established facts and logic when looking at the software industry as a whole, and they have taken things like release schedules and some exploits being more difficult to patch into consideration (hence why the deadline is over twice as long as the average patch time for open source projects and security minded closed source projects). 

 

How would you suggest they estimate the time needed? Again, good faith does NOT work. 

 

 

 

9 hours ago, dalekphalm said:

Honestly I think a better long term solution to Project Zero is to move control of it over to an independent body, not affiliated with any of the major tech companies.

 

This body would be funded by a combination of governments and industry companies.

 

How this would work exactly, I don't know, but I do know that it would remove any potential biases perceived by other companies against Google (whether those biases actually exist or not).

 

It would also give all the major companies a chance to be consulted on time frames, and procedures, etc. We could have true industry standardization.

 

But this is a pipe dream.

I don't see why though. Such an organization wouldn't work, and what we have today, with each company doing their own thing, is far more beneficial to the industry as a whole.

Why ruin a good situation just because some people who don't understand the industry dislike some company and think they are being dicks when they are actually doing good things?

 

At the end of the day, it doesn't matter if people think Project Zero are just out to harm Microsoft or whatever they believe. What matters is that security holes get found and fixed.

