Google Goes Public with More Windows Bugs

CommanderFrank

Microsoft needs to learn from its mistakes and cease the rhetoric directed at Google over the disclosure of Windows bugs, or they will just get more of the same from Google. It’s all cause and effect: Microsoft has bugs, Google reports them, Microsoft ignores the warning, Google releases the Windows bug to the world. Rinse and repeat. :D

Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched.
 
So how long before Microsoft starts this with Android vulnerabilities? It would hurt Google a lot more, since it's virtually impossible to patch anything in Android in 90 days.
 
I agree with shamis: if they are going to spend all that time on it, why not just fix the bug for MS? It is not like MS cares about the bugs, or has the desire to fix all the dependencies that fixing the bug may break...
 
This just shows Google wants to help people hurt Windows users. Their actions will not hurt MS any, but it could very easily hurt the common man.

Way to go Google, ass-wipes.
 
Microsoft needs to learn from its mistakes and cease the rhetoric directed at Google over the disclosure of Windows bugs, or they will just get more of the same from Google. It’s all cause and effect: Microsoft has bugs, Google reports them, Microsoft ignores the warning, Google releases the Windows bug to the world. Rinse and repeat. :D

And once again, Google looks like dickheads. They were told the fix was pulled because it didn't pass QA. They could have waited 24 days (give or take) and then released the info if MS still failed to fix it, but no, they'd rather be assholes.

I'd be OK with them saying there is an issue and that they were giving MS till next PT to fix it or they'd release exploit code. This isn't about security, it's about making MS look bad. I'm curious how often they do this with OS X, an OS that often takes months to fix known issues.

Releasing this info today did nothing to make users more secure. MS rarely releases out of band fixes and they're not likely to do it now either.
 
How about just fix the flaw Microsoft? Google did half the work for you finding it

They did... and QA found out it caused issues with some systems. Do we REALLY want MS releasing yet another patch that needs to be recalled? This was clearly a case where Google could have said, "OK, we'll give you till next Patch Tuesday... after that, it comes out if not fixed."
 
Google must be missing the spotlight these days and/or fearing MS for one reason or another... This is pretty juvenile of them and makes their in-house team seem like a bunch of interns who are delusional in misguidedly wanting to prove something.
 
They did... and QA found out it caused issues with some systems. Do we REALLY want MS releasing yet another patch that needs to be recalled? This was clearly a case where Google could have said, "OK, we'll give you till next Patch Tuesday... after that, it comes out if not fixed."

And then Microsoft would constantly be playing the game of claiming "we're working on a patch...come back later" ad infinitum.
 
Which would you rather have... exploits and vulns in the wild going 0-day, NOT getting reported to MS before being actually used in some tool or other malware, or reported by a white hat/grey hat organization like that division @ Google soon after they discover it, so that the company can actually have a chance to patch it? At least they are getting warning way ahead of time.
 
And then Microsoft would constantly be playing the game of claiming "we're working on a patch...come back later" ad infinitum.

I'm sure MS would have been perfectly willing to show them a patched version, on a machine without a compatibility issue as well as another that had the issue.

The idea behind this may be security, but the way they're releasing info/exploits has nothing to do with security. It's the 2nd or 3rd dickish move in a month. The first one gave MS 2 patch cycles. The 2nd apparently was fixed and just awaiting the patch Tuesday release and this one had an issue.

So much for do no evil. FWIW, the one where MS said they may not fix it, that was a legit release by Google, but 3/4 of a dick is still a dick.
 
dr/owned could have easily meant that MS engineers might ask for a public disclosure extension on every single bug that Google reports.

Fair enough. However all that would mean is that 90 days becomes 120 for each bug, not a constant delay in reporting any particular bug. Not really sure what difference it would make if the timeline were 120 days instead of 90.
 
Three months is fair to fix a defect.

How is this objectively assessed for any and all defects before you even know what the defect is? There's simply no way to do that with something as complex as Windows.
 
You're right, if only it was developed by a company with almost limitless resources.. Oh wait.
 
I'm sure MS would have been perfectly willing to show them a patched version, on a machine without a compatibility issue as well as another that had the issue.

The idea behind this may be security, but the way they're releasing info/exploits has nothing to do with security. It's the 2nd or 3rd dickish move in a month. The first one gave MS 2 patch cycles. The 2nd apparently was fixed and just awaiting the patch Tuesday release and this one had an issue.

So much for do no evil. FWIW, the one where MS said they may not fix it, that was a legit release by Google, but 3/4 of a dick is still a dick.

You're assuming that Google is the only entity that knows about these bugs. I'm sure if Google found it essentially in their spare time, there's some hacker who knows about it too and has been using it for years in his go-to rape kit.
 
You're assuming that Google is the only entity that knows about these bugs. I'm sure if Google found it essentially in their spare time, there's some hacker who knows about it too and has been using it for years in his go-to rape kit.

Exactly
 
You're right, if only it was developed by a company with almost limitless resources.. Oh wait.

There's only so many resources that you can allocate to any one problem, no matter how many resources you have overall. And after a while throwing resources at a problem can make matters worse. Governments are accused of this very sin constantly.

Time estimation in software development is an intractable problem. How many software projects that had plenty of resources and even well managed overall failed because someone promised to do something faster than was actually possible? At best software development efforts are a guess based on prior experience with how long it took to solve a similar problem.
 
How about just fix the flaw Microsoft? Google did half the work for you finding it
They did all the work for someone willing to exploit it, including sample code. That may have been necessary eventually if Microsoft hadn't acknowledged the bug's existence, which they had.

wtf? Microsoft may not be what it once was in a relative sense, but most PCs are still Windows. So fuck MS's users because Microsoft didn't ask "how high?" when Google said "jump"? Google has gone full-on arrogant.
 
You're assuming that Google is the only entity that knows about these bugs. I'm sure if Google found it essentially in their spare time, there's some hacker who knows about it too and has been using it for years in his go-to rape kit.

It's more than their spare time. Google is bringing a lot of computational resources to bear on software with fuzzing. Michal Zalewski of Google authored a fuzzer that is implementing some rather novel approaches to fuzzing. With a $300 24-core Opty running his software I have found a few dozen minor vulnerabilities in open source software in the past 2 months. Google is bringing thousands of cores to bear on the problem.

You can follow their Project Zero security team here:
http://googleprojectzero.blogspot.com/
 
Which would you rather have... exploits and vulns in the wild going 0-day, NOT getting reported to MS before being actually used in some tool or other malware, or reported by a white hat/grey hat organization like that division @ Google soon after they discover it, so that the company can actually have a chance to patch it? At least they are getting warning way ahead of time.

You do know that Google could have reported the flaw and NOT posted to every script kiddie how to harm most PC users, right? There is a difference between being nice and being a dick. Google showed it is a dick.
 
You do know that Google could have reported the flaw and NOT posted to every script kiddie how to harm most PC users, right? There is a difference between being nice and being a dick. Google showed it is a dick.

You do know that MS had the patch ready but chose to wait to release it, right?
 
You're assuming that Google is the only entity that knows about these bugs. I'm sure if Google found it essentially in their spare time, there's some hacker who knows about it too and has been using it for years in his go-to rape kit.

We're not talking about Google saying to the world, "There's a bug that can do this."

Google said, "There's a bug that can do this, here's how you can exploit it."
 
Maybe they need to spend all that time fixing their Android OS first ...
 
Microsoft isn't avoiding them as a company. The individual developers don't want to admit that their code might have bugs, so they pass the buck and refuse to recognize what is causing the bug, so it takes a while to get the bugs fixed. This is the problem with nearly all programmers. They're egotistical, arrogant asses.

I've worked directly with developers in four jobs now, across a total of 17 different locations and 7 different countries, supporting their computers and servers, and I have worked as a support tech for almost 20 years, and it is the same way everywhere. It doesn't matter if it is Germany, India, Sri Lanka, France, Australia, the UK, or the US. Developers are the biggest block to getting any software bugs fixed.

Don't blame Microsoft for the problems, or Google, or anyone else. Blame human beings being human.
 
You do know that MS had the patch ready but chose to wait to release it, right?

And you do know that MS didn't release it, because it wasn't compatible with all systems, right?

WTF? It wouldn't have killed Google to wait less than 4 weeks to see if MS released the fix. If they failed again, then fuck MS and their users.
 
Microsoft isn't avoiding them as a company. The individual developers don't want to admit that their code might have bugs, so they pass the buck and refuse to recognize what is causing the bug, so it takes a while to get the bugs fixed. This is the problem with nearly all programmers. They're egotistical, arrogant asses.
<snip>
Don't blame Microsoft for the problems, or Google, or anyone else. Blame human beings being human.

I'd be very surprised if the people who wrote the code are the ones fixing it. A company the size of MS typically has a completely different group of engineers writing patches. I worked for a large company, and the teams that implemented the features in new releases were completely separate from those who wrote patches to fix bugs.
 
.. and that's a good reason not to release it for the systems it passed on, and hold back the patch for an additional 30 days?
Because to unify Windows they'd have to do a recall patch on the previously patched systems first and patch everyone again.

It's one thing to have legitimate points to raise and another to grab onto anything to bitch.
 
Because to unify Windows they'd have to do a recall patch on the previously patched systems first and patch everyone again.

It's one thing to have legitimate points to raise and another to grab onto anything to bitch.

Even Oracle put out IDRs for shellshock on platforms that they quit supporting.

Sounds like the exploit isn't that significant, and people are just grabbing onto anything to bitch at Google.
 
MS should put up a page where Android users can select the phone they use and MS will show them all the unfixed bugs on whatever the latest version of Android that runs on that phone.
 
Nonsense. If it passes QA with flying colors in the next 5 minutes, what reason would there be to wait a month to release it?

But it hasn't passed QA. As much as people like to bash Microsoft for not listening to customers, Patch Tuesday was basically what IT customers wanted, a consistent schedule to receive patches. If the issue is severe enough, Microsoft does from time to time do out of band patch releases.
 
How about just fix the flaw Microsoft? Google did half the work for you finding it

Yes of course, because Google is the ONLY entity reporting bugs to Microsoft, so of course MS engineers are just waiting for Google to send them bugs to fix.
 