Google Goes Public with More Windows Bugs

But it hasn't passed QA. As much as people like to bash Microsoft for not listening to customers, Patch Tuesday was basically what IT customers wanted, a consistent schedule to receive patches. If the issue is severe enough, Microsoft does from time to time do out-of-band patch releases.

But the question is about when it has passed QA.

In the case of missing a CPU in Oracle, a bug could push a disclosure-to-patch timeline out over 100 days.
What really defines due care in these situations?
If the threat's not big enough for out-of-band patches... it wouldn't matter if Google had released it or if it had been discovered exploited in the wild via CryptoWaller 3.7, Microsoft would be running the same long procedure.
 
You're right, if only it were developed by a company with almost limitless resources... Oh wait.

Microsoft has almost limitless resources, and that they have an established track record of doing nothing is history. Google isn't the bad guy here. They just want to fuck with the mighty Microsoft for its apathy. Right on Google. Right on. :rolleyes:
 
Right. Because Google is always about fixing bugs in Android. Oh wait, we can't, not our problem, blame the carriers and OEMs. That's apathy. In all honesty I am being facetious but it is self serving for Google to tell others "Fix your shit in 90 days or else!" but with its own shit it can just say "Not our problem."
 
Three months is fair to fix a defect.

Are you a developer? That may be true depending on the size, severity, and shared use of said code. The vulnerable code in question is used by many, many other parts of the system, and as a developer myself I can tell you that your assumption is not always the case. You may have a fix that took a week to develop and works in 90% of the cases but in the other 10% causes failures. It takes time to set up test cases and proper scenarios to test the remaining 10% only to find that your subsequent release only fixed an additional 5%. You may go through that process 4-5 times before you get to 100%. And when you have hundreds of millions of users as Windows does, anything less than 99.999% is just unacceptable.

It's not as cut and dried as you seem to think it is. In this particular case, MS showed they were actively working on a fix and Google released it anyway. For Google, this is not about security. Clearly it is about discrediting MS as much as they possibly can, possibly in an attempt to grab more of the desktop market share by constantly releasing Windows vulnerabilities. Pure dickhead move if you ask me.
 
Gee, and I was tempted to create a new Google account to try things out, use a garbage email account, try the store through Chrome and some other things. Way to go Google, you have shown me again why I left you.

I think I will stick with what works stably, Windows 8.1, Windows Phone 8.1 and my Xbox One and 360. Bugs get fixed, things take time, Google makes excuses.
 
So basically we can't make assumptions about MS here but we can make assumptions about Google.

MS has downplayed the extent of the bugs in contention here. One of them, they're not even going to fix.

Based on what I've seen so far, the exploit in question affects confidentiality of regions of memory encrypted by the system. It has to be executed via local attack, with an authenticated user. It does not affect the availability of the system, or have an impact on the integrity of the system. Based on these criteria it would be a low-rated vulnerability. The exploit that the attacker would use to gain local access would be a higher rated vulnerability.

On the up side, you or your LTM/endpoint vendors can now start setting up rules for sinking this at L7 filters and the endpoint side.

It sounds like some media companies are hamming this up into a huge Google v Microsoft row when there's not much reason to care.
 
Once again, Google is doing "Do what I say, not what I do."

It takes time to develop a fix. It takes even more time to validate the fix didn't break the intended software. Given Windows is a *huge* piece of software used by literally billions of people in all the different languages, it shouldn't be a surprise that the first time around, the fix might not work as intended. Even if a fix was pushed to Patch Tuesday, sometimes system admins need to do their own testing of the patch in their unique environment.

Disclosing the bug (and a neat how-to exploit it) after an arbitrary amount of time doesn't really help anyone. If anything, it'll escalate to a finger-pointing game (imagine if MS used their resources to do something similar to Android).

The reason Google is being hypocritical is that they don't apply the same standards to Android. Instead of a well-documented how-to guide to exploit a bug, we get a vague blurb with a severity rating that outsiders have no way of verifying.
 
Let's face facts here.

People keep saying "Microsoft doesn't have the resources", which is bullshit. If CEOs are running around making upwards of hundreds of millions a year, that budget could be spent elsewhere.

Google giving Microsoft 90 days is MORE than enough time, and if that isn't enough of a fire to light under Microsoft's ass to get them to work, showing HOW the exploit works will.

Microsoft does not just run users' PCs; their OS is used in companies that equal or even exceed theirs in value. Them not patching these bugs as soon as they're addressed is not just sloppy, it's dangerous.

Google didn't go "We'll give you 24 hours to fix it." They gave them THREE MONTHS to fix it. Three months where probably that exploit was being used even farther back by people who want to break not only into users' PCs, but into these multi-million-dollar companies as well.

Microsoft has zero excuse for not acting, absolutely zero. If your house is sinking into the mud, you don't go "Well, I'll get around to it eventually."
 
It's like when the CIA and FBI kept "losing" data because they didn't "have the funds to upgrade all their systems" to get them up to code.

And then when asked how much it would cost to upgrade everything, they reported a number they thought the public would assume was high, but then with some digging it turned out they gave out VASTLY more money for the head honchos' bonuses that year, money they said they didn't have.
 
People keep saying "Microsoft doesn't have the resources", which is bullshit. If CEOs are running around making upwards of hundreds of millions a year, that budget could be spent elsewhere.

It's not just a matter of resources. The assumption that some are making is that if you throw enough resources at these problems, 100% of the time you will be able to properly assess, code, test and deploy a fix. Every single time, no matter the issue, without fail. That defies logic.
 
Most people get it, at least the non-rabid-turbo-M$-haters get it.

This is Google displaying more of their hate for MS. They clearly have an axe to grind with them and are attempting to slander their name much like Apple did in the early 2000s.
 
MS should put up a page where Android users can select the phone they use and MS will show them all the unfixed bugs on whatever the latest version of Android that runs on that phone.

Agreed, and also list how to exploit each and every one of those bugs.
 
I'm curious how often they do this with OS X, an OS that often takes months to fix known issues.

Apple releases security patches damn quickly. Their recent NTP fix was even pushed out without requiring users to initiate an update.
 
Apple's response to security issues is extremely fast. Once, a researcher discovered a hardcoded backdoor in Quicktime, and Apple was able to get out a patch in just 4 months. There was also that time that some big bugs were discovered in Java, but fortunately Apple was able to protect their users by getting a patch out a whole 3 months ahead of their 9 month target date.
 
... and that's a good reason not to release it for the systems it passed on, and hold back the patch for an additional 30 days?

Seriously? Do you think they know every system it will break? That requires more analysis and testing. It's not like MS has some magic software that says, "Oh LightningCrash's PC is OK let's install this patch on his PC, but not on his Wife's."

How does MS win? One month you'll bitch that a patch broke some PCs (maybe yours maybe not)...then the next you're complaining that they didn't release a patch that had compatibility issues with an unknown number of PC configurations.

The proper solution was wait, find out the compatibility issue(s), fix them and release it the following month. The only reason this is an issue is because Google can be dickish if they want to and they want to.
 
Has anyone here looked at how large MS's source code is for Windows at this point? I know I haven't, and I don't think I want to. Just the process of writing a driver for Windows is difficult as hell and arcane for anyone not intimately familiar with it. Speaking of drivers the thing is made to automatically interface with DACs, sound cards, graphics cards, processors, USB devices, network cards, your browser, all of these random programs you have running on it...

Windows is 16.4 GB (well the folder is on my machine. Shrug) large at this point. It forms the foundation of your entire computing experience, and is probably multitudes more complicated than any random buggy as hell Ubisoft game you have running on it. And it's definitely come a ways since Windows ME (yeah I just went there).

I'm sure they implement the best coding practices over there, but finding the causes of random bugs is nontrivial. That goes for a project of any size. It can be as simple as "oh, I think this line is doing it" to "oh let me go through the memory dump and look at how these memory locations are changing in real time to try to find out what messes with this". This isn't exactly an easy process. I'm sure they have unit testing and all of that stuff down to help them track these things easier in their huge code base... but finding random bugs isn't always easy. What probably doesn't help is they have so many configurations they have to test with. So suppose someone comes up with solution A to a problem that fixes it. But then they run it through software/hardware configurations 0-N, and it fails on N/C systems. Then it's not really a fix. Back to the drawing board.

I'm sure they have specific processes in place for tracking down bugs, and it's not like they can just have their entire company drop everything they're doing to track every single one of them down. It's probably a multistage process. Like it gets assigned to some guy(s) to track it down (depending on bug severity in the bug tracker; it may not get assigned at all), then the guy posts his fix. Then it goes to some verification guys (that might be QC). If it fails, back to the drawing board. And this QC is probably a multistage process in and of itself simply because of how many corporate customers MS supports and how important it is that nothing severely breaks (unlike game designers who just release broken crap and patches whenever they feel like it).


Honestly as a dev I have some empathy. Most people that are looking at it from the outside are just sitting there screaming "why can't they fix it?!" and have no idea what goes on over there on their end. Yeah let's just assume they're all arrogant snobs looking down at the bug tracker with these comically contorted sneering faces while picking their nose. Yeah, I'm sure that's how it goes down, guys. That's why Windows Update exists and why it regularly has patches in there.

Anyway, yeah. Screw Google. If anyone is in the wrong here, it's them.
 
Seriously? Do you think they know every system it will break? That requires more analysis and testing. It's not like MS has some magic software that says, "Oh LightningCrash's PC is OK let's install this patch on his PC, but not on his Wife's."

How does MS win? One month you'll bitch that a patch broke some PCs (maybe yours maybe not)...then the next you're complaining that they didn't release a patch that had compatibility issues with an unknown number of PC configurations.

The proper solution was wait, find out the compatibility issue(s), fix them and release it the following month. The only reason this is an issue is because Google can be dickish if they want to and they want to.

If it's as big of an exposure as you make it out to be (it's not) then they should leave that up to the device owners. If it's not a big vulnerability, then it's just a pissing match between the Google fan club and the MS fan club.

By knowing the vulnerability, we can actually work to protect ourselves from it, instead of waiting 120 days for MS to finally release a patch. So there's actually some benefit to us knowing about it, even if MS is going to round off close to 1/3 of a year between disclosure and patch release.
 
MS should just open source their stuff and let the community handle these things. When there are serious exploits found in open source code, patches are typically pushed out quickly -- less than a week. Besides, you people are nuts for running closed OSes for anything other than playing around.

Google has done nothing unfair nor has it shown preferential treatment. It puts a bug in a list and after 90 days it's automatically posted to the public. Doesn't matter if you're Microsoft or Joe Schmoe Software, LLC.

Just think of all the possible major exploits that MS has known about in the past that the rest of us never knew about and they probably didn't bother to fix. Hell, some of them were probably intentional for their pals at .gov.
 
I think it is very good that these security issues become public. Security researchers have been pointing out for years that the only way they can get vendors to quickly fix security bugs is public shaming.

So how long before Microsoft starts this with Android vulnerabilities? Would hurt Google a lot more, since it's virtually impossible to patch anything Android in 90 days.
Likely never, because that would imply admitting that Microsoft's Coordinated Vulnerability Disclosure program is rubbish and doesn't improve security.

We're not talking about Google saying to the world, "There's a bug that can do this."

Google said, "There's a bug that can do this, here's how you can exploit it."
This is because software vendors have a history of downplaying the severity of security bugs. "Ah, but that one is only theoretical, can't be exploited in practice" is something you frequently hear until someone comes up with a working exploit.

It's not just a matter of resources. The assumption that some are making is that if you throw enough resources at these problems, 100% of the time you will be able to properly assess, code, test and deploy a fix. Every single time, no matter the issue, without fail. That defies logic.
Has anyone here looked at how large MS's source code is for Windows at this point?
Honestly as a dev I have some empathy. Most people that are looking at it from the outside are just sitting there screaming "why can't they fix it?!" and have no idea what goes on over there on their end.
So you are saying that Windows has gotten too complex for Microsoft to handle security bugs in a timely fashion? Well that's too bad, maybe they should stop selling it with the false promise of security then.
 
MS should just open source their stuff and let the community handle these things. When there are serious exploits found in open source code, patches are typically pushed out quickly -- less than a week.
Open source software is all very well, but if no one looks for bugs in the code then it isn't any better than closed source software.

For example, the 'Shellshock' Bash vulnerability was 25 years old when it was discovered.

Another good example is TrueCrypt. No one bothered looking through the code until the Open Crypto Audit Project came along.
 
Security focus is really ramping up in a way I've never seen before. At least in an open source project we can instrument the code for fuzzers, put the project into Coverity and work through those findings. When it's closed source, we're limited to black box approaches.

Don't see a problem with it... 90 days to fix the problem.

90 days came and went on Jan 11. The patch will be released on Feb 10.
 
Douche move on google's part. Typical arrogant self-righteous "we know what's good for you" types.
 
I'm sure MS would have been perfectly willing to show them a patched version, on a machine without a compatibility issue as well as another that had the issue.

The idea behind this may be security, but the way they're releasing info/exploits has nothing to do with security. It's the 2nd or 3rd dickish move in a month. The first one gave MS 2 patch cycles. The 2nd apparently was fixed and just awaiting the Patch Tuesday release, and this one had an issue.

So much for do no evil. FWIW, the one where MS said they may not fix it, that was a legit release by Google, but 3/4 of a dick is still a dick.

MS should be releasing the fix when it's finished; there is no reason to wait for Patch Tuesday.
 
Open source software is all very well, but if no one looks for bugs in the code then it isn't any better than closed source software.

For example, the 'Shellshock' Bash vulnerability was 25 years old when it was discovered.

Another good example is TrueCrypt. No one bothered looking through the code until the Open Crypto Audit Project came along.

The apropos question is how long did it take to get a patch out when the Bash bug was found? More than 90 days?
 
These bugs can be exploited by hacker terrorists so I see a problem. They should be held responsible.
 
It sure would be nice if Google put this much effort into finding and solving their own software problems.
 
Google doesn't have a software problem they will admit to; they just point fingers at other manufacturers and carriers.
 
Honestly as a dev I have some empathy. Most people that are looking at it from the outside are just sitting there screaming "why can't they fix it?!" and have no idea what goes on over there on their end.

This is a given, because within companies, everyone outside of the dev and h/w groups is clueless. They just want stuff fast and cheap and then if it doesn't work they don't understand that was a direct consequence of their unwillingness to wait for a proper solution to be researched, developed and tested.

It's pretty clear that most people on here don't work on software.
 
If it's as big of an exposure as you make it out to be (it's not) then they should leave that up to the device owners. If it's not a big vulnerability, then it's just a pissing match between the Google fan club and the MS fan club.

By knowing the vulnerability, we can actually work to protect ourselves from it, instead of waiting 120 days for MS to finally release a patch. So there's actually some benefit to us knowing about it, even if MS is going to round off close to 1/3 of a year between disclosure and patch release.

Do you realize that 99% of the consumers out there don't even know that there's an unpatched issue that Google released exploit code for?
Google may have helped some users....maybe, but for the vast majority, they just fucked them.
Flexibility is how you handle this type of thing, not some set-in-stone process that says in 90 days we'll release an exploit, and if it takes longer than that to write a patch, we don't care.

For all you know, there's a more pressing issue that needs to be fixed, but resources are being diverted to Google's issues because of an arbitrary process. I'm fine with having a general rule for when they'll release info, but releasing exploit code doesn't help anyone but the crooks.
 
I'd encourage you to read about the vulnerability being discussed (and its significance), and to read about Google Project Zero itself.
If not, it's a free country, no harm I guess.
 
Actually Google's bug bounty program only asks for 60 days before disclosure:

http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html

So Google gave Microsoft 50% more time than Google asks for itself. 90 days is a *very* reasonable amount of time, fully in line with all standards for white-hat exploits. Microsoft just fucked this up. End of story.

That's not Google's page for reporting their own bugs. It's a page inviting security researchers to discuss vendor issues in general.

If Google was serious about the 90 day rule, where's the list of Android bugs and how to exploit them? Oh wait, there is none.
 
Because they were all fixed in 90 days. Except the ones that weren't. But that's not Google's problem or fault. Blame the OEMs and carriers.
 
What happened to Google? From a di.k-slapping CEO, shitty glasses to the mediocre Nexus 6 and so on.
 