Google Posts Windows 8.1 Vulnerability Before It Is Fixed

HardOCP News

I guess you can consider this a bit of a dick move but, in fairness to Google, they did give Microsoft 90 days to fix this.

Firstly, just to make this absolutely clear, the ahcache.sys/NtApphelpCacheControl issue was reported to Microsoft on September 30. You can see this in the "Reported" label on the left hand panel of this bug. This initial report also included the 90-day disclosure deadline statement that you can see above, which in this instance has passed.
 
Good. It's about time the big boys started holding each other accountable. Maybe now MS will get off their tails and actually fix it.

Good job Google.
 
Ofc google does this when they don't do enterprise software and their most popular product outside of the search engine, android devices are teeming with vulnerabilities because google lets phone manufacturers decide when to implement changes which means 6 months late or never because you didn't buy a new phone.
 
Meh. I see no controversy. In general Microsoft will be in the best position to determine the severity of bugs/vulnerabilities, and they will decide how much resources/time to devote to a possible fix.
 
Ofc google does this when they don't do enterprise software and their most popular product outside of the search engine, android devices are teeming with vulnerabilities because google lets phone manufacturers decide when to implement changes which means 6 months late or never because you didn't buy a new phone.

You sound personally offended? :rolleyes:
 
Ofc google does this when they don't do enterprise software and their most popular product outside of the search engine, android devices are teeming with vulnerabilities because google lets phone manufacturers decide when to implement changes which means 6 months late or never because you didn't buy a new phone.

Yeah, I don't imagine Google has a 90 day disclosure deadline for the Android vulnerabilities they discover themselves.
 
Good. If MS wasn't going to fix it within 90 days, it deserves the headaches of it becoming more widely known. It's not like this wasn't already being exploited by hackers, the NSA and others. If it takes public embarrassment to get it fixed, that's fine.
 
This implies that Google is always on the ball and fixes any problem and exploit in short time, which I'm pretty sure is false as a mother fucker.
 
This implies that Google is always on the ball and fixes any problem and exploit in short time, which I'm pretty sure is false as a mother fucker.

Who gives a shit? Let MS bust Google's balls in front of the whole world on their vulnerabilities just as well!
 
Good. If MS wasn't going to fix it within 90 days, it deserves the headaches of it becoming more widely known. It's not like this wasn't already being exploited by hackers, the NSA and others. If it takes public embarrassment to get it fixed, that's fine.

You can announce the vulnerability without posting code. Also, let's assume that MS was going to release a fix on Patch Tuesday. Google just posted exploit code for something that'd be fixed in a week.

Yeah it probably won't be fixed, but given that MS releases fixes on the 2nd Tuesday of each month, Google knew on 9/30 that they were only giving MS 2 months to research and fix the exploit before they released the code.

It's a dickish move. The first step is wait 3 patch cycles. Then announce there's a vulnerability, but provide no code. Then after the next patch cycle release the code (though even then they should talk to the vendor).

Does google do this with Apple? Does Apple patch OS X 1 or more times every 90 days?
 
If you have to rub the puppy's nose in its mess in order to make it behave, so be it.

Why Microsoft ignored such a giant as Google telling them about a very real vulnerability is just flat out poor business and lazy
 
If you have to rub the puppy's nose in its mess in order to make it behave, so be it.

Why Microsoft ignored such a giant as Google telling them about a very real vulnerability is just flat out poor business and lazy

complacent too because they still think they are no.1 :D
 
complacent too because they still think they are no.1 :D

Oh, they are but, I guess we cannot say anything bad about your O So precious googlie, eh? :p Heck, I am still waiting for Google to be treated as the monopoly that they have become. (After all, they are already flexing their monopoly muscles already but hey, I guess only Microsoft can be a Monopoly, amirite? :rolleyes:)

On the other hand, Microsoft's response to this could be interesting. But then again, not like Google needs help with their crashing, buggy phone OS as it is anyways. I cannot remember the last time my Windows Phone 8.1 or Windows 8.1 desktops crashed unless it was something I caused.
 
Yeah it probably won't be fixed, but given that MS releases fixes on the 2nd Tuesday of each month, Google knew on 9/30 that they were only giving MS 2 months to research and fix the exploit before they released the code.

You're assuming that only Google knew about the exploit. It was almost certainly in use out in the wild for targeted attacks. If MS can't patch a fairly straight-forward token impersonation bug in 2-3 months, it deserves to go out of business. That's plain incompetence.

The real reason for not fixing the vulnerability probably belongs in the category of paranoid speculation since there is little reason for MS to NOT fix the problem in a fairly long amount of time.
 
Well that's Microcock for you taking their sweet time addressing minor software vulnerabilities as usual. :rolleyes:
 
You're assuming that only Google knew about the exploit. It was almost certainly in use out in the wild for targeted attacks. If MS can't patch a fairly straight-forward token impersonation bug in 2-3 months, it deserves to go out of business. That's plain incompetence.

The real reason for not fixing the vulnerability probably belongs in the category of paranoid speculation since there is little reason for MS to NOT fix the problem in a fairly long amount of time.

MS likely rated it as a low threat vulnerability given its requirements. Doesn't mean a disgruntled employee can't do harm but it's not like it's something that can be used against a wide range of targets. Low threat vulnerability put it on the back burner for patch cycles and fix it properly not just break what was broken but properly fix it so you don't create more holes. I've seen plenty of devs just go "I fixed it" only to create more problems and more work down the line because they did a 10 min hack job instead of actually going over the code.
 
There's nothing to break besides impersonated tokens. lol
 
..... not like Google needs help with their crashing, buggy phone OS as it is anyways. I cannot remember the last time my Windows Phone 8.1 or Windows 8.1 desktops crashed unless it was something I caused.

My mobile phone is currently under 3hrs away from having a 5500 hour uptime. This seems to contradict your statement. And my Windows 8.1 event log has at least 4 BSOD's in it from the last 2 months (that I did not cause). Another contradiction.

Hmmm o_O
 
My mobile phone is currently under 3hrs away from having a 5500 hour uptime. This seems to contradict your statement. And my Windows 8.1 event log has at least 4 BSOD's in it from the last 2 months (that I did not cause). Another contradiction.

Hmmm o_O

No contradiction involved here. Also, your machine had 4 BSOD's which could be power issues, hardware failure, a program you installed that is having problems, a virus or infection and many other things that are not OS related.
 
It's one thing to disclose the vulnerability's existence, it's another to detail it out with sample code to exploit it. That second part didn't need to come out now.

It's not really Microsoft they are f'ing as much as all the security folks who have to be on guard for this exploit reaching maturity in the wild a whole lot faster now.
 
Ofc google does this when they don't do enterprise software and their most popular product outside of the search engine, android devices are teeming with vulnerabilities because google lets phone manufacturers decide when to implement changes which means 6 months late or never because you didn't buy a new phone.

Stop buying substandard (Carrier locked) devices. Buy an unlocked, straight google phone & get updates right from the source. My sub $200 google moto g has the latest 4.4.4 of android. My 2012 Nexus 10 just got android 5.0.1.
 
No contradiction involved here. Also, your machine had 4 BSOD's which could be power issues, hardware failure, a program you installed that is having problems, a virus or infection and many other things that are not OS related.

So? You conveniently left out a response to the first sentence. What about the program issues there? Do they not apply? I sure as hell use my phone reasonably heavy. And my PC's are kept in pretty good shape both soft and hard-ware wise. Just blame the "other" things as soon as they don't fit your point? Seems a bit blind. Contradiction stands as far as I can see.
 