Google Reveals Unpatched Windows Bug

[HardOCP News]

Google has revealed an unpatched Windows bug that they say hackers are actively exploiting. Google reported the flaw to Microsoft on October 21st but, since no update has been released yet, the company has gone public with its findings.

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

 

[Deleted member 245375]

In a wee bit of a rush there, Google? I wonder if Microsoft would pay out in a bug bounty if their browser competitor started catching all of 'em?

 

[bigdogchris]

I understand why Google does this but 7 days seems a bit too aggressive. If they are truly concerned with users not being compromised, why share the data with hackers only 7 days after giving a company a notice? They know Microsoft patches the second Tuesday of the Month. At least give them 30 days to respond.

 

[DPI]

I understand why Google does this but 7 days seems a bit too aggressive. If they are truly concerned with users not being compromised, why share the data with hackers only 7 days after giving a company a notice? They know Microsoft patches the second Tuesday of the Month. At least give them 30 days to respond.

Because the hackers ALREADY have the data and are already actively exploiting it. And MS has a history of unreliability and sitting on vulnerabilities until someone lights a fire under their ass.

MS has insisted that Windows 10 and its "agile", rolling updates will make it so much more secure than previous windows versions. Well now's the time to prove it.

 

[Ur_Mom]

Because the hackers ALREADY have the data and are already actively exploiting it. And MS has a history of unreliability and sitting on vulnerabilities until someone lights a fire under their ass.

MS has insisted that Windows 10 and its "agile", rolling updates will make it so much more secure than previous windows versions. Well now's the time to prove it.

When the untested update comes out, don't bitch that it breaks something else. With 7 days, I don't think there is enough time to create a patch, test it internally, and get it out to users. At least with 100% (or close to) reliability.

They should get it done ASAP, and I agree that they sit on it way too long. I just don't think 7 days is enough for quality control. It may be, as I'm not in software development, but I have some doubts....

 

[Exavior]

When the untested update comes out, don't bitch that it breaks something else. With 7 days, I don't think there is enough time to create a patch, test it internally, and get it out to users. At least with 100% (or close to) reliability.

They should get it done ASAP, and I agree that they sit on it way too long. I just don't think 7 days is enough for quality control. It may be, as I'm not in software development, but I have some doubts....

This, people bitch that things don't get patched in a day then bitch when an update is pushed out quickly and breaks something. They have to make the update, test the update in house against other parts of windows itself, then test against their other programs, then have a few higher profile test users run it.... yes 7 days is not enough time to fix an issue correctly.

 

[MDboyz]

Darn... only if google is that aggressive to fix bugs in Android OS !!!

 

[Lakados]

Darn... only if google is that aggressive to fix bugs in Android OS !!!

I know right, maybe once Google figures out how to actually deploy their updates they can criticise others for taking more than 7 days to fix something.

 

[5150Joker]

Google is just trying to undermine Windows, that much is obvious by making people think its an unsafe operating system. Yet Android is pure laggy trash.

 

[Mystique]

Laggy trash? My S7 doesn't even know what lag is. Have fun w/ the Windows phone.

 

[ManofGod]

Well, at least now we know what Google is actually doing with their time. After all, Android, Chrome and Chrome OS are perfect now so they have the time, right? Right? Will Google be held liable is someone losses out because they outed the exploit?

 

[Azphira]

So perfect they have free time to fuck with Microsoft, fuck with elections, etc

 

[cyclone3d]

I understand why Google does this but 7 days seems a bit too aggressive. If they are truly concerned with users not being compromised, why share the data with hackers only 7 days after giving a company a notice? They know Microsoft patches the second Tuesday of the Month. At least give them 30 days to respond.

Last time I reported a glaring windows file system bug to MS, they came back with "it is working as designed".

I could replicate it every single time I tried and could/can lead to having to wipe the system and start from scratch because Windows would not/will not let you correct the folder structure once it is messed up.

It has to do with manually setting the library location.

 

[MrAhlefeld]

I know right, maybe once Google figures out how to actually deploy their updates they can criticise others for taking more than 7 days to fix something.

Well Google are actively updating Android with security patches, if you have a Nexus or Pixel device that is new enough to still be serviced.
Don't blame Google for other manufacturers lack of updates eg. Samsung - HTC and the list goes on.....

 

[cyclone3d]

Well Google are actively updating Android with security patches, if you have a Nexus or Pixel device that is new enough to still be serviced.
Don't blame Google for other manufacturers lack of updates eg. Samsung - HTC and the list goes on.....

My LG G4 just got an update about a week ago.

 

[joblo37pam]

Laggy trash? My S7 doesn't even know what lag is. Have fun w/ the Windows phone.

Bring it on. I wish I could still get a Windows phone with decent hardware (Verizon). I ran one for almost 3 years before I destroyed it. It was a much better experience than the Android phone that replaced it and I am constantly having to fiddle with and find apps to do things that WP just handled.

 

[auntjemima]

My LG G4 just got an update about a week ago.

The point of the matter is your updates are not as current as the ones seen on a Pixel or a Nexus device. As an example, I already have 7.0 (and have for months) and get security patches monthly. My buddy, on Samsung s6, is still sitting on Android 6 (and even then it took him ages to get it vs a Nexus device). Google gives security updates all the time, the companies that insist on taking months, or longer, to release the patches to their consumers is the issue.

 

[naib]

This, people bitch that things don't get patched in a day then bitch when an update is pushed out quickly and breaks something. They have to make the update, test the update in house against other parts of windows itself, then test against their other programs, then have a few higher profile test users run it.... yes 7 days is not enough time to fix an issue correctly.

THINGS get patched in hours. What the hell are you smoking... an exploit is discovered in Linux ... 1-2h later a patch has been submitted to the relevant git tree.
Microsoft have ZERO excuse. This is out in the wild and MS was doing nothing. It is out in the wild and Google publically reveal it and MS still stick to the 8th... it should be pushed out.

 

[rezerekted]

Microsoft should rename Windows to Swiss Cheese.

 

[wizzi01]

THINGS get patched in hours. What the hell are you smoking... an exploit is discovered in Linux ... 1-2h later a patch has been submitted to the relevant git tree.
Microsoft have ZERO excuse. This is out in the wild and MS was doing nothing. It is out in the wild and Google publically reveal it and MS still stick to the 8th... it should be pushed out.

Yes all linux bugs get patched in hours. Please stop the stupidity.
https://www.google.com/amp/s/www.wi...nux-bug/amp/?client=ms-android-hms-tmobile-us

 

[Exavior]

THINGS get patched in hours. What the hell are you smoking... an exploit is discovered in Linux ... 1-2h later a patch has been submitted to the relevant git tree.
Microsoft have ZERO excuse. This is out in the wild and MS was doing nothing. It is out in the wild and Google publically reveal it and MS still stick to the 8th... it should be pushed out.

What am I smoking? First off no, not all Linux issues are patches in less than 1 or 2 hours. second you are comparing two different things. (I know this will probably be twisted around, but will do my best to explain what I mean) Linux is more limited in what you are running than windows. What I mean by that is that you have much more supported hardware with windows, you have much more supported software, and you have it being used in day to day business actions at the client level. So you have far more to worry about making sure you are still compatible with as you are doing to do more damage with a bad patch due to the number of people running it and all that you have to keep working with. Remember the NIC driver that brought down entire businesses because a zero day exploit was found and they released a patch the next day to fix it but didn't actually get anyone to test it first? yeah that type of release is bad. On the flip side Linux is more refined in what you are using it for. It is normally going to be a server and be running limited software as you are limited by the build in distribution platforms to only certain versions. So for example Red Hat 6 and Red Hat 7 have different versions of various programs that they support. You also are talking about the difference between something that is sold as a single package (an Operating System) and a kernel. Linux is not an OS. Linux is a kernel, you have to develop an OS around it for it to be of any use. Red Hat is an OS, Centos is an OS, Mint is an OS, Linux is a kernel. When looking at a all inclusive OS you have more parts to worry about. What is something that Linux distros do have going for them is that fact that all the parts aren't as tied together so you can change them out with them interact with each other as much. But it also means there is no uniformity for anyone writing a program and you don't get as user friendly of an end result. Which is different with Windows in that everything is tied together and designed to work as a large single collection, not 200 different pieces working together. So a change in 1 piece of code can ripple through the entire system. You also don't have old code in Linux. if you move to Red Hat 7, your Red Hat 6 stuff doesn't work. Windows has legacy code as you aren't able to blow everything old away. Which also means that a fix might effect more stuff since maybe the change impacts how older parts of the system works. So even if you could get a patch for some Linux issue in an hour or two, there is a massive difference in scale and impact between any change to a Linux server and a Windows network.

 

[DeathFromBelow]

I understand why Google does this but 7 days seems a bit too aggressive. If they are truly concerned with users not being compromised, why share the data with hackers only 7 days after giving a company a notice? They know Microsoft patches the second Tuesday of the Month. At least give them 30 days to respond.

The hackers have it and Windows Update has been broken for over a year now. Can't really blame Google for just releasing the info.

 

[ManofGod]

What am I smoking? First off no, not all Linux issues are patches in less than 1 or 2 hours. second you are comparing two different things. (I know this will probably be twisted around, but will do my best to explain what I mean) Linux is more limited in what you are running than windows. What I mean by that is that you have much more supported hardware with windows, you have much more supported software, and you have it being used in day to day business actions at the client level. So you have far more to worry about making sure you are still compatible with as you are doing to do more damage with a bad patch due to the number of people running it and all that you have to keep working with. Remember the NIC driver that brought down entire businesses because a zero day exploit was found and they released a patch the next day to fix it but didn't actually get anyone to test it first? yeah that type of release is bad. On the flip side Linux is more refined in what you are using it for. It is normally going to be a server and be running limited software as you are limited by the build in distribution platforms to only certain versions. So for example Red Hat 6 and Red Hat 7 have different versions of various programs that they support. You also are talking about the difference between something that is sold as a single package (an Operating System) and a kernel. Linux is not an OS. Linux is a kernel, you have to develop an OS around it for it to be of any use. Red Hat is an OS, Centos is an OS, Mint is an OS, Linux is a kernel. When looking at a all inclusive OS you have more parts to worry about. What is something that Linux distros do have going for them is that fact that all the parts aren't as tied together so you can change them out with them interact with each other as much. But it also means there is no uniformity for anyone writing a program and you don't get as user friendly of an end result. Which is different with Windows in that everything is tied together and designed to work as a large single collection, not 200 different pieces working together. So a change in 1 piece of code can ripple through the entire system. You also don't have old code in Linux. if you move to Red Hat 7, your Red Hat 6 stuff doesn't work. Windows has legacy code as you aren't able to blow everything old away. Which also means that a fix might effect more stuff since maybe the change impacts how older parts of the system works. So even if you could get a patch for some Linux issue in an hour or two, there is a massive difference in scale and impact between any change to a Linux server and a Windows network.

Dude, I do appreciate what you type, but, sweet great wall of text, please learn to use paragraphs.

 

[naib]

Yes all linux bugs get patched in hours. Please stop the stupidity.
https://www.google.com/amp/s/www.wi...nux-bug/amp/?client=ms-android-hms-tmobile-us

Things are already looking up on the enterprise side. Red Hat and Ubuntu have released their updates already, so now it’s just up to admins to implement them.

So a bug was identified on 20160119 ( http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/, https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728)
and the patch was made available .. 20160119 ( https://access.redhat.com/errata/RHSA-2016:0045 )
How exactly isn't this being fixed within hours... Just because the code the causes it was there for years doesn't negate the fact it was identified and fixed within hours.

Your own example has proven my point that open-source is patched quickly and Windows handling of such things is borderline criminal. MS should be subjected to DO178 software flow, they cannot be trusted to follow a process

 

[wizzi01]

So a bug was identified on 20160119 ( http://perception-point.io/2016/01/...f-a-linux-kernel-vulnerability-cve-2016-0728/, https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728)
and the patch was made available .. 20160119 ( https://access.redhat.com/errata/RHSA-2016:0045 )
How exactly isn't this being fixed within hours... Just because the code the causes it was there for years doesn't negate the fact it was identified and fixed within hours.

Your own example has proven my point that open-source is patched quickly and Windows handling of such things is borderline criminal. MS should be subjected to DO178 software flow, they cannot be trusted to follow a process

Proven what point? you said hours and I linked a article with a bug that has been around for years. Please stop wth your ridiculousness.

 

[naib]

Proven what point? you said hours and I linked a article with a bug that has been around for years. Please stop wth your ridiculousness.

The bug may have existed for years but was only discovered at the stated date and was patched within hours.

Stop moving the goalposts... How the fsck can you patch a bug if you do not know about it.

This windows bug probably existed for years but was discovered relatively recently AND MS chose to not patch it for weeks