Posted on 10/31/2016 6:41:58 PM PDT by dayglored
Google and Microsoft are butting heads over the disclosure of vulnerabilities. On Monday, Google revealed a critical flaw in Windows after it gave Microsoft a ten-day window to warn the public about it.
Google posted about the zero-day vulnerability on its security blog, saying Microsoft had yet to publish a fix or issue an advisory about the software flaw.
"This vulnerability is particularly serious because we know it is being actively exploited," Google said. It lets hackers exploit a bug in the Windows kernel, via a win32k.sys system call, to bypass the security sandbox.
The search giant originally told Microsoft about the problem 10 days ago, on Oct. 21. It waited to say anything about it publicly so Microsoft could fix the problem first. But Google has a strict policy of giving vendors only seven days to either publish a patch or issue a warning about a flaw.
"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a blog post in 2013. "But it should be enough time to publish advice about possible mitigations."
Microsoft slammed Google's move. "We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," the company said in an email on Monday.
...
Google said that on Windows 10, its Chrome browser will prevent the problem from occurring. Using its own sandbox, the browser can block win32k.sys system calls.
(Excerpt) Read more at pcworld.com ...
Seems a little self-serving of Google to trumpet their own mitigation via Chrome. The rest of us had better hope for a patch from Microsoft soon...
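The Chrome mitigation described in the excerpt above (the sandbox blocking win32k.sys system calls) is the per-process Win32k lockdown that Windows exposes as a process mitigation policy. The following script is an added example, not code from the pcworld article, from Google, or from anyone in this thread: it lists the running chrome.exe processes and reports which of them actually have the lockdown on. It relies on the ProcessMitigations PowerShell module that ships with Windows 10 1709 and later (so it postdates this thread), and it assumes that Get-ProcessMitigation exposes the lockdown state as the SystemCall.DisableWin32kSystemCalls property, as it does in current builds.

```powershell
# Added example (not from the article or the thread): show which running
# chrome.exe processes have the Win32k system-call lockdown applied.
# Requires the ProcessMitigations module (Windows 10 1709 and later).
# Assumption: Get-ProcessMitigation reports the lockdown state under
# .SystemCall.DisableWin32kSystemCalls (ON / OFF / NOTSET).

function Get-Win32kLockdownState {
    param(
        [Parameter(Mandatory)] [string] $ProcessName   # e.g. "chrome"
    )

    Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
        $procId = $_.Id      # $pid is an automatic variable, so use another name
        try {
            $mitigation = Get-ProcessMitigation -Id $procId
            $state = $mitigation.SystemCall.DisableWin32kSystemCalls
        } catch {
            # Processes we are not allowed to open are reported, not skipped silently.
            $state = "ERROR: $($_.Exception.Message)"
        }

        $cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $procId").CommandLine

        [pscustomobject]@{
            Pid                      = $procId
            # Chrome tags its sandboxed children with --type=<kind>; the main
            # browser process has no such switch.
            Type                     = if ($cmdLine -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
            DisableWin32kSystemCalls = $state
        }
    }
}

# The browser process draws Chrome's own windows and therefore needs win32k;
# only the sandboxed renderer processes are expected to report ON here.
Get-Win32kLockdownState -ProcessName chrome | Format-Table -AutoSize
```

Read the output with the article's point in mind: the mitigation protects only the processes that report ON, so a renderer showing OFF or NOTSET is not covered even though Chrome is installed. The same module can opt a GUI-free helper binary into the lockdown system-wide with `Set-ProcessMitigation -Name <exe> -Enable DisableWin32kSystemCalls`, but applying that by name to a program that creates windows (chrome.exe itself, for instance) will break it, because the policy covers every process with that image name; `AuditSystemCall` is the audit-only counterpart to try first.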
Microsoft.
Ptui!
I guess everyone needs to download chrome.
Microsoft cannot keep up with addressing software vulnerabilities and patch fixes:
https://www.us-cert.gov/ncas/bulletins
Endless list...
Is this just a Win10 issue, or are other platforms at risk also?
From what I've seen so far about this, the vuln may be all recent versions (XP/Vista/7/8.1/10). Google's mitigation in Chrome appears to only apply to Win10.
thx,,,
Windows OS degrades over time.
Well, in fairness, they ALL do with regard to security, in two senses:
Now, as a separate, non-security related concern, any given installation of Windows is good for somewhere between as much as a few years (for a lightly-used system) and as little as a few months (for a heavily-used system). Windows gets "stale" faster than any of the other major OSes. I find for my production systems, that I have to re-install Windows to "freshen it up" about every 15 months, otherwise it starts acting strangely and eventually goes unstable. My Linux and Mac installations are typically good for the life of the computer (or VM), which in my case is 6-8 years.
In Windows 10, by reinstall, you mean from the system without destroying data? I had to do that right after I got my Surface when the camera wouldn’t work. It was simple. But is it thorough enough?
Windows (for the desktop) is different in that it bloats and slows with use. The registry gets tangled up and bloated as software is installed and uninstalled. After a few years, the OS needs to be reinstalled if you want it to perform like new.
We know this to be true.
Can mozilla secure this issue?
That's why they need to go to formally proven systems, it *is* doable (see Verve).
As with so many other things, "it depends". If the instability or corruption was in the Windows installation, or the application installations, then reinstalling Windows from scratch, reinstalling your applications, and restoring your data should bring good behavior back. But if the badness was in your own data, profiles, etc.
I regularly make two kinds of backups of my Windows machines:
By "reinstall" I mean that latter process. Not the "disk image" cloning done with Acronis.
Good question. Maybe so, depending on how Firefox does its internals. I would like to think so, since I use Firefox. But I don't know enough about the details to say with any authority.
Not sure about the relevance of the Verve article.
My point is that Microsoft is not adhering to Information Security Vulnerability Management standards that provide timely patch fixes for remediation.
Some High Risk Vulnerabilities on Critical systems, i.e. CVE 9 - 10.0, are required to be fixed within 24 HOURS.
Microsoft dragging its feet beyond 10 days after Google notified them, and then failing to disclose the zero-day exploit to the public and provide a patch fix, is GROSSLY NEGLIGENT.
Top 30 Targeted High Risk Vulnerabilities | US-CERT
https://www.us-cert.gov/ncas/alerts/TA15-119A
Maintain up-to-date software
The attack vectors frequently used by malicious actors such as email attachments, compromised watering hole websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.
It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24 hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.
It's relevant because such methods can be used to prove the absence of errors; a notable case is Ironsides, which is a formally proven DNS. (Their 2013 paper lists the things they were able to prove at around page 12, though the 2012 paper is a bit more explicit on how those were proven.)
The point is that we're now living in an age where we can prove properties of software in a cost-effective manner; essentially we've implemented [mathematical] theory (WRT programming) from 30 years ago, and it opens a whole new vista of software reliability.
Thank you for elaborating further.
I’ll look at the papers you recommended as well.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.