Free Republic

Google clashes with Microsoft over Windows flaw disclosure (actively exploited zero-day vuln)
PC World ^ | Oct 31, 2016 | Michael Kan

Posted on 10/31/2016 6:41:58 PM PDT by dayglored

Google and Microsoft are butting heads over the disclosure of vulnerabilities. On Monday, Google revealed a critical flaw in Windows after it gave Microsoft a ten-day window to warn the public about it.

Google posted about the zero-day vulnerability on its security blog, saying Microsoft had yet to publish a fix or issue an advisory about the software flaw.

"This vulnerability is particularly serious because we know it is being actively exploited," Google said. It lets hackers exploit a bug in the Windows kernel, via a win32k.sys system call, to bypass the security sandbox.

The search giant originally told Microsoft about the problem 10 days ago, on Oct. 21. It waited to say anything about it publicly so Microsoft could fix the problem first. But Google has a strict policy of giving vendors only seven days to either publish a patch or issue a warning about a flaw.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a blog post in 2013. "But it should be enough time to publish advice about possible mitigations."

Microsoft slammed Google's move. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk,” the company said in an email on Monday.

...

Google said that on Windows 10, its Chrome browser will prevent the problem from occurring. Using its own sandbox, the browser can block win32k.sys system calls.

(Excerpt) Read more at pcworld.com ...


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: chromebrowser; internet; internetsecurity; malware; microsoft; security; software; tech; windows; windowspinglist; zeroday
To: dayglored
From http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/:

Update at 12:45 p.m. Pacific: Microsoft issued a statement, though the company did not share when a patch could be expected.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.

I added the bold.

21 posted on 11/01/2016 12:03:47 AM PDT by TChad

To: MarchonDC09122009

You do understand that the government publishes vulnerability lists for ALL operating environments, right? Microsoft is NOT the only game in town. They’re the biggest, but they’re not the only one being tested. Apple and Android are regularly compromised and patched.


22 posted on 11/01/2016 6:06:44 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia

Of course.
The CERT list I sent contains bulletins pertaining to all software vulnerabilities.

The thread post was about Microsoft delaying addressing a serious vulnerability in a responsible manner, and hence discussion was directed accordingly.

All OSes have vulnerabilities discovered on a regular basis.
Even Unix, i.e., Red Hat, AIX, SUSE, etc.

Thx


23 posted on 11/01/2016 6:58:22 AM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: TChad
> A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated.

Handy to know... thanks!

24 posted on 11/01/2016 1:25:11 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

bing


25 posted on 11/01/2016 1:29:31 PM PDT by jetson

To: dayglored; ShadowAce

Microsoft: Russian hackers are exploiting Windows flaw exposed by Google

The hacking group is one that has been linked to the Russian government, and is thought to have been behind a number of recent US hacks. Tensions are already running high between the US and Russia — particularly in light of American accusations that Russia has engaged in a hacking campaign designed to interfere with the election.

http://betanews.com/2016/11/02/russian-hackers-exploit-windows-security-flaw/


26 posted on 11/02/2016 4:38:12 AM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)

