Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Google clashes with Microsoft over Windows flaw disclosure (actively exploited zero-day vuln)
PC World ^ | Oct 31, 2016 | Michael Kan

Posted on 10/31/2016 6:41:58 PM PDT by dayglored

Google and Microsoft are butting heads over the disclosure of vulnerabilities. On Monday, Google revealed a critical flaw in Windows after it gave Microsoft a ten-day window to warn the public about it.

Google posted about the zero-day vulnerability on its security blog, saying Microsoft had yet to publish a fix or issue an advisory about the software flaw.

"This vulnerability is particularly serious because we know it is being actively exploited," Google said. It lets hackers exploit a bug in the Windows kernel, via a win32k.sys system call, to bypass the security sandbox.

The search giant originally told Microsoft about the problem 10 days ago, on Oct. 21. It waited to say anything about it publicly so Microsoft could fix the problem first. But Google has a strict policy of giving vendors only seven days to either publish a patch or issue a warning about a flaw.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a blog post in 2013. "But it should be enough time to publish advice about possible mitigations."

Microsoft slammed Google's move. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk," the company said in an email on Monday.

...

Google said that on Windows 10, its Chrome browser will prevent the problem from occurring. Using its own sandbox, the browser can block win32k.sys system calls.

(Excerpt) Read more at pcworld.com ...


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: chromebrowser; internet; internetsecurity; malware; microsoft; security; software; tech; windows; windowspinglist; zeroday
Navigation: use the links below to view more comments.
first 1-2021-26 next last
More at the link...

Seems a little self-serving of Google to trumpet their own mitigation via Chrome. The rest of us had better hope for a patch from Microsoft soon...

1 posted on 10/31/2016 6:41:58 PM PDT by dayglored
[ Post Reply | Private Reply | View Replies]

To: Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ATOMIC_PUNK; ...
Windows Zero-Day Vulnerability, Exploits Active in the Wild ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

2 posted on 10/31/2016 6:42:44 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored
There is a better solution.
3 posted on 10/31/2016 6:48:45 PM PDT by lefty-lie-spy (Stay metal. For the Horde \m/("_")\m/ - via iPhone from Tokyo.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

Microsoft.

Ptui!


4 posted on 10/31/2016 6:56:47 PM PDT by Da Coyote
[ Post Reply | Private Reply | To 1 | View Replies]

To: dayglored

I guess everyone needs to download chrome.


5 posted on 10/31/2016 7:15:04 PM PDT by smokingfrog ( sleep with one eye open (<o> ---)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Da Coyote

Microsoft cannot keep up with addressing software vulnerabilities and patch fixes:

https://www.us-cert.gov/ncas/bulletins

Endless list...


6 posted on 10/31/2016 7:16:02 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)
[ Post Reply | Private Reply | To 4 | View Replies]

To: dayglored

is this just a win10 issue or are other platforms at risk also?


7 posted on 10/31/2016 7:16:59 PM PDT by Chode (You Owe Them Nothing - Not Respect, Not Loyalty, Not Obedience, NOTHING! ich bin ein Deplorable...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Chode
> is this just a win10 issue or are other platforms at risk also?

From what I've seen so far about this, the vuln may be all recent versions (XP/Vista/7/8.1/10). Google's mitigation in Chrome appears to only apply to Win10.

8 posted on 10/31/2016 7:25:56 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 7 | View Replies]

To: dayglored

thx,,,


9 posted on 10/31/2016 7:26:58 PM PDT by Chode (You Owe Them Nothing - Not Respect, Not Loyalty, Not Obedience, NOTHING! ich bin ein Deplorable...)
[ Post Reply | Private Reply | To 8 | View Replies]

To: dayglored

Windows OS degrades over time.


10 posted on 10/31/2016 7:27:34 PM PDT by Dalberg-Acton
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dalberg-Acton
> Windows OS degrades over time.

Well, in fairness, they ALL do with regard to security, in two senses:

  1. Bugs and flaws go undiscovered for months or years, and later appear. and
  2. Environments change, threats that weren't conceivable a year or 5 years ago appear.
I patch my Mac and Linux systems just as often as I do Windows Updates on my Windows systems.

Now, as a separate, non-security related concern, any given installation of Windows is good for somewhere between as much as a few years (for a lightly-used system) and as little as a few months (for a heavily-used system). Windows gets "stale" faster than any of the other major OSes. I find for my production systems, that I have to re-install Windows to "freshen it up" about every 15 months, otherwise it starts acting strangely and eventually goes unstable. My Linux and Mac installations are typically good for the life of the computer (or VM), which in my case is 6-8 years.

11 posted on 10/31/2016 7:40:06 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 10 | View Replies]

To: dayglored

In Windows 10, by reinstall, you mean from the system without destroying data? I had to do that right after I got my Surface when the camera wouldn’t work. It was simple. But is it thorough enough?


12 posted on 10/31/2016 7:53:30 PM PDT by Excellence (Marine mom since April 11, 2014)
[ Post Reply | Private Reply | To 11 | View Replies]

To: dayglored

Windows (for the desktop) is different in that it bloats and slows with use. The registry gets tangled up and bloated as software is installed and uninstalled. After a few years, the OS needs to be reinstalled if you want it to perform like new.
We know this to be true.


13 posted on 10/31/2016 7:55:46 PM PDT by Dalberg-Acton
[ Post Reply | Private Reply | To 11 | View Replies]

To: dayglored

Can mozilla secure this issue?


14 posted on 10/31/2016 8:09:01 PM PDT by Paladin2 (auto spelchk? BWAhaha2haaa.....I aint't likely fixin' nuttin'. Blame it on the Bossa Nova...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: MarchonDC09122009
Microsoft cannot keep up with addressing software vulnerabilities and patch fixes:

That's why they need to go to formally proven systems, it *is* doable (see Verve).

15 posted on 10/31/2016 8:15:02 PM PDT by Edward.Fish
[ Post Reply | Private Reply | To 6 | View Replies]

To: Excellence
> In Windows 10, by reinstall, you mean from the system without destroying data? I had to do that right after I got my Surface when the camera wouldn’t work. It was simple. But is it thorough enough?

As with so many other things, "it depends". If the instability or corruption was in the Windows installation, or the application installations, then reinstalling Windows from scratch, reinstalling your applications, and restoring your data should bring good behavior back. But if the badness was in your own data, profiles, etc.

I regularly make two kinds of backups of my Windows machines:

In addition, I maintain multiple copies of all installation media for all applications I have paid licenses for, along with copies of the installation codes/keys. This in combination with the data backup allows me to reconstruct a useful new machine -- one based on a fresh installation of Windows and re-installation of all applications -- in about a half a day. It's not a clone, but it is essentially a copy of the old machine EXCEPT that Windows and the applications have been installed fresh.

By "reinstall" I mean that latter process. Not the "disk image" cloning done with Acronis.

16 posted on 10/31/2016 8:34:17 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 12 | View Replies]

To: Paladin2
> Can mozilla secure this issue?

Good question. Maybe so, depending on how Firefox does its internals. I would like to think so, since I use Firefox. But I don't know enough about the details to say with any authority.

17 posted on 10/31/2016 8:35:35 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 14 | View Replies]

To: Edward.Fish

Not sure about the relevance of the Verve article.

My point is that Microsoft is not adhering to Information Security Vulnerability Management standards that provide timely patch fixes for remediation.

Some High Risk Vulnerabilities on Critical systems ie: CVE 9 - 10.0 are required to be fixed within 24 HOURS.

Microsoft dragging it’s feet beyond 10 days after Google notified them, and then failing to  disclose the Zero day exploit to the public and provide a patch fix is GROSSLY NEGLIGENT.

Top 30 Targeted High Risk Vulnerabilities | US-CERT

https://www.us-cert.gov/ncas/alerts/TA15-119A

Maintain up-to-date software

The attack vectors frequently used by malicious actors such as email attachments, compromised “watering hole” websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.

It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24-hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.

http://www.theverge.com/2016/10/31/13481502/windows-vulnerability-sandbox-google-microsoft-disclosure


18 posted on 10/31/2016 8:50:41 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)
[ Post Reply | Private Reply | To 15 | View Replies]

To: MarchonDC09122009
Not sure about the relevance of the Verve article.

It's relevant because such methods can be used to prove the absence of errors, a notable case is Ironsides, which is a formally proven DNS. (Their 2013 paper lists the things they were able to prove at around page 12; though the 2012 paper is a bit more explicit on how such were proven.)

The point is that we're now living in an age where we can prove properties of software in a cost-effective manner; essentially we've implemented [mathematical] theory (WRT programming) from 30 years ago, and it opens a whole new vista of software reliability.

19 posted on 10/31/2016 9:24:31 PM PDT by Edward.Fish
[ Post Reply | Private Reply | To 18 | View Replies]

To: Edward.Fish

Thank you for elaborating further.
I’ll look at the papers you recommended as well.


20 posted on 10/31/2016 9:33:37 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)
[ Post Reply | Private Reply | To 19 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-26 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson