DAMN YOU! Microsoft blasts Google over zero-day blabgasm

Microsoft has slammed Google for disclosing a security vulnerability in Windows a mere two days before Redmond planned to fix the bug. Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft; the ad giant said the bug can elevate a user's privileges to administrator-level, thanks to some inelegant …


  1. Anonymous Coward
    Flame

    Sorry, but Google were utterly wrong.

    I understand the point where vendors are not releasing patches and MS have form in this, as do many others, but this one is them being a bunch of pricks. Vendor has stated a release date for fix, asked not to disclose until release is scheduled and they still act like a bunch of spoilt brats going well we say we're going to do it, so nah, nah na naa nah.

    This has FUCK ALL to do with protecting the customers and working with vendors, it's simply a cheap, commercial shot aimed at their biggest rival.

    On this one, I'm with MS 100% and Google 0%

    Yes down vote Google lovers (no doubt many are busy typing away in defence now), but this is nothing but a stupid move that benefits no one other than their own over inflated egos.

    1. Voland's right hand Silver badge

      Re: Sorry, but Google were utterly wrong.

      Yes and no.

      Depends if the release date is reasonable. Not patching stuff for years after it was first reported (as in some 2000-es Oracle vulns) is unreasonable.

      109 days instead of 90 is actually reasonable especially in this case.

      There is a mandatory freeze and do-not-touch period in most institutions around Xmas. While the 90 days mandatory disclosure is somewhat reasonable, the lack of adjustment for the 15th of December to 5th of January is extremely counterproductive.

      So in this specific case I agree with Microsoft (which does not happen that often especially on security).

      1. big_D Silver badge

        Re: Sorry, but Google were utterly wrong.

        In this case, the release date was within 90 days (was exactly 90 days, according to the story), but Google released the information after 86 - 92 days; if we are having a response blog from Microsoft appearing in the early morning press 1 day before the 13th January (depends if you give the benefit of the doubt and from 13th October to 13th January as 30 months or you use exactly 90 days), then I'm guessing that the Google post was on Friday or over the weekend.

        Additionally, with the 30th December Google disclosure, they didn't just warn users about a possible threat, they actually gave hackers the source code to exploit the bug! That is, IMHO, completely irresponsible, if as Google states that they are doing it to protect customers.

        By all means release PoC code after the patch has been released, to show what was done, but making code available to exploit the bug before the patch has been released? How does that protect users / customers? Surely that puts them at unnecessary risk?

        1. big_D Silver badge

          Re: Sorry, but Google were utterly wrong.

          Bleh, 3 months or 90 days, not 30 months!

        2. h4rm0ny

          Re: Sorry, but Google were utterly wrong.

          I might as well pretty much post the same thing I posted last time as the response is the same: This is a PR move by Google.

          Does Google have a competitive interest in Windows being a better OS? No, they don't. So do they therefore benefit from silently and constructively helping fix bugs in a non-destructive manner? No they don't. This is all basic logic so far. Loudly pointing out vulnerabilities in a competitor's products (to the detriment of its users)? Yes, they clearly do have a benefit because it makes their competitor look bad.

          But there is a problem that endangering those users would make Google look bad as well. So clearly what is needed is a way of pointing out those vulnerabilities but making it look like they're not the ones endangering users. Ergo, decide on an entirely arbitrary time scale and say you have given notice and it's your competitor's fault the users are harmed by your publishing this information because they could have fixed it.

          Of course the time scale is arbitrary so sometimes your competitor will be able to fix the issue in time and sometimes they won't - hits and misses. But it's necessary so that you appear to be the responsible one.

          And releasing proof of concept code publicly, instead of just to the vendor so that they can more easily fix it, is a further step wrong again.

          This is PR. If it doesn't look like PR, that's because it's well done PR.

          1. Charlie Clark Silver badge

            Re: Sorry, but Google were utterly wrong.

            Does Google have a competitive interest in Windows being a better OS?

            Just as much as any other company which uses the software. So, yes is the answer.

            It's naive to think that Google's team is the only one that may have discovered this bug. It's just that others may not have condescended to report it.

            Google's real test will be when others start discovering similar bugs in its software or services.

            1. h4rm0ny

              Re: Sorry, but Google were utterly wrong.

              >>"It's naive to think that Google's team is the only one that may have discovered this bug. It's just that others may not have condescended to report it."

              I think it's pretty clear to all that the problem isn't that Google reported the vulnerability to MS. On its own, that's a good thing. But it's not on its own.

              1. Anonymous Coward
                Anonymous Coward

                Re: Sorry, but Google were utterly wrong.

                "I think it's pretty clear to all that the problem isn't that Google reported the vulnerability to MS."

                So the problem is providing a deadline, and sticking to it?

                1. h4rm0ny

                  Re: Sorry, but Google were utterly wrong.

                  >>"So the problem is providing a deadline, and sticking to it?"

                  Sticking to a deadline reflects very well on you. When it's one you impose on yourself. Imposing a deadline on someone else... not so much. I think the word you are looking for is actually "ultimatum". Or maybe "threat".

              2. Charlie Clark Silver badge

                Re: Sorry, but Google were utterly wrong.

                I think it's pretty clear to all that the problem isn't that Google reported the vulnerability to MS. On its own, that's a good thing. But it's not on its own.

                I think that the only problem here is buggy software which leaves users vulnerable. If this were the car industry then Microsoft could expect to be charged for every day it didn't provide a fix or a replacement.

                There is already a thriving market for undisclosed security bugs. There are two ways to dry it up: reduce the number of bugs; reduce the number of undisclosed security bugs by making more of them public.

                1. big_D Silver badge

                  Re: Sorry, but Google were utterly wrong.

                  @Charlie Clark and the security vulnerabilities in the wireless tyre pressure sensors, which were shown to be hijackable to take over the ECU? Or the regular crashing of the onboard computer system (my old Mondeo's navi/temperature/radio would regularly crash and take all controls with it - suddenly blast hot air, play white noise at full volume and stop navigating; the only solution was to turn off the ignition and remove the key, then stick it back in again and restart the motor - not something you want to do when barrelling down the outside lane of the autobahn at 220km/h!).

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Sorry, but Google were utterly wrong.

                    "...my old Mondeo's ...barrelling down the outside lane of the autobahn at 220km/h..."

                    Hmmm... thinking...

                    "...not something you want to do..."

                    YES, that's it.

              3. Calorus

                Re: Sorry, but Google were utterly wrong.

                Yes on its own.

                Once Microsoft had been informed, it's entirely Google's courtesy to wait at all.

                They'd be within their right simply to publish on discovery, it's just courtesy that they decided to give a multi billion dollar company 3 months to come up with a fix.

                1. Tom -1

                  Re: Sorry, but Google were utterly wrong.

                  They didn't give them 3 months - and in fact MS issued the fix in 3 months; they gave them 2 days less than 3 months, knowing that their end date was the Sunday before MSFT's monthly patch release Tuesday. The fact that they released the exploit on a Sunday, not on an ordinary business day, is a pretty good indication of malice on their part.

          2. Anonymous Coward
            Anonymous Coward

            Re: Sorry, but Google were utterly wrong.

            And releasing proof of concept code publicly, instead of just to the vendor so that they can more easily fix it, is a further step wrong again.

            That's a naive viewpoint. The description in most reports provides enough to create your own exploit. The PoC is for the less adept to realise "oh crap, this report isn't just theoretical waffle - I had better respond to it".

            This is PR. If it doesn't look like PR, that's because it's well done PR.

            PR for what? You don't need Google to convince the masses about the security problems in Windows, they're already panic buying (so called) security suites. Privilege escalation bug? Just give them a file with "setup" or "install" in the name is enough!

          3. Anonymous Coward
            Anonymous Coward

            Re: Sorry, but Google were utterly wrong.

            > This is PR. If it doesn't look like PR, that's because it's well done PR.

            Google appears to be on a rampage about everyone else's security vulnerabilities. The lady doth protest too much, me thinks.

            As of today, there are 127 security vulnerabilities in Google Chrome, as listed at cvedetails.com:

            http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/year-2014/Google-Chrome.html

            Pot. Kettle. Black.

          4. danbi

            Re: Sorry, but Google were utterly wrong.

            If you are a Windows user, then this "PR" move by Google actually helps YOU.

            Don't be so protective of Microsoft, they are not your friends. They could care less if you exist or not.

            The Swiss cheese nature of Windows security is scary and with all those millions of zombie Windows computers that SPAM and DDoS the Internet, it is quite understandable why Google would react this way.

            Rest assured, there are still enough hooks for the spooks left in Windows.

          5. Calorus

            Re: Sorry, but Google were utterly wrong.

            Totally true.

            It says everything that MS weren't bright enough to spot it.

        3. This post has been deleted by its author

        4. P. Lee

          Re: Sorry, but Google were utterly wrong.

          So MS were holding off until the very last possible moment before releasing the patch and hoping Google would relent? They were happy with 92 days but not 90? Doesn't Patch Tuesday roll around every week?

          My guess is that MS are playing games, with customers' security being the sacrificial pawn. They were looking to either get Google to change their policy on disclosure as a concession to MS, or to score PR points saying they were irresponsible for releasing a zero-day.

          Sorry MS, if you can't release a patch in 2.95 months (or even 1.95 months), you don't get my sympathy vote. You know Google's policy; if you asked them to hold off until 92 days, did you actually get a reply from them to say they would? I'm guessing you didn't. If you don't get an exception to the policy, the policy stands, that's how things work in business. You don't just fling an email into the void saying you won't make a deadline and hope the third party changes its policy to suit you. That isn't how enterprises work.

          Nice try, no cigar. Stop messing around. When you display an attitude like that, I'm glad I'm not your customer.

          1. Anonymous Coward
            Anonymous Coward

            Re: Sorry, but Google were utterly wrong.

            And who made Google the Lord High Judge? That's right - it was entirely ultra vires, they appointed themselves.

            Google - whose only attempt at an OS is Android which made all versions of MSDOS and Windows look ultra secure. Google bestrides us like a great colossus, and we poor mortals must be content to grovel at their feet.

            1. Anonymous Coward
              Anonymous Coward

              Re: Sorry, but Google were utterly wrong.

              And who made Google the Lord High Judge? That's right - it was entirely ultra vires, they appointed themselves.

              Like every other security researcher who submits their reports to the original vendor, rather than a commercial exploit vendor?

            2. Robert Helpmann??
              Childcatcher

              Re: Sorry, but Google were utterly wrong.

              Google - whose only attempt at an OS is Android which made all versions of MSDOS and Windows look ultra secure.

              Come on now, if you are going to take shots, why pass up the opportunity to beat Chrome OS with a stick? While I appreciate the idea of community pressure making security better, putting out exploit code in this manner is a step beyond unethical. It ranks up there with releasing malware.

              "Oh look! We just happen to throw this code together in the lab and haven't gotten round to disposing of it. We're just going to put it here where everyone can see while we turn our backs and let the owner take a crack at fixing it. OK, on the count of 90..." Google, j'accuse!

            3. eulampios

              @the sensational AC

              >>Android which made all versions of MSDOS and Windows look ultra secure.

              Wow, did we all miss some Android Apocalypse? Where can we read about Android epidemics similar to (or according to you even more severe than) ILOVEYOU, Mydoom, Blaster, Sobig Worm, Code Red, CIH, Klez, Melissa, Sasser, Bagle, Win32/Simile, Nimda, Conficker, Stuxnet (to mention just a few)? Or you're gonna be referring to the millions of trojaned apps that await Android users, although pretty much nobody ever had?

          2. Anonymous Coward
            WTF?

            Re: Sorry, but Google were utterly wrong.

            Doesn't Patch Tuesday roll around every week?

            Either you are joking or just ignorant. I guess the latter.

          3. cambsukguy

            Re: Sorry, but Google were utterly wrong.

            Probably impossible to get the fix out by October. November may have been possible for a stupendous flaw with a desperate need for a fix (Heartbleed level stuff).

            So really, December was the earliest reasonable release. They didn't make it, which could have been sloppiness on their part or, more likely, just the timescales required for a huge company with a massive code base running on millions of differing systems to lumber through a process.

            Perhaps the release was ready for the day after patch Tuesday in December, I don't know either.

            This gives more weight to the release-when-ready system but I still think bundling up the patches together, testing them as blocks up until some cut-off date is more reliable.

            And the end users and admins don't have continuous automagic or, worse, manual updates being requested every day or two (or three) - once a month is fine by me - extraordinary cases notwithstanding.

            1. Eddy Ito

              Re: Sorry, but Google were utterly wrong.

              Probably impossible to get the fix out by October. November may have been possible for a stupendous flaw with a desperate need for a fix (Heartbleed level stuff).

              Well Google notified MS on 13 Oct. the Monday before Patch Tuesday so they had a day tops which is a non-starter, toss October. That effectively gave MS 29 days until Patch Tuesday in November (the 11th) and 57 days until Patch Tuesday in December (the 9th). Conveniently, since both October and December have 31 days, it put January's Patch Tuesday at 92 days from notification giving Google an opportunity to do their little dookie dance.

              Now a cynical old fart, such as yours truly, might say that the GOOG held this little exploit close to their chest and carefully chose the timing to notify MS hoping MS wouldn't have enough time to cover it or would release another unstable patch. Either way MS gets a black eye. Notice that quarterly Patch Tuesdays are always 13 weeks apart and 13*7=91 so it isn't hard for the GOOG to piss in Microsoft's corn flakes or those of anyone else who sets a fixed update schedule for that matter. You see, what their dookie dance is really about is "our flexible release system is bigger better than your rigid one". Perhaps the children over at Google should lay off the sugar and caffeine for a bit.

              1. Jeff Green

                Sorry, but Microsoft were utterly wrong.

                All those complaining that Google were sticking to an arbitrary deadline seem not to have noticed that so were Microsoft!

                What is so special about a Tuesday?

                If Microsoft had the fix for a security vulnerability and decided not to release it merely because they only release fixes on Tuesday they were 100% in the wrong. If you have a fix you make it available; if you are meeting an old friend for a regular lunch, every fourth Tuesday is fine.

                If Microsoft had sent a mail saying "This problem is proving very tricky to fix and we estimate we are 7 days off a working solution please can you withhold" I would have some sympathy but "We have fixed it but our marketing department thinks it is better to do things on Tuesday so please don't release the info" is crass.

                Microsoft are a huge company; if they cannot fix a simple bug in their code in 3 months then they need to redeploy some of the thousands of people in other jobs into doing something useful.

          4. mtcoder

            Re: Sorry, but Google were utterly wrong.

            Well the patch has / could have been ready for 2 weeks now, but MS has a well documented patch process, which has to be in place due to its enterprise aspects. Only super serious, deadly to the OS patches are ever made outside their Patch Tuesday pipeline. Everyone knows about patch Tuesday to the point, hell, we all call it Patch Tuesday; it has its own title and day. Lots of system admins have whole business processes that affect billions of dollars in productivity set up around patch Tuesday. Changing that process isn't something MS takes lightly.

            Also this is OS patching, which means you have about 1 billion possible hardware aspects that could cause problems, a few billion lines of code something could screw up, and you best damn well make sure your fix doesn't make a bigger hole elsewhere. Testing code takes a lot of time, when it comes to top end programming. Really don't want a patch to come out then see the headline, UAC patch prevents users from installing any new products or running half their applications. Not exactly where you want to be. Also it's part of UAC so that means group policy, Azure services, Active Directory, System Center, all have to be updated. It's not a super simple fix, so to say.

          5. Robert A. Rosenberg

            Re: Sorry, but Google were utterly wrong.

            "So MS were holding off until the very last possible moment before releasing the patch and hoping Google would relent? They were happy with 92 days but not 90? Doesn't Patch Tuesday roll around every week?"

            No it is not. It is the 2nd Tuesday of the month. Thus depending on when the report is sent in, MS can have only 2 cycles or 3 before the 90 days are up. Given this window, I can see waiting another 2 days in this case as a reasonable delay since the fix is supposedly included. Given that MS has a fixed fix release schedule (which they recently broke once to issue an emergency "Can Not Wait Until Fix Tuesday" fix) I can see that 90 days can be a bad fit and 3 Fix Tuesdays can be a better period. OTOH: There needs to be some cap on the delay beyond 90 days.
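As an added illustration of the scheduling arithmetic in Eddy Ito's post above (1, 29, 57 and 92 days) and of the "2 cycles or 3" point in this one, not code from the thread: a small Python script that lists Patch Tuesdays relative to a report date. It assumes Patch Tuesday is the second Tuesday of each month and takes the 13 October 2014 notification and 90-day window from the thread.

```python
from datetime import date, timedelta

# Assumed inputs, taken from the thread: notification on 13 Oct 2014, 90-day window.
REPORT_DATE = date(2014, 10, 13)
WINDOW_DAYS = 90


def second_tuesday(year, month):
    """Patch Tuesday for a month: the second Tuesday (date.weekday() == 1)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def patch_tuesdays(report, window_days):
    """Every Patch Tuesday after the report date, up to and including the first
    one past the deadline, as (date, days since report) pairs."""
    deadline = report + timedelta(days=window_days)
    year, month = report.year, report.month
    schedule = []
    while True:
        pt = second_tuesday(year, month)
        if pt > report:
            schedule.append((pt, (pt - report).days))
            if pt > deadline:
                return schedule
        year, month = next_month(year, month)


def cycles_available(report, window_days, min_lead_days=0):
    """Patch Tuesdays inside the window that a fix could realistically ride on;
    min_lead_days drops any that fall too soon after the report (e.g. the next day)."""
    return [pt for pt, days in patch_tuesdays(report, window_days)
            if min_lead_days < days <= window_days]


def deadline_summary(report, window_days):
    """Where the deadline lands relative to the first Patch Tuesday after it."""
    deadline = report + timedelta(days=window_days)
    first_after = next(pt for pt, days in patch_tuesdays(report, window_days)
                       if days > window_days)
    return {
        "deadline": deadline.isoformat(),
        "weekday": deadline.strftime("%A"),
        "first_patch_tuesday_after": first_after.isoformat(),
        "days_past_deadline": (first_after - deadline).days,
    }


if __name__ == "__main__":
    for pt, days in patch_tuesdays(REPORT_DATE, WINDOW_DAYS):
        print(f"{pt}  day {days:3d}")
    print("cycles (any lead time):", len(cycles_available(REPORT_DATE, WINDOW_DAYS)))
    print("cycles (>= 1 week lead):", len(cycles_available(REPORT_DATE, WINDOW_DAYS, 7)))
    print(deadline_summary(REPORT_DATE, WINDOW_DAYS))
```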

        5. Anonymous Coward
          Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          By all means release PoC code after the patch has been released

          The PoC code is a fucking batch file - with 2 commands!

          Here it is - go and take over the world with it:

          reg add HKCU\Environment /v TEMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp

          reg add HKCU\Environment /v TMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
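A defender-side check, added here and not part of the post above: the two commands write TEMP and TMP as REG_EXPAND_SZ values that climb out of the profile directory with ".." segments, so an audit of a user's HKCU\Environment can expand and normalise those two values and flag any that resolve outside %USERPROFILE%. The environment and the registry values below are constructed stand-ins; on a live system they would come from the registry.

```python
import ntpath

# Constructed stand-in for the user's environment (on Windows this would be read
# from the OS or an exported hive).
ENV = {"USERPROFILE": r"C:\Users\alice"}
PROFILE_ROOT = ENV["USERPROFILE"]

# Constructed samples. SUSPECT mirrors what the batch file in the thread writes
# (its %% escaping collapses to a single % in the registry); BENIGN is the
# normal per-user temp location.
SUSPECT = {
    "TEMP": r"%USERPROFILE%\..\..\..\..\..\windows\faketemp",
    "TMP": r"%USERPROFILE%\..\..\..\..\..\windows\faketemp",
}
BENIGN = {
    "TEMP": r"%USERPROFILE%\AppData\Local\Temp",
    "TMP": r"%USERPROFILE%\AppData\Local\Temp",
}


def expand(value, env):
    """Expand %NAME% references the way a REG_EXPAND_SZ value is expanded,
    using the supplied dict instead of the live environment."""
    out = value
    for name, val in env.items():
        out = out.replace(f"%{name}%", val)
    return out


def resolve(value, env):
    """Expanded value with '..' segments collapsed, as the file system sees it."""
    return ntpath.normpath(expand(value, env))


def escapes_profile(value, env, profile_root):
    """True if the resolved path lies outside the user's own profile directory."""
    path = resolve(value, env).lower()
    root = ntpath.normpath(profile_root).lower().rstrip("\\")
    return not (path == root or path.startswith(root + "\\"))


def audit(values, env, profile_root):
    """Findings for TEMP and TMP: resolved path, whether it escaped the profile,
    and whether the raw value carried any '..' traversal segment at all."""
    findings = {}
    for name in ("TEMP", "TMP"):
        raw = values.get(name)
        if raw is None:
            continue
        findings[name] = {
            "resolved": resolve(raw, env),
            "escapes_profile": escapes_profile(raw, env, profile_root),
            "has_traversal": ".." in raw.replace("/", "\\").split("\\"),
        }
    return findings


if __name__ == "__main__":
    for label, values in (("suspect", SUSPECT), ("benign", BENIGN)):
        for name, f in audit(values, ENV, PROFILE_ROOT).items():
            flag = "ALERT" if f["escapes_profile"] else "ok"
            print(f"{label:7} {name:4} -> {f['resolved']}  [{flag}]")
```

The same check applies to any REG_EXPAND_SZ path the user can set for themselves: anything that resolves under %SystemRoot% or another system directory deserves a look.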

      2. naive

        Re: Sorry, but Google were utterly wrong.

        To see someone defending that a company like MS can not provide fixes for serious security bugs in its Operating Systems in a timely manner, is shocking given the track record that MS leaves many back doors open for spooks from all sides to peek into users' computers.

        Perhaps MS has difficulties with it because they sell licenses to the spooks for using these back doors for more than 90 days?

        1. Anonymous Coward
          Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          "can not provide fixes for serious security bugs in its Operating Systems in a timely manner"

          90 days is reasonably timely for a privately disclosed vulnerability in a complex OS. Proper regression testing such as testing a patch across dozens of OS versions and thousands of test scenarios takes time.

        2. cambsukguy

          Re: Sorry, but Google were utterly wrong.

          'Sell' licences to spooks, hilarious, good one!

          I suppose there are contracts and an EULA, they must be hysterical... "We guarantee that this software has security flaws. We guarantee that this software will support DDoS. You may use this software for illegal purposes. We guarantee that any published fixes will insert an equivalent exploit as soon as reasonably practicable".

          As long as they keep paying the support fees of course!

        3. John P

          Re: Sorry, but Google were utterly wrong.

          If MS had completely ignored Google and not given them any information on when a fix would be available, I would have less of an issue with what Google did and the blame would be on MS for not communicating properly with them on the matter.

          But MS did tell them that a fix was coming with a release date and asked them to delay disclosure for a couple of weeks until it was out. Google had a definitive time frame when a fix would be available and they stuck to the 90 days anyway, knowingly creating risk for users who may be vulnerable to the exploit.

          So in this case, Google are firmly in the wrong IMHO.

          1. Tom -1

            Re: Sorry, but Google were utterly wrong.

            I don't understand why you think that 92 days is a couple of weeks longer than 92 days. Reported Oct 13, fixed Jan 13 - that's 92 days.

        4. Tom -1

          Re: Sorry, but Google were utterly wrong.

          Publishing an exploit at 90 days when the vendor has informed you that the fix will be released on the 92nd day and asked you to delay for those two days is just irresponsible vandalism, giving all the script kiddies in the world an opportunity to have fun doing damage in the two days before the fix is issued.

      3. Anonymous Bullard

        Re: Sorry, but Google were utterly wrong.

        109 days instead of 90 is actually reasonable especially in this case.

        What if their deadline was 60 days? Should they have released it on day 79? What if it was 120 days?

        The thing that the fan boys (both Google/Microsoft) can't grasp is 90 days means 90 days and if they don't stick to it then their security reports won't get the respect they deserve.

        Security is one of the most important factors, and we've all laughed and face-palmed at the break-in reports on here and I think we can all agree that vendors also need to start taking it more seriously. Without the security reporters providing the ultimatums the vendors just won't be motivated enough to fix it, where new features are more exciting to work on. They should be grateful that they're actually reporting these bugs, rather than selling to the highest bidder (which happens more than you think).

        Google might be naughty for releasing the proof of concept, but Microsoft are equally in trouble for allowing it to happen. Maybe now Microsoft and the other vendors (including Google themselves) will take security reports more seriously, just like their users should.

      4. Paul Shirley

        Re: Sorry, but Google were utterly wrong.

        Voland's right hand:"There is a mandatory freeze and do-not touch period in most institutions around Xmas."

        When you can prove that cybercriminals all take xmas off that might be an argument. But rather a lot of them live in countries that don't do xmas. If a company wants to slack over a holiday they'd better throw more resources at the job to make up lost time.

        Or perhaps we could stop pretending security is a normal business activity and actually accept it's high priority.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          This is not a CERT matter to contain and counteract an attack. This is modifying code to correct a bug - a bug that has security implications. That has to be done by coders that usually don't work "on urgency" but for very special situations - coders who know well that codebase and are allowed to modify that code. And who work in normal shifts, and sometimes take holidays as well.

          The last thing you want - unless the risk is too high - is hurried up code written by someone who has to get a plane in a few hours or something like that. What you want is someone working and thinking clearly to deliver the best fix in the allowed time.

          Otherwise, what you get is the endless stream of patches like those hurried up to fix the Bash bug.

          Fixing bugs, including most vulnerabilities *is* normal business activity.

          It's pretty clear people like you have a lot of confusion about software development, lifecycle management, operations security and emergency response.

      5. Selden

        Re: Sorry, but Google were utterly wrong.

        Thanks for saving my having to compose a nearly identical response, but yours is likely better worded. Microsoft was right, but both companies are engaged in a pissing match over this. Broader buy-in over the Coordinated Vulnerability Disclosure policy would seem to benefit everybody.

    2. Bob Vistakin
      Facepalm

      Re: Sorry, but Google were utterly wrong.

      Please Google, don't be horrid to us. By the way, thanks for moving the needle above floor noise for us with our mobile revenue.

    3. Anonymous Coward
      Anonymous Coward

      Re: Sorry, but Google were utterly wrong.

      Sigh, we've done this one before.

      Plenty of idiots thinking it's a Microsoft vs Google issue when it quite clearly isn't (to those actually familiar with the security field).

      This is standard practice, regardless of it being Google or Microsoft. In fact, 90 days is quite generous.

      1. h4rm0ny

        Re: Sorry, but Google were utterly wrong.

        >>"This is standard practice, regardless of it being Google or Microsoft. In fact, 90 days is quite generous."

        No it isn't. Symantec and all those other security companies don't generally release proof of concept code to help black hats build their exploits. They also work constructively with the affected projects or companies. And 90 days is not "quite generous". We're talking systems programming here, not a web app where you can just drop in a quick patch and deploy on your servers. When I did this sort of work we had a team of people in another building who did nothing all week but work through formal tests to check each release of software. It took a long time to do that and it was necessary. If we wanted to push out a change, that went into the process. If we stopped the process to account for a new bug, that would be holding up fixes for others - which may be more important - because it means restarting the whole release pipeline.

        That's what a lot of people who only work on web apps and on non-safety critical software don't understand. And the armchair developers are worse. Stopping everything to put in a fix for the latest discovered problem can actually make your software more vulnerable because it can delay the release of fixes for more dangerous bugs. This bug basically causes the UAC notice to not pop up. So if a user with administrative rights is persuaded to run your malware, they don't get a "Do you want to allow this program to make changes..." message when they double click the email attachment, etc. That's bad, but who is to say it should have delayed some other fix?

        Probably none of us here have seen the code and none of us therefore know whether 90 days is "generous" or not. And certainly Google don't know.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sorry, but Google were utterly wrong.

          Symantec and all those other security companies...

          So who are "all those other security companies"?

          You mention Symantec - who are strongly motivated by keeping "their" reports a secret because they don't really want to help their competitors. By the way - Symantec just regurgitate reports from full disclosure reports, removing all the interesting information.

          Stopping everything to put in a fix for the latest discovered problem can actually make your software more vulnerable because it can delay the release of fixes for more dangerous bugs

          ..

          That's bad, but who is to say it should have delayed some other fix?

          I agree, the bug itself is low/medium priority compared to all the other issues their security department deal with. It's the fact that it's "Google + Microsoft" squabble that hits the headlines and gets the fanatics excited.

      2. Alan Brown Silver badge

        Re: Sorry, but Google were utterly wrong.

        "In fact, 90 days is quite generous."

        As someone who used to deal with bugs, etc I agree. The fact remains that even if a good guy found it and reported the thing, badhats may have found it and not bothered - the number of actively exploited (0-day) vulnerabilities that still crop up should be a good reminder of that.

        It's not at all uncommon to apply a fix and then find that attacks were already happening, before exploit code was released (and in some cases before the bug had been published), so I'd argue that the number of published 0-day bugs is a substantially smaller subset of the number actually being exploited.

      3. Michael Wojcik Silver badge

        Re: Sorry, but Google were utterly wrong.

        Sigh, we've done this one before.

        Yes, if only the entire IT security community hadn't had this whole "responsible disclosure" argument ad nauseam ten years ago, across all the prominent conferences and mailing lists and other forums... Oh, wait, we did.

        Well, we shouldn't be surprised that the non-experts are once again stumbling blindly over the same territory, September being eternal and all that.

        Personally, I'm firmly on Google's side in this case (and I'm no Google fan). I remember all too well the days before responsible disclosure became the norm, when firms would sit for years on known vulnerabilities while exploits circulated among the txtfile community. Responsible disclosure was what got Microsoft (and a great many other firms) off its collective ass in the first place; it's not a coincidence that Bill Gates' "Trustworthy Computing" memo came out a few months after RFPolicy started the rush to formalize disclosure policies.

        And responsible disclosure works because it's a carrot and a stick. The carrot is refraining from publishing exploits immediately; the stick is the threat to publish eventually. They only work when they're imposed by researchers, not the affected vendors. Sure, Microsoft's free to push its own disclosure policy [1], but they'll have to live with the fact that they can't impose it on researchers, and that not everyone will agree that their way is the best.

        The MS Trustworthy Computing initiative and the security groups that have come out of it are a mixed bag. Some of it is, in fact, excellent. Other bits are not. Their handling of reported vulnerabilities is, in my opinion, better than the industry average; but it's not so good that researchers should feel compelled to agree to Microsoft's terms.

        [1] Though they might have done so a bit less ham-fistedly. Like, say, publishing it as HTML rather than as a fucking Word document. The late, great Rich Stevens once rightly excoriated Microsoft for pretending that everyone loves its stupid proprietary document format, but they'll never acknowledge that. It'd also have been good if they'd drafted something a little earlier than 2010.

    4. Anonymous Coward
      Anonymous Coward

      Re: Sorry, but Google were utterly wrong.

      Microsoft haven't done themselves any favours on the moral high ground by:

      "Microsoft patch batch pre-alerts now for paying customers ONLY"

      http://www.theregister.co.uk/2015/01/09/ms_restricts_security_pre_alerts/

    5. leexgx

      Re: Sorry, but Google were utterly wrong.

      I agree with Google posting the zero day, but not the proof of concept code; that should have been held back for a bit.

    6. Tom 13

      Re: Sorry, but Google were utterly wrong.

      When giants fight, the ants are crushed beneath their feet.

      I'd agree with MS 100% and Google 0% if I were sure MS had the patch in the pipeline and aren't simply blowing smoke. I'm 80% there, but not 100%.
