back to article Google drops a zero-day on Microsoft: Web giant goes public with bug exploited by hackers

Google has slung a grenade at Microsoft by disclosing a Windows vulnerability before Redmond has a patch ready. The bug can be exploited by malware on a machine to gain administrator-level access. According to this blog post by Neel Mehta and Billy Leonard of the Chocolate Factory's Threat Analysis Group, the reason for going …

  1. Doctor Syntax Silver badge

    "Adobe worked fast on its patch because Flash malware was already in the wild."

    You wrote that as if it was something new.

    1. nhirsch

      Article also says the Microsoft exploit was also found in the wild. How many days is enough to get Microsoft moving? Ten seems more than reasonable to me.

  2. Anonymous Coward
    Anonymous Coward

    Google is as much nice with Microsoft...

    ... as it is with Apple, right? Plenty of time for Apple to fix its threading issues, no time for MS (the CVE was reserved on September 9). Even if the bug is being exploited, would really help to disclose it fully? Ok to disclose it exists and is being exploited, looks dangerous to tell where it is.

    It looks quite clear bug disclosures are becoming a weapon.

    1. Nate Amsden Silver badge

      Re: Google is as much nice with Microsoft...

      Doesn't seem like any real value to disclosing it, they don't claim to have a workaround, so other than "be careful" and "install the patch when it comes" (which most people should be doing anyway) see no value to disclosing other than for publicity.

      Not that I care(as a Linux user), doesn't really affect me.

      1. gerdesj Silver badge
        Childcatcher

        Re: Google is as much nice with Microsoft...

        "Doesn't seem like any real value to disclosing it"

        There is value when you are say Google with a webby ad business and a browser to show them off and gather data with. Note how Chrome/Chromium are unaffected due to their sandboxing - this is probably a dig at IE/Edge.

        Perhaps someone could tell us whether Firefox, Edge, IE etc have similar sandboxing techniques.

        I also use Linux exclusively but I am under no illusion that I'm much safer than others purely due to my OS choice - Gentoo - "the lap scorcher"

        1. Sil

          Re: Google is as much nice with Microsoft...

          Edge isn't affected on Windows 10 anniversary (more than 77% of Win10 installs)

      2. GruntyMcPugh Silver badge

        Re: Google is as much nice with Microsoft...

        "Not that I care(as a Linux user), doesn't really affect me."

        Uh huh. Unless say, your local Doctor's surgery falls foul of this exploit, and your medical records get stolen? Or maybe someone else that holds sensitive personal information about you. Your security isn't solely in your hands.

    2. Anonymous Coward
      Anonymous Coward

      Re: Google is as much nice with Microsoft...

      I think the value in disclosing it publicly is to get Microsoft to fix it now instead of sitting around until they are good and ready to come up with a fix. If Adobe can knock out a patch to the public in four days, MSFT should be able to come up with a *plan* to release a patch on a zero-day in 10 days.... MSFT, of course, is upset with Google for pointing out MSFT's incompetence. Google plays this stuff straight. They don't care if you are MSFT or some four person shop. If you have a critical vulnerability, you have seven days to get your stuff together and push out a patch (actually gave MSFT 10 days) or at least tell your devs about your screw up and the plan to fix, Google is going to tell their devs.... There is no excuse for MSFT's poor security management in Windows. Given the billions they rake in from the only licensed OS, you would think it would be iron clad... that "enterprise level" experience MSFT is always going on about. MSFT just isn't used to having to do things well as until recently it was a non-competitive market.

      1. big_D Silver badge

        Re: Google is as much nice with Microsoft...

        There is a difference between informing the world that there is a problem being actively exploited by malware and giving full details on how to exploit it... Especially given that they have only given Microsoft a little over a week to study the problem and fix it.

        Yes, warn the public that there is new malware out there that can exploit the problem, but don't tell other hackers, who haven't discovered the issue, where to look and what to do.

        By the sound of it, the problem is pretty deep in Win32 and it might not be a five minute fix, as the windows handling functions are used by pretty much all software, so any changes will need to be thoroughly tested to ensure that they don't kill other, valid applications.

        1. hplasm
          Devil

          Re: Google is as much nice with Microsoft...

          "...so any changes will need to be thoroughly tested..."

          That might lead to infinite delays- why test patches now- MS 'testing' seems to have been overlooked before?

        2. tiggity Silver badge

          Re: Google is as much nice with Microsoft...

          "so any changes will need to be thoroughly tested to ensure that they don't kill other, valid applications."

          That would be a first in recent years, where testing seems to be down to the unlucky "early adopters" of the latest patches.

    3. Anonymous Coward
      Anonymous Coward

      The difference is the Apple one was not being actively exploited

      It sounds like this Windows bug was being, so there's not much gained by keep the details "secret" when they're already out in the open.

      This is sort of like when hackers grab something and Wikileaks releases it - complaining that the news is discussing your classified material when it is no longer "secret" is kind of pointless.

    4. anonymous boring coward Silver badge

      Re: Google is as much nice with Microsoft...

      "It looks quite clear bug disclosures are becoming a weapon."

      Let's hope so!

      1. LDS Silver badge

        Re: Google is as much nice with Microsoft...

        Hope you don't get into the cross fire...

    5. Ken Hagan Gold badge

      Re: Google is as much nice with Microsoft...

      "Even if the bug is being exploited, would really help to disclose it fully?"

      Probably not, but as far as I can see no such disclosure has been made. (Apropos the description in the article, being able to set the ID of a window is something that any normal program can do. It isn't a privilege escalation. Presumably in this case there is some side effect of making the call that *is* a privilege escalation, but we aren't being told what that is.)

      Knowing that there is something in this area *might* be useful, except that there are only a few hundred entry points in win32k.sys and these have been the targets of every tool in the black hat toolbox for about twenty years now.

  3. Will Godfrey Silver badge
    Meh

    No Angels Here

    I've no love for Google, but Microsoft have a reputation for taking their own sweet time over bugfixes.

    1. N2

      Re: No Angels Here

      Whilst Apple take even longer or hope it goes away!

      1. Steve Knox

        Re: No Angels Here

        Apple software has no bugs; you must be using it wrong.

    2. Anonymous Coward
      Anonymous Coward

      Re: No Angels Here

      Sometimes it could be laziness, sometimes fixing a kernel bug can require a lot of care because if it requires some behaviour change, its side effects could be hard to predict and create problems to many applications. Apple took eight months to fix its task switching bug. And Sierra itself caused problems to not so few applications.

  4. a_yank_lurker

    Slurp is having a bad week?

    First atom tables and now an active, unrelated exploit of 'bloat. It's been too quiet on the bug front for Slurp recently. Waiting for the next nasty to come out.

    As far as Slurp being able to patch a bug, they will screw it up at least a couple times before getting it sort of right.

  5. Anonymous Coward
    Anonymous Coward

    I still haven't got my windows 7 system to download the last 12 patches yet.... fortunately I don't use it for much these days. Linux is a heck of a lot easier to update, and a lot clearer about what's getting fixed. I have no idea what windows 10 is doing with its patches or what's in them. Half the time it seems to get stuck on part of the mega patch and then fails. Then I have to reboot and start the mega download all over again. That's when there is a patch of course....

  6. Anonymous Coward
    Anonymous Coward

    Doesn't seem like any real value to disclosing it

    "the reason for going public is simple: they've seen exploits for the bug in the wild so something has to be done now, like right now."

  7. Dinsdale247

    Did We Mention Chrome is Unaffected?

    I'm shocked, *shocked* that a company like Google would throw a zero day hand grenade and have a patch for their browser ready. It must have been for the good of the people because Big Brother... I mean Google, is always working in the interest of the people.

    1. Anonymous Coward
      Anonymous Coward

      Re: Did We Mention Chrome is Unaffected?

      Disagree. Google patched it (side question - how does Google always seem to know more about Windows than Microsoft?). They let Adobe and Microsoft know we have a major issue. Adobe said "Shit, thanks for the heads up" and fixed it days before any public announcement. Microsoft sat on their hands and did nothing for 10 days, three days past the Google security standard for their Chrome devs, then released the info to their Chrome developers... looking out for their devs. Microsoft still doesn't have a plan and blames Google for publicly pointing out yet another Windows 10 issue. Microsoft could prevent Google from releasing critical security issues in Windows 10 if they stopped having critical security issues in Windows 10.

      1. bazza Silver badge

        Re: Did We Mention Chrome is Unaffected?

        Disagree. Google patched it (side question - how does Google always seem to know more about Windows than Microsoft?). They let Adobe and Microsoft know we have a major issue. Adobe said "Shit, thanks for the heads up" and fixed it days before any public announcement. Microsoft sat on their hands and did nothing for 10 days, three days past the Google security standard for their Chrome devs, then released the info to their Chrome developers...

        Get real. All Adobe and Google have done is block use of that system call in their sand boxes. They've not fixed anything, they're simply ensuring that it can't be exploited through Flash or Chrome.

        Once you have a sandbox, that's a far easier job than actually fixing the bug in the OS itself. For comparison look how long it took Apple to fix their latest (stupid, self inflicted) OS kernel flaw - months. There's probably good reasons why MS cannot fix the bug quickly.

        Personally speaking I don't see that Google or Adobe had any real choice. If the bug is being exploited then we have a real problem and they're in a strong position to mitigate against it, fast. But in doing so they're inevitably advertising the existence of the bug. So they may as well just come out with it and give the rest of us a heads up.

        In the round it's probably better to mitigate for this flaw in browsers ASAP because that'd always be the primary exploitation route. Gives the rest of us a problem though.

      2. Anonymous Coward
        Anonymous Coward

        Re: Did We Mention Chrome is Unaffected?

        "Microsoft sat on their hands and did nothing for 10 days"

        Of course they did. Any other possibility would simply be preposterous.

  8. MotionCompensation

    At last: a valid reason to upgrade to Windows 10

    "Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

    I may have to upgrade after all. Not looking forward to it.

  9. Howard Hanek
    Childcatcher

    Mascot

    I see El Reg used Microsoft's bug fix team's mascot for the graphic. Good work. Their favorite dish, served often I'm sure, is Escargot served with room temperature Mountain Dew.

  10. Anonymous Coward
    Anonymous Coward

    "A local privilege escalation in the Windows kernel that can be used as a security sandbox escape."

    Anyone familar with Microsoft KB's (a very long list for Win7) will understand how often this type of sandbox escape exploit comes up in the Windows 7 Patch List. It's a common (re)occurrence, along with exploits related to Fonts, Graphics Engine, Remote Desktop Control. Hacker's aren't being clever here, they are just sniffing around the existing exploit areas to find even more.

    Chrome has so many legitimate ways of lifting user's data (for Google), who needs exploits? that seems to get forgotten here.

  11. Zippy's Sausage Factory
    Windows

    There are bugs in Word 2016 that have been around since version 2.0c.

    So... good luck with that.

  12. David Nash Silver badge

    What's in it for Google?

    Is it just the PR, an attempt to "get one over" on MS?

  13. Anonymous Coward
    Anonymous Coward

    Not sure I'm onboard with tech companies flinging poo over security like this. It will be patched we all know this...this really isnt much of a story at all. Any patch will under go further testing or wait for the next enterprise patch schedule. Don't be surprised if MS waits another week or two...most of us would rather have a quality patch over a rush job.

  14. Mark 85 Silver badge

    And so it begins.....

    There's seems to be an escalation on Google's part to smack MS hard. Are these the opening shots in an OS war that's coming? I'm seeing some things that resemble the early on browser wars with Chrome and Edge, so maybe Google is getting ready to take on MS.

  15. Happy Ranter
    Mushroom

    people in glass houses....

    I love how Google are shit hot at telling the world about other companies flaws and use the same such high standards in keeping their Android app store in order... oh wait

    Never mind...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon