Windows kernel vulnerability disclosed by Google's Project Zero after bug exploited in the wild by hackers

Google's Project Zero bug-hunting team has disclosed a Windows kernel flaw that's being actively exploited by miscreants to gain control of computers. The web giant's bug report was privately disclosed to Microsoft on October 22, and publicly revealed just seven days later, after it detected persons unknown exploiting the …

  1. Maelstorm Bronze badge
    Flame

    Really?

    Really Google? This is the second time that you guys pulled this: Disclosing a zero-day with no patch available. However, I think we can mitigate it by removing the driver in question. However, I don't know what that will break. My question is how do they know it's being exploited in the wild if it's a local exploit? Did they see malware using it to gain kernel level access? Or is Google pissed off because they are now under the Sherman Act microscope? Convenient excuse.

    1. Blackjack Silver badge

      Re: Really?

      It's a cryptography driver, so... what does use cryptography by default in Windows 7 and newer?

      1. bombastic bob Silver badge
        Unhappy

        Re: Really?

        what does use cryptography by default

        probably anything involving crypto API, from web browsers and e-mail to domain logins and file sharing. But that's just a guess on my part.

        Fair bet I won't get a patch for Windows 7 either. I'd like something I could manually install, please, rather than getting mandatory updates enabled via "windows update".

        1. JCitizen
          WTF?

          Re: Really?

          How are you going to get manual updates for Win7 now that it is out of bounds on support? Just get 0patch, and be happy. So far nothing has compromised my Windows machine using Win7 Ultimate x64, and I don't have to do anything manual, and the micro patches don't foul up the system like MS did! My PC has never performed better, BTW.

    2. Anonymous Coward
      Facepalm

      Re: Really?

      Yeah, it amazes me they still can’t understand the distinction between a few people possibly knowing about an exploit and everyone definitely knowing about it.

      The only people they are helping by publicly releasing this information are hackers who didn’t know about the exploit. Idiots.

      1. Mike 137 Silver badge

        Re: Really?

        The other people it might be seen as helping are those who own the disclosing company, that's in competition with the company that created the bug.

      2. Anonymous Coward
        Anonymous Coward

        Re: Really?

        "Yeah, it amazes me they still can’t understand the distinction between a few people possibly knowing about an exploit and everyone definitely knowing about it."

        And some people fail to grasp that the larger security community can take actions to mitigate an active exploit prior to Microsoft releasing a patch.

        Pretending something doesn't exist won't improve your security. Acknowledging it exists and having mitigations from firewalls/IDS/IPS/AV/malware products is likely to be sufficient for users of those products while we wait for Microsoft to release an actual patch.

        And if your security stack doesn't include something that addresses the issue, you can always use an air gap....

      3. RyokuMas
        Coat

        Re: Really?

        "The only people they are helping by publicly releasing this information are hackers who didn’t know about the exploit."

        Not true - they're also helping themselves by trying to damage a potential competitor's reputation (not that Microsoft traditionally needed any help with that, but still...)

        1. big_D Silver badge

          Re: Really?

          On many occasions this has been true. But in this explicit case, they are helping affected users, by informing them that hackers are already exploiting this bug, even though there is no patch.

          If they had just announced this "for the hell of it," I'd be with you. But in this case they have good reasons to announce it. I'd have preferred a joint statement with Microsoft, but you can't have everything.

      4. big_D Silver badge

        Re: Really?

        The hackers already knew about it (and are using it), hence the reason why Google announced this, to warn users.

        They should have co-ordinated a statement together with Microsoft, but regardless of whether there is a patch, this is already being exploited and users should be informed. I do not agree with Google jumping the gun, when it comes to releasing information about exploits, before the software producer can patch it, but in this case, it is fully justified.

    3. iron Silver badge

      Re: Really?

      Google Project Zero being dicks yet again. I really dislike their repeated lack of responsible disclosure.

      1. Steve Davies 3 Silver badge

        Re: Google Project Zero being dicks yet again

        Nah... that's Google being Google. Dipsticks through and through.

        1. Anonymous Coward
          Anonymous Coward

          Re: Google Project Zero being dicks yet again

          @"Nah... that's Google being Google": personally I would say this is Microsoft being Microsoft, since they are the ones that have a long history of failure when it comes to secure coding.

    4. Anonymous Coward
      Anonymous Coward

      Re: Really?

      30 days wait is standard for a general vulnerability. 7 days is standard for a serious vulnerability.

      The chances are that Google have a licence for access to the Windows source code, and probably even gave Microsoft a patch. It's Microsoft who aren't taking it seriously.

      1. felixk

        Re: Really?

        > The chances are that Google have a licence for access

        > to the Windows source code, and probably even gave

        > Microsoft a patch. It's Microsoft who aren't taking it seriously.

        Have you ever shipped a large software product? One that runs on every weird configuration you can imagine, and then a few millions more? Seven days is not even enough to run the patch against the BVTs for all in-servicing builds, never mind the full test set or, G–d forbid, the appcompat test suites.

        "But it's just a small patch to a single function in a single driver!" I hear you say. That is usually what goes wrong when Windows Update renders a hundred million devices unbootable.

        No, AC, Google Zero is a collection of unwashed, smelly dicks. Competent they may be, but their behaviour reminds me of Red China ("Do not trust China. China is asshole.").

        1. Anonymous Coward
          Anonymous Coward

          Re: Really?

          Yes I have, and customers expect a 7-day turnaround on high severity security issues.

        2. Anonymous Coward
          Anonymous Coward

          @felixk & "Have you ever shipped a large software product"

          @Have you ever shipped a large software product? One that runs on every weird configuration you can imagine, and then a few millions more?

          Like Linux, you mean? An OS that is able to run on widely different hardware and with far fewer security holes than Windows, which merely runs on machines designed to run Windows. Yes, there are limited versions of Windows that run on other CPUs, but they are not the full version.

          The premise that after going on 40 years of Windows they should again be forgiven for yet another failure to defend their customers is wearing very thin for anyone not getting paid to support the lie.

      2. big_D Silver badge

        Re: Really?

        Standard practice goes out the window here, the bug is being actively exploited. I'd much rather know what to look out for than be kept in the dark until my machine is hacked.

        The normal wait is 90 days, not 30. But that only counts if hackers aren't actually exploiting it already.

    5. a_yank_lurker

      Re: Really?

      To me it's more pot meet kettle when these get into a match. Both are being dicks for different reasons. Chocolate Factory wants to make the Rejects from Redmond look bad and the Rejects want to downplay the seriousness of the issue.

    6. asdfasdfasdfasdf

      Re: Really?

      "My question is how do they know it's being exploited in the wild if it's a local exploit? "

      What Google do is run honeypot clients that go around the Internet to see what happens. Presumably they hit a website that broke through a Chrome (or whatever) zero day, and then ran code that used this vulnerability escalating to Local Admin.

      Any one security vulnerability is fairly limited, but most attackers are smart enough to chain several together.

    7. Anonymous Coward
      Anonymous Coward

      Re: Really?

      This is Windows we are talking about; anyone who believes that Windows is secure is either being paid to have this opinion or is so new to computing that they missed all the evidence that supports the premise that Windows is by default badly coded and full of holes.

      Bitching that a bughunter has released details of a bug doesn't mean that they created the bug, only that now everyone with a clue knows, good and bad. Those that have a clue can attempt to mitigate or rebuild the affected kit once a fix becomes available; those that wish to exploit it have a limited time to code their attack and use it before the bug is patched.

      It is always better to know how crap Windows is so you can avoid believing it is trustworthy. Those that posted their support of pretending Windows is secure are clearly either ostriches or shills, and neither are worth listening to or paying for their opinions.

      The truth is always better than a lie; those that say different are in on the scam.

    8. big_D Silver badge

      Re: Really?

      In the circumstances, I am relatively happy that they have publicly reported this.

      They reported it to Microsoft privately, but this is being actively exploited, so people should know about it.

      I'd rather see them do a co-ordinated statement together with Microsoft, but regardless of whether a fix is available or not, people need to know they are vulnerable.

  2. cb7

    IOCTL is an abbreviation of input/output control apparently.

    Had to look that one up, so thought I'd post it here just in case I'm not the only one.

    1. mark l 2 Silver badge

      IT people do love our acronyms. I would say the medical profession is probably the worst for it though. Listening to them speak sometimes can sound like a foreign language. Although I guess when you are dealing with life and death situations having an acronym rather than a long winded phrase could save vital seconds. Not so much when someone's USB SSD is failed to be recognised by the OS.

      1. Pier Reviewer

        “... I would say the medical profession is probably the worst for it though.”

        Telco. You can have a 90 minute meeting where around a dozen actual words are spoken - the rest is just letters :/ It’s horrendous.

      2. Flocke Kroes Silver badge

        People Can't Memorise Computer Industry Acronyms

        There are other reasons for acronyms. Apparently writing "Raving Loony" in someone's medical records can get a doctor into trouble but CAAC (crazy as a coot) is fine. For some reason the internet does not appear to have the correct definition of CGSM.

        Does anyone know an objective test to measure craziness that works on humans and coots?

        Who is Round and to what does he object?

        1. David 132 Silver badge

          Re: People Can't Memorise Computer Industry Acronyms

          Apparently writing "Raving Loony" in someone's medical records can get a doctor into trouble but CAAC (crazy as a coot) is fine.

          The two medical acronyms I’ll always remember are NFN (“Normal, For Norfolk”) and PAFO (“Pissed And Fell Over”).

          1. Robert Carnegie Silver badge

            Re: People Can't Memorise Computer Industry Acronyms

            As Phil Hammond (Dr Death in Private Eye) has said from time to time, these clever little acronyms still are embarrassing to have in your notes when the judge asks you to spell them out.

          2. Man inna barrel

            Re: People Can't Memorise Computer Industry Acronyms

            I believe PAFO (Pissed And Fell Over) refers to a genuine medical condition, rather than just being drunk. When you pee, it tends to lower your blood pressure, so you can faint, and fall over. It is officially called something like post-micturition hypotension, but I am not a doctor, so what would I know. I got hypotension episodes after an operation, so I had to be dead careful about getting out of bed to go for a pee.

      3. eldakka

        The advantage of acronyms is more to do with written communication than spoken.

        Take your example of the medical profession, GSW vs Gun Shot Wound. They take the same amount of time to say. Speaking the letters G, S and W has the same number of syllables as saying the phrase Gun Shot Wound. However, when writing it it is much quicker to write/type 3 letters than the 12 letters of the phrase in full.

        Take your other example, "USB SSD is failed to be recognised by the OS". Typing out the full phrase without using acronyms would be: "Universal Serial Bus Solid State Drive is failed to be recognised by the Operating System." That's a full 45 characters - twice as long - as the version using the acronyms.

        1. John Brown (no body) Silver badge

          While I agree with you, shouting out GSW in a TV show, as is their wont to sound cool, takes LONGER than shouting out Gun Shot Wound. Wound is one syllable while "double-you" is three! (Or two if you live in an area that says "Dubya") :-)

      4. hoola Silver badge

        No, science, particularly anything to do with satellites. The names concocted for some of the instruments are mind boggling.....

        New Horizons for instance:

        Alice, Lorri, Pepssi, Ralph, Rex, Student and Swap.

    2. Anonymous Coward
      Anonymous Coward

      This is a tech site, so hopefully most people will know what an IOCTL is.

      1. Anonymous Coward
        Anonymous Coward

        "This is a tech site, so hopefully most people will know what an IOCTL is."

        *NEWS FLASH*

        Not everyone that visits this fine site works in IT.

        I only frequent this site to desperately try and understand it all to better protect my family, friends and myself....

        From the likes of Google and Microsoft

        1. Dwarf

          @Anonymous coward

          Perhaps a little research on what IOCTLs are and what they can do (IOCTL man page) would help you in that quest, or alternately, consult with someone that has that experience to help you.

          The tone of your posting ("desperately try and understand") implies that you are expecting us to dumb things down for you, but that would make the information less useful to those that do need to know the detail and how it could affect the companies they are paid to support.

          It's no different to, say, trying to learn how to build a house vs being a builder by profession.

        2. Anonymous Coward
          Anonymous Coward

          "I only frequent this site to desperately try and understand it all to better protect my family, friends and myself...."

          The harsh reality is that this item probably isn't aimed at you (or many of the MS vs Google fanbois who have already commented - I'm just surprised we haven't had a flood of commentators mentioning this as an NSA backdoor) - it's the way of the world sometimes.

          In terms of understanding how to protect friends and family, the best you can do is the standard advice (patch and ensure you have up-to-date AV/security software from a reputable source, ideally an adblocker on all your browsers, make sure their e-mail service is sending the majority of spam to the spam folder and try to stay away from known dodgy applications for file sharing) - there isn't much more an end user can do for this issue other than hope other companies can mitigate and contain it. In time, MS will release a patch.

          1. Uffish

            Shock news “El Reg is available on the web”

            Anyone can read it and benefit from it. Many do. Many of those know what IOCTL does, some don’t - so what.

            I mainly come here for the sarcasm - and the info.

      2. Anonymous Coward
        Anonymous Coward

        @"This is a tech site, so hopefully most people will know what an IOCTL is."

        You assume that those affected by this bug are of a similar calibre to those of your youth; given the way that MS has treated their experts, I doubt this strongly.

        Now those supporting MS products have bought into all the BS and come here in the hope of someone explaining to them what they should already know if they wish to be recognised as experts themselves.

        Personally I am of the opinion that they should do what they are being paid for and learn the subject they are claiming to be expert in.

  3. Anonymous Coward
    Anonymous Coward

    "the Windows giant suggested exploitation would be difficult because an attacker would first need to compromise a host machine and then exploit another vulnerability of the local system"

    That's like putting an unlocked safe in a locked room.

  4. Anonymous Coward
    Anonymous Coward

    Snappy comeback from Microsoft

    Not at all tongue-in-cheek:

    ".. an attacker would first need to compromise a host machine and then exploit another vulnerability of the local system. Microsoft says the only known remote-based attack chain for this vulnerability has been dealt with, a hole in Chromium-based browsers .."

    Remind me, who is behind Chromium?

    Oh, that's right. Google.

    1. cbars Silver badge

      Re: Snappy comeback from Microsoft

      And what does Edge now use?

      It's turtles all the way down, man.

    2. Anonymous Coward
      Anonymous Coward

      Re: Snappy comeback from Microsoft

      ".. a hole in Chromium-based browsers which we now ship as default so I guess we should really acknowledge this issue rather than pretending it is just Google being dicks .."

      FTFY

      1. Anonymous Coward
        Anonymous Coward

        Re: Snappy comeback from Microsoft

        It is not a security hole limited to Chromium, merely that Chromium, like every other web browser, is a good infection vector into remote machines. Google have their own patch cycle, and bitching that this time it makes MS look unwilling to fix their crap doesn't mean that Google were the ones that fked up on their OS design and implementation.

  5. YetAnotherJoeBlow

    Google

    I have never publicly released a POC to anyone other than to those who can act on it to patch. If it is severe enough, maybe a mention of the driver involved or other actionable info so one can mitigate the bug.

    Google has always acted like a bunch of high school jerks. All that matters to those guys is street cred. At best they are irresponsible and at worst complicit. They will have their day in the sun.

    A POC is not necessary to advise the public as many in IT will not understand it or would not be able to develop a patch for it as Windows is closed source. What the public needs are mitigations. Releasing a POC without mitigations makes Google complicit IMHO.

    1. Anonymous Coward
      Anonymous Coward

      Re: Google

      @"A POC is not necessary to advise the public as many in IT will not understand it or would not be able to develop a patch for it as Windows is closed source"

      So you are saying that MS, who have sole control over mitigations and patches, should be allowed to dictate disclosure?

      How long has this exploit been in existence? When did MS become aware, and how long before they release a working patch?

      As you say, the onus is on MS to fix this, but without full disclosure of when they knew, who can say that Google jumped the gun?

      How about instead of defending the back covering you realise that it is better to know the truth than act on lies. If you lie knowing the truth then you are just as much to blame as those that failed to secure their OS in the first place.

  6. cdrcat

    Google bashing, now smearing...

    The tone on multiple technical websites has really started to go up a notch whenever it is something related to Google. In this case a lot of comments are shooting the messenger.

    The Google Zero team are not cowboy dicks: they follow a fair process and have thought about the issues more than most, and are trying to be responsible.

    Think about what happens in an alternative world where Google keep these vulnerabilities hidden or just informs the vendor, instead of publishing them... Nobody likes the outcomes of vulnerabilities, but they are simply a result of Microsoft’s historical attitude towards security.

    These security faults are often ancient, and the rate of discovery is not decreasing, so expect more of the same in the coming years.

    1. RyokuMas
      FAIL

      Re: Google bashing, now smearing...

      "The Google Zero team are not cowboy dicks: they follow a fair process and have thought about the issues more than most, and are trying to be responsible."

      Oh, so this vulnerability is as critical as, say, the MD5 collision attack?

      Let's take off the (junked) Google Glasses here - Google are known for sour grapes behaviour and releasing details of bugs in competitor products even when they know that a fix is being tested. Project Zero is just another part of Google's attempt to appoint themselves the police of the internet, using the key of "responsible disclosure" in the hope that this legitimises their posture and makes them look like the good guys.

      Standard Google tactics: attack someone else from behind a wall of perceived altruism.

      1. Anonymous Coward
        Anonymous Coward

        Re: Google bashing, now smearing...

        @"Standard Google tactics: attack someone else from behind a wall of perceived altruism."

        You could say the same for MS. What I see here has become a competition of who is worse, when both MS and Google have been dirty in the past, rather than recognition that this is a problem that will not go away on its own. Now everyone is aware of it, those who are paid to fix these issues need to get off their arses and do their jobs rather than trying to say it is someone else's fault.

        This is an MS bug that is already being exploited. MS and those paid for their MS knowledge clearly want to keep the secret to avoid their employers realising that choosing MS for a business means that you are always under attack, and reliant upon a company that puts their needs before their customers' is not a sound investment.

        The last since, as you can see here, MS and their "experts" prefer to blame their failures upon anyone but themselves.

        P.S.

        Given that MS products are not free (like Linux) and require employing an unreasonable amount of paid support agents (unlike Linux), then it would be nice if those that took your cash actually put your needs first rather than the leaders of their cult. Instead of protecting your interests they waste their time saying it isn't their fault when clearly it is.

        1. RyokuMas
          FAIL

          Re: Google bashing, now smearing...

          "You could say the same for MS..."

          ... and I have, when I believe they've deserved it. In fact, I made the same point about the race to the bottom some time ago, around the time Microsoft unveiled the telemetry in Win10, if memory serves.

          The point here is - and I quote the article: "... a Microsoft spokesperson said the company is working on a fix... " So before Google blew the whistle on this, Microsoft were aware of the issue - and probably that it was being actively exploited - and were working on a patch in order to limit the damage.

          And then - like the Daily Mail and the leaked information on UK Lockdown V2.0 this weekend gone - Google decide to go public. And - here's the important thing - with only a seven day disclosure period. Why is this important? Because had they waited the standard 90-day period, the fix would have gone out on November 10th. So instead of playing by their own rules, Google chose to rank this issue on a par with the MD5 collision attack I brought up in my previous post - so either Google perceive that this issue is as important as a vulnerability in SSL certificates or, more likely I believe, they saw that the window of opportunity to attack was closing.

          In many ways, this situation reflects your own post: as I have already mentioned, the article states that Microsoft were working on a fix for this before Google blew the whistle. Similarly, I have just re-read the article and I cannot find any mention of this blame you bring up, much less Microsoft blaming others. What I do see from your postscript though is your extolling of Linux at the expense of Microsoft; similarly, your second paragraph reads pretty much as if there was some conspiracy within Microsoft and their associates to hush up the existence of this bug. And - quite frankly - your implication of businesses being constantly under attack due to choosing Microsoft's tooling is nothing short of absurd: yes, Microsoft may have more vulnerabilities, but if someone truly wants to attack a particular business, they would. By the same token, as Microsoft's software is still dominant on the office desktop, it is the biggest target, just as Android is the biggest target for phones.

          So, just like Google choosing to ignore their own responsible disclosure timings, you - as an obvious supporter of Linux - have taken this as an opportunity to attack Microsoft... unless, of course, you can provide proof that Microsoft indeed have blamed someone else and/or were trying to cover this up.

          Or would you rather they rushed out an untested fix (in the same manner as I linked in my post when Google made a similar disclosure previously)? As I myself would prefer they did not, as rushed fixes tend to cause more bugs than they correct... but then that would probably suit you down to the ground: more bugs to say that Microsoft were conspiring to cover up - right?
