Google unveils Windows 8.1 zero-day vuln – complete with exploit code

Google has made public the details of a security vulnerability in Windows 8.1 a mere 90 days after disclosing it to Microsoft, sparking debate over the wisdom of the online giant's Project Zero security initiative. The bug, which was privately reported to Microsoft in September, can potentially allow a logged-in user to …

  1. Anonymous Coward
    Anonymous Coward

    Good on them for sticking to it! 90 days was more than enough time to release a patch, or even request an extension. Perhaps they'll be quicker next time.

    It makes you wonder how slow MS have been in the less publicised vulnerability reports...

    The actual bug itself is quite pathetic, though. There's many other ways for elevation in Windows that have yet to be addressed

    1. I. Aproveofitspendingonspecificprojects

      90 days was more than 89 days more than enough

      > We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.

      Anyone using Windows and not having the option to use a Live CD or something sensible has to wait 90 days with a company dispensing this sort of advice. I am presuming the largest softwarez company in the world is still not into making antiviruses a part of the process.

      Please excuse me if I am wrong.

      Please execute somebody if I am right.

      Nice advice about the firewall though.

      Very good.

      Edit...

      Oh wait...

      Isn't "not having the firewall switched on" the same thing as not needing one after you have used the internet for a moment?

      It should be pretty nearly immune to everyone but the new user by then?

      1. Crazy Operations Guy

        Re: "still not into making antiviruses a part of the process."

        Ummm, they've been including AV as part of the install for a few years now. On Win 7 it would install an AV package if you didn't have one installed for a while and starting in Win 8 there is one installed by default that disables itself when you install a different one.

        1. I. Aproveofitspendingonspecificprojects

          Re: "still not into making antiviruses a part of the process."

          OK thanks for the new info.

          I do have a Windows partition on this laptop. I used it a couple of times to access the Smithsonian archives but once I had the list of eruptions I didn't need it. If I ever do need such a thing again I shall be sure to give up the Internet.

          I should have known they would have come up with something as they had already resolved the lack of Optical Drive drives by 1998, IIRC.

          Or was it 2001?

          Sadly I shall never know.

    2. Anonymous Coward
      Anonymous Coward

      Though when you think about it, how pathetic is Microsoft, they have launched some of the most insecure buggy software in the past couple of decades and yet they lumber on because they don't really care. It does not affect them. It is only now that it has been of a concern as people start looking towards Chrome OS for their basic needs, let's face it Chrome OS fills most of the needs for the average old granny wanting to view facebook or buy their collectibles from websites or watch kittens on youtube.

      Even after this it will have little or no effect because the 'consumer' will continue to buy cruddy bug ridden Windows devices because it's all they know and cannot deviate from what they used at their place of work who only used it because it was the only platform available to them.

      Microsoft don't give a crap about the consumer or the businesses, they operate in a SNAFU situation all the time.

      1. This post has been deleted by its author

    3. JeffyPoooh
      Pint

      Policy Update recommendation

      The Christmas and New Years holidays have taken about two weeks out of many work schedules. How about the policy shift from "90 days" to something like "65 Business Days" or similar? Or even "90 Business Days" if they need more time.

      1. Eddy Ito

        Re: Policy Update recommendation

        Don't forget that those 90 days also include the great turkey eating challenge, a.k.a. turkey-day or Thanksgiving. That also kills half a week to a week easily as folks tend to travel far and wide at that time. Besides, most folks who aren't burning vacation days and go into the office operate on cruise control between turkey-day and new year.

      2. Tom 13

        Re: Policy Update recommendation

        During that 90 days, MS had 3 patch updates.

        No, 90 days is sufficient time. At the very least, MS ought to have an announced mitigation in place if the underlying issue is too complex to address in 90 days. In fact, I'd be inclined to argue that the mitigation needs to be announced within 30 days with a project plan in place to address the actual bug. In the case of well established reporting agencies, that project plan probably ought to be shared with the reporting agency so they have some level of assurance the bug IS being addressed.

    4. Anonymous Coward
      Anonymous Coward

      "Good on them for sticking to it! 90 days was more than enough time to release a patch, or even request an extension. Perhaps they'll be quicker next time."

      Presumably Microsoft can return the favour in the future against Google products like Android and Chrome that have both had vast number of security holes to date. Many Android devices have yet to receive security fixes for issues known years ago...

      1. h4rm0ny

        >>"Presumably Microsoft can return the favour in the future against Google products like Android and Chrome that have both had vast number of security holes to date. Many Android devices have yet to receive security fixes for issues known years ago..."

        This is true, but Google are not responsible (nor able) to patch most of those phones. It's in the hands of OEMs.

    5. Anonymous Coward
      Anonymous Coward

      "There's many other ways for elevation in Windows that have yet to be addressed"

      Such as?

      The Windows security model is actually pretty good - for instance significantly superior to *NIX where you have to use kludges like SUDO that have to run as root. Windows supports proper constrained delegation and advanced security features not possible in most versions of *NIX like Dynamic Access Control (expression based ACLs).

      "how pathetic is Microsoft, they have launched some of the most insecure buggy software in the past couple of decades and yet they lumber on because they don't really care"

      You must have missed Flash, Acrobat, Java, Android, Chrome, etc. all of which have far worse security vulnerability counts than the roughly equivalent Microsoft products. Microsoft in the last decade or so actually have a much better security vulnerability record than most competing options in pretty much every area.

      1. SolidSquid

        Er, not sure when you last used *NIX systems, but there's the options of group permissions so that users in the correct group have full access to features and those who aren't are restricted, as well as the usual kind of password prompt for things which require admin access. It might potentially take a bit more work setting up some things, but for most things you'd be doing with it the system works pretty well

        1. Anonymous Coward
          Anonymous Coward

          "but there's the options of group permissions so that users in the correct group have full access to features and those who aren't are restricted, as well as the usual kind of password prompt for things which require admin access"

          Which is not constrained delegation. If you want to do something that requires elevated access on *NIX you have to run SUDO - which executes as UID 0 = root. On Windows you can directly assign just the rights needed and elevate only those without running a root level user process to get there.

          Windows has a much more powerful, flexible and secure security (and auditing / logging) model than standard *NIX options without any doubt. The issue often questioned with Microsoft is the quality of the underlying code.

          1. Eddy Ito

            If you want to do something that requires elevated access on *NIX you have to run SUDO - which executes as UID 0 = root.

            Actually you can specify the UID by using the -u option on the command line, so while the default may be root, it doesn't have to execute as root. There are also a whole host of other options you can set in sudoers including limiting who can run which commands and the GID/UID those commands use to execute. It seems that "you can directly assign just the rights needed and elevate only those without running a root level user process to get there" in *NIX as well.
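The sudoers mechanism described in the exchange above (per-user/group command lists plus a Runas_Spec that sets the target UID/GID), shown as an added configuration example that is not part of the thread. The group name, service and log path are constructed for illustration; the target command runs as the named user rather than as root, though the sudo binary itself is still setuid root.

```sudoers
# Constructed example (not from the thread): a sudoers fragment that lets members
# of the "webops" group restart one service and read one log. The restart runs as
# root; the log read runs as the unprivileged "www-data" user, so no UID 0 process
# is involved for that command. Assumes the group, unit and path exist on the host.

# Aliases keep the policy short, readable and easy to audit
Cmnd_Alias WEB_RESTART = /bin/systemctl restart nginx.service
Cmnd_Alias WEB_LOGS    = /usr/bin/tail -n 200 /var/log/nginx/error.log

# Record every invocation (and, with log_input/log_output, the session I/O)
# so that use of the delegated rights can be reviewed later
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output

# Runas_Spec in parentheses is the user the command executes as.
# Only the listed commands are permitted; anything else is denied and logged.
%webops ALL = (root) NOPASSWD: WEB_RESTART
%webops ALL = (www-data) WEB_LOGS
```

A member of webops would invoke the second rule as `sudo -u www-data tail -n 200 /var/log/nginx/error.log`; `visudo -c` checks the file for syntax errors before it is installed.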

      2. Michael Wojcik Silver badge

        "There's many other ways for elevation in Windows that have yet to be addressed"

        Such as?

        Try reading BUGTRAQ. Stefan Kanthak's "Defense in Depth" series of exploitable Windows OS and Microsoft application security bugs is now up to part 26. For elevation, all that's required is someone running one of those applications as administrator (without a UAC split token, or with UAC disabled, or clicking through the prompt without paying attention). And that's just one example (or twenty-six examples).

        The Windows security model is actually pretty good

        Yes, it's pretty good. Pity Microsoft have done such a lousy job with the tooling, but it's usable.

        The problem isn't the Windows security model. It's failures to use it correctly that are the problem. Like not checking for impersonation abuse, say. Or not making sensible use of filesystem and object ACLs. Or using a brain-damaged default search path for LoadLibrary. And far too much of Microsoft's own software can't be bothered to use the fine-grained privilege model properly, and simply divides the world between ordinary users and administrators.

        The SDL is pretty good, too, but it's clearly a Sisyphean task, because too many of Microsoft's own application development teams still can't get simple stuff like quoting file paths in Registry values right.

        1. Anonymous Coward
          Anonymous Coward

          "Try reading BUGTRAQ. Stefan Kanthak's "Defense in Depth" series of exploitable Windows OS and Microsoft application security bugs is now up to part 26. For elevation, all that's required is someone running one of those applications as administrator"

          Administrator is already elevated. This is just the same as if you run a hostile script as root under *NIX. This is generally not an exploit.

          "Pity Microsoft have done such a lousy job with the tooling, but it's usable."

          You obviously are not familiar with PowerShell. Like advanced *NIX shells such as PASH but much more powerful.

          "The problem isn't the Windows security model. It's failures to use it correctly that are the problem."

          So bugs and vulnerabilities then. Which for Microsoft Windows actually comes out much lower on counts every year for the last decade than say RedHat Linux, SUSE Linux, or Mac OS-X. Even when you feature match the Linux Distributions.

      3. bill 27
        Pint

        "where you have to use kludges like SUDO"

        Huh? I'm running Linux, worked with UNIX, and have never used sudo. Sure it's there, but when I need root access I run as root. Do whatever is needed, logoff and log back in as myself.

        "Flash, Acrobat, Java"

        Didn't realize they were *NIX only packages. Next you'll be telling me I need to modify the kernel code and roll my own every time.

        1. Anonymous Coward
          Anonymous Coward

          "Sure it's there, but when I need root access I run as root. Do whatever is needed, logoff and log back in as myself."

          Which is even less secure than using SUDO as you don't drop any unneeded privileges after logging in. As I'm sure most *NIX users will tell you, actually logging in as root is not best practice. Hence the existence of SU / SUDO.

  2. agricola
    Boffin

    The REAL advice coming later from Microsoft...

    "Have you tried switching your computer off, then on again?"

  3. Crazy Operations Guy

    Good on them for releasing information about the vulnerability

    But they undid their goodwill with me by releasing proof-of-concept code... They should do something like reveal the vulnerability after 90 days, and then slowly release more information about the vulnerability every few days afterward.

    In this case, just publicly reveal that "NtApphelpCacheControl()" has a bug, then after 15 days release that it doesn't properly check permissions, then 15 days after that release info about the security tokens, and so on. Going from keeping it private to instantly telling the world+dog how to do it seems very irresponsible. At the very least they could have sent something to Security Software vendors so they can write code to detect malware using this vulnerability.

    1. Anonymous Coward
      Anonymous Coward

      Re: Good on them for releasing information about the vulnerability

      Well, why ever publicly release the proof of concept code before a patch is available? It doesn't help anyone else fix or avoid the vulnerability.

      However it does help hackers develop attacks against vulnerable systems between now and whenever MS get round to releasing a patch. That's doing no one any favours at all. Thanks a bunch Google. And don't buy the argument that hackers could have been exploiting it anyway. The difference is that now every single hacker in the world can and will develop an attack, whereas before it would certainly have been more limited or probably not exploited at all (given its obscurity).

      How would Google like it if someone released proof of concept code for an exploitable vulnerability in Android? Google can do almost nothing to ensure that patches actually get to most handsets regardless of how quickly they write it. Oh yeah, they don't really care about that.

      They're deliberately using an aggressive disclosure policy to harm their competitors' businesses. Google, having created an Android ecosystem where nobody cares about security at all (or at least cannot get patches easily even if they did care) would presumably simply shrug their shoulders if anyone did the same to them. Not very endearing, really. Do No Evil?

      1. Anonymous Coward
        Anonymous Coward

        "Aggressive disclosure policy"

        90 days is reasonable, assuming they would be willing to delay disclosure if Microsoft said "we're working on it, but the fix is complicated and we need more time to test it, etc."

        If they wanted to harm competitor's businesses, they'd sell the 0 days on the black market so Microsoft would get a black eye if it becomes the next CodeRed.

        1. Robert Helpmann??
          Childcatcher

          Re: "Aggressive disclosure policy"

          I agree a 90 day lead time on public disclosure is reasonable, though not at all with the release of proof of concept code. Also, I cannot imagine something Microsoft would like more than to have it come out that one of its major competitors is selling on the black market. Say what you will about MS's products, their PR people would make good on an opportunity like that.

          1. Zane

            Say what you will about MS's products...

            I would say their PR is in fact the only part of the company that is doing a good job.

            /Zane

        2. Anonymous Coward
          Anonymous Coward

          Re: "Aggressive disclosure policy"

          @DougS,

          "If they wanted to harm competitor's businesses, they'd sell the 0 days on the black market so Microsoft would get a black eye if it becomes the next CodeRed."

          So then, does 90 days make it OK? That's a pretty short statute of limitations. As it appears to be an arbitrarily chosen period, how about 89, or 75, maybe 30, or how about 10? The point is that there's no fixed period of time that makes it "reasonable"; it's how you work together to help the wider community that matters.

          Google aren't helping anyone. It's worthwhile questioning their motivation, though I suspect that this is ultimately about thoughtless bragging and showing off rather than a coldly calculated business practice. But a straightforward interpretation of this event is that Google are deliberately trying to make Microsoft's life hard.

          They should be taking a leaf out of the aviation industry's book. When General Electric recently had a hydrogen corrosion problem in the shafts in their current range of engines, Rolls Royce (their largest competitor) offered help in fixing the problem. And GE have made similar offers to RR in the past too. Reason why? It's in both their long term commercial interests to improve the safety record of the whole industry. Rubbing a competitor's nose in it when they've screwed up doesn't achieve that.

          Same for the software industry. Malware on any platform is a stain on the whole industry. Working together to get rid of it is a fundamental requirement. Unnecessarily exposing a segment of the industry to more malware, especially when there's a patch on the way, is not helpful.

          It's stupid for Google to have set a disclose-by target. They've set an arbitrary target they're now having to stick to otherwise their stupidity would be highlighted for all to see. Setting a target that is in no one's interest (not even their own, ultimately) makes them look ridiculous, though they're trying to hide that behind a veil of public service respectability. I don't think they're fooling anyone who matters in the software security world.

          Yes, find bugs and work with the software owner and claim the credit when all is safely patched; that is the respectable way to do things. Showing off by going public when it's in no one else's interests to do so makes them look like dick heads.

          Besides, for a company whose major software product (Android) is notoriously un-updateable, setting the target at 90 days could really come back to haunt them. OK, so MS may or may not have been a bit slow to fix this particular one. In contrast Google struggle to get even a small minority of Android phones running the latest bug fixed code within a year of its release. It's not as if there's never been a premium number dialler trojan or other punter-fleecing malware on Android.

          With that track record why would anyone trust Android or Google with anything that mattered to them at all?

        3. Tom 13

          Re: "Aggressive disclosure policy"

          Unfortunately, even if you're Google, you need the proof of concept to prove the vulnerability is a real threat.

      2. Anonymous Coward
        Thumb Down

        Re: Good on them for releasing information about the vulnerability

        If the hacker is logging on to your machine locally, you've already passed the point of no return. [Physical access == no security. At least if I'm around, ditto most non-script-kiddies.] So the POC gets you exactly nowhere. For now.

        1. Anonymous Coward
          Anonymous Coward

          Re: Good on them for releasing information about the vulnerability

          It doesn't require 'physical' access, it requires a local login. And elevation of privilege flaws are exactly what you need when you have somehow gained limited local access, maybe thanks to flaws in some other software (maybe a PHP one... and maybe you already have one because you're an insider), and need to escalate it for a full compromise.

          Most attacks happen in steps, using different vectors to gain full control. Google is becoming a megalomaniac company - it now blackmails state prosecutors, releases exploits (and note the time of the year... the right time carefully chosen to create more havoc), decides what laws should be applied to it. This behavior can only backfire, with users on the fire line. The question is what is Google afraid of? Such behaviors are often dictated by fear, masqueraded by arrogance.

        2. Anonymous Coward
          Anonymous Coward

          Re: Good on them for releasing information about the vulnerability

          If the hacker is logging on to your machine locally, you've already passed the point of no return. [Physical access == no security.]

          Not with Windows + Bit Locker + Secure Boot + a TPM as is commonly used when of benefit these days. Provided any known holes in the OS are closed even physical access to the machine doesn't enable you to compromise it.

          1. bill 27

            Re: Good on them for releasing information about the vulnerability

            "Not with Windows + Bit Locker + Secure Boot + a TPM as is commonly used when of benefit these days."

            Tell your granny she has to fork over the extra $'s to upgrade that XMAS special Windows machine to run Bit Locker.

            1. Anonymous Coward
              Anonymous Coward

              Re: Good on them for releasing information about the vulnerability

              "Tell your granny she has to fork over the extra $'s to upgrade that XMAS special Windows machine to run Bit Locker."

              Granny probably isn't too worried about securing her new PC from direct physical attack. This is more for enterprises, kiddy fiddlers, terrorists, and anyone that cares a lot about the privacy and security of their data. Anyway the upgrade to Windows 8 Pro is currently only £45 on Amazon, so hardly a fortune.

      3. Natalie Gritpants

        Re: Good on them for releasing information about the vulnerability

        Releasing the proof of concept will help the person trying to fix this bug to test if the fix is effective with the person affected. If you don't release the proof of concept there is no guarantee that the fix that is eventually provided is actually a fix since it will rely on the fixer guessing at how to provoke the bug.

        1. h4rm0ny

          Re: Good on them for releasing information about the vulnerability

          >>"Releasing the proof of concept will help the person trying to fix this bug to test if the fix is effective with the person affected"

          Sharing the proof of concept with the person trying to fix the bug helps them test. Releasing it generally is a PR move.

          1. Steve Evans

            Re: Good on them for releasing information about the vulnerability

            @H4rm0ny, I'm sure they shared the proof of concept code with MS on the day they filed the report.

            The 90 day deadline is to get MS to pull their finger out and fix it... Otherwise you know the paper shufflers would push other shiny things in front of it in the queue.

            Having stated a 90 day period, they have to stick to it, or the whole "threat" loses credibility, and any sense of urgency is removed from the next one.

            Would they hold it back a bit if MS asked, who knows. Maybe.

          2. Tom 13

            Re: Releasing it generally is a PR move.

            Truthfully, so is releasing the vulnerability at 90 days. I see no point in half measures at that point.

    2. thames

      Re: Good on them for releasing information about the vulnerability

      The reason for releasing proof of concept code is so that other security researchers can reproduce it and also look for variations on it. It's a privilege escalation exploit, so it would typically be combined with some other exploit, such as a web browser vulnerability. If you are a third party software developer, you may want to add mitigation features to your software to prevent it from being exploited.

      The point of having a standard proof of concept code sample is so that everyone can test the same way. It's the same reason that scientists document their experimental procedures. An experienced virus developer doesn't normally need that, although script kiddies might.

      Security researchers used to not put any deadline on waiting for the vendor to respond. What would often happen though would be that the vendor would simply sit on their hands and do nothing until the vulnerability was being actively exploited in the wild. After all, why pull developers off your behind-schedule new product development project to work on something that isn't going to bring in new sales if you don't have to? Microsoft, along with a number of other big proprietary vendors, has a long history of sitting on security reports for years while doing nothing. The current increasingly popular policy of setting a deadline grew out of third party frustration with Microsoft's policy of ignoring them.

      If Microsoft was going to do something, then 90 days should be enough time to do it in. If you look at comparable problems that happen in the open source world, they typically get patched in time spans measured in hours to a couple of days. If it really is a massive and pervasive fundamental design problem in MS Windows, then Microsoft could have talked to the security researcher, told him what they're doing, and asked for an extension.

      My best guess at what happened here is simple bureaucratic incompetence within Microsoft led to someone dropping the ball and nobody being assigned to work on it. They're not going to fix their internal procedures without their customers turning up the heat on them, and that isn't going to happen without Microsoft getting some very public black eyes over this.

      1. Anonymous Coward
        Anonymous Coward

        Re: Good on them for releasing information about the vulnerability

        @thames,

        "If Microsoft was going to do something, then 90 days should be enough time to do it in."

        Turn it round and ask yourself if 90 days is long enough for Google to get all Android handsets patched. Clearly the answer is No. It takes years for bug fixes and releases to permeate the whole Android sector.

        If someone found a devastating bug in Android and gave Google a mere 90 days to get it fixed and distributed, Google would be screaming for mercy.

        1. Anonymous Coward
          Anonymous Coward

          Re: Good on them for releasing information about the vulnerability

          If someone found a devastating bug in Android and gave Google a mere 90 days to get it fixed and distributed, Google would be screaming for mercy.

          This issue isn't "Google vs Microsoft", it's about a vendor not responding to a vulnerability report in ample time.

          90 days is a long time for a security hole to be just sat on, and it's a very generous deadline in the security world. If Google took more than 3 months to respond to a vulnerability report then they would also be treated with equal contempt as Microsoft.

          1. h4rm0ny

            Re: Good on them for releasing information about the vulnerability

            >>"If Google took more than 3 months to respond to a vulnerability report then they would also be treated with equal contempt as Microsoft."

            Obviously false. Just look at the voting in this or any similar article. There are a legion of Google fans who will downvote even factual posts if inconvenient. Bar the odd outlier, that is far less the case with Microsoft. There's a heavy Google bias on these forums.

            1. Anonymous Coward
              Anonymous Coward

              Re: Good on them for releasing information about the vulnerability

              Microsoft is one of the largest, if not the largest, software developer on this planet, and have been for at least one decade - if they cannot coordinate at least extending a deadline with a security researcher, they do have larger problems than fixing their paying customers' security issue at hand.

              What is your opinion of http://secunia.com/community/research/policy/ ? This is a Danish security company, which would put them as a not-competitor to Microsoft - they will fully disclose a vulnerability 14 days after disclosure to the vendor, if the vendor fails to communicate with the researcher - and they will work with the vendor at delaying the full disclosure up to 6 months (in certain cases 1 year if it is deemed complex and the vendor has a clear plan for fixing the issue), and Secunia will publish at least a limited advisory 5 months after discovering a flaw, whether the vendor agrees or not.

        2. Steve Evans

          Re: Good on them for releasing information about the vulnerability

          @A/C that's a bit of an unfair comparison given many of the Androids out there aren't running under google's control of updates... They've already released fixes to bugs in Lollipop, which hasn't been released for 90 days yet, so yes it sounds fair.

          If the likes of LG, Samsung, HTC etc, decide to "fork" Android and add their own bits, and control when their users get updates, that's not Google's fault! Cyanogen manage to roll Google's updates into their builds and get them released pretty quick, so why do the huge corporations find it so challenging?

        3. Tom 13

          Re: Turn it round and ask yourself

          As has been pointed out previously, Google don't directly patch handsets. They release updated code and the vendors of the handsets are then responsible for updating them. This is for the very good reason that the vendors customize the source code for their particular hardware implementation. Sucks if you're with a slow handset vendor, but it is what it is. MS have no such claim to make with Windows.

    3. Tom 13

      Re: Good on them for releasing information about the vulnerability

      You're working on the assumption of a reasonable recipient of the vulnerability report. Once you're past the 90 day time limit, that's an assumption which can be discarded. Without the proof of concept code in the wild, you're subject to a PR war where the vendor claims the vulnerability isn't as bad as the reporter claims because the reporter is using the report to hawk their own wares. Yes, it's a nasty sort of war where there are only losers. The only way to win is not to play the game, in this case, not let the bug age for 90 days before addressing the issue.

  4. agricola
    Linux

    "Awww, c'mon Goog, ..."

    "...cut us some slack. We're used to having 'way more than ninety days to screw our customers."

  5. Anonymous Coward
    Windows

    I agree that MS needs to be more on-the-ball with this.

    90 days seems like plenty of time to at least evaluate the zero-day and get back to Google with a reasonable timeline to create and deploy a fix and request an extension if need be.

    1. GitMeMyShootinIrons

      Re: I agree that MS needs to be more on-the-ball with this.

      Google aren't the police or some government agency (though the ad-peddling data scavengers do see themselves as all powerful). I can go with the 90 day disclosure, but releasing exploit code is dubious to say the least.

      Google are treading on dangerous ground - would they like MS (or anyone else?) dropping code for vulnerabilities in Android or ChromeOS 90 days after finding them? A harmful precedent set by Google that could backfire on them.

      1. Anonymous Coward
        Anonymous Coward

        Re: I agree that MS needs to be more on-the-ball with this.

        releasing exploit code is dubious to say the least.

        It's standard practice. How would you, the admin of some Windows servers, be able to test if the machines that you're responsible for are vulnerable?

        Withholding it isn't a barrier. In most cases, people are able to create their own exploit code based on the report if they wanted - but Mr Server Admin may not have the time, skill, or motivation to. Why leave them out?

        1. Anonymous Coward
          Anonymous Coward

          Re: I agree that MS needs to be more on-the-ball with this.

          "How would you, the admin of some Windows servers, be able to test if the machines that you're responsible for are vulnerable?"

          The normal method is to check the installed version of the vulnerable component. Can't say I have EVER heard of a sys admin having to break the OS to test this type of thing on Windows.
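As an added illustration of the "check the installed version" approach (example code, not from the thread, from Microsoft or from the Google report): a PowerShell snippet that does what an admin would do when a bulletin says "file F must be at version X or later, shipped in KBnnnnnnn". The file path, minimum version (6.3.9600.0) and KB number (KB0000000) below are placeholders, not the real values for the bug in the article; take the real ones from the vendor's bulletin. The default file is ntoskrnl.exe only because it exists on every Windows box, so the script runs as-is.

```powershell
# Added example, not part of the original thread or the vendor's guidance.
# Checks (a) whether a system component is at or above a minimum file version and
# (b) whether a given hotfix shows up as installed. ASSUMPTIONS: the default
# path, version and KB id are placeholders; substitute the bulletin's values.

function Test-ComponentVersion {
    param(
        [Parameter(Mandatory)] [string]  $Path,
        [Parameter(Mandatory)] [version] $MinimumVersion
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Installed = $null; Patched = $false; Note = 'file not present' }
    }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # FileVersion is free text; rebuild it from the numeric parts so the
    # comparison is numeric (6.3.9600.17415 > 6.3.9600.9600), not lexical.
    $installed = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    [pscustomobject]@{
        Path      = $Path
        Installed = $installed
        Patched   = ($installed -ge $MinimumVersion)
        Note      = ''
    }
}

function Test-HotfixInstalled {
    param([Parameter(Mandatory)] [string] $KB)   # e.g. 'KB0000000' (placeholder)
    # Get-HotFix reads the same store as "View installed updates". It can miss
    # fixes delivered by other means (e.g. a superseding cumulative update),
    # which is why the file-version check above is the one to trust.
    $hf = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return [bool]$hf
}

# Placeholder inputs: replace with the file, version and KB from the bulletin.
$result    = Test-ComponentVersion -Path "$env:SystemRoot\System32\ntoskrnl.exe" -MinimumVersion '6.3.9600.0'
$kbPresent = Test-HotfixInstalled -KB 'KB0000000'

$result | Format-List
"Hotfix present: $kbPresent"
if ($result.Patched) { 'Component at or above the minimum version' } else { 'Component below the minimum version' }
```

No elevation is needed to read a file's version info, so this can run under a normal account or be pushed out via Invoke-Command to a list of servers. Treat the hotfix check as a hint only: a KB id can be absent while the fixed binary is present, which is exactly the case the file-version comparison catches.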

  6. Winkypop Silver badge
    Trollface

    It's OK

    No one uses Windows 8x anyway

  7. startstuff

    Sick and tired of microsoft

    Microsoft is not the company that they used to be, after all they have been always the same but the OS options that we have today are what will make Windows obsolete, especially the fast adoption of Android and iOS on tablets and phones.

    I turned off Microsoft automatic updates because the upgrades are often worse than viruses or vulnerabilities. How many times have I read that I should uninstall an MS update because of the new 'problems' it created? Too many times, so when I see that nefarious icon informing me that there is a new update I just wait a week, see if there are no complaints and then install it.

    If they can't release a 'clean' update what makes you think they can fix something in 3 months?

    Sorry but windows 7 is the end of the road for me, I own Macs and linux machines and I feel perfectly safe and happy using those OSes, besides everything is migrating to Android/iOS and the PC is becoming less and less important. I migrated from Adobe creative suite (dreamweaver) to KomodoIDE for linux and Mac, right now I'm downloading the Altera QuartusII for linux, I run ARM programming tools in Linux.

    I just have to find a way to migrate my ICOM scanner software to linux or Mac and I'll be done, maybe emulation or something else.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sick and tired of microsoft

      What have you been ingesting recently? I think your sense of proportion has been severely degraded...

      "I turned off microsoft automatic updates because the upgrades are often worse than viruses or vulnerabilities."

      Only on a few occasions have they screwed up an update. They're no worse than anyone else, and they're a lot better than something like Android (which doesn't have updates at all).

      "I own Macs and linux machines and I feel perfectly safe and happy using those OSes"

      Smirk.

      "I just have to find a way to migrate my ICOM scanner software to linux or Mac and I'll be done, maybe emulation or something else."

      Why don't you just write your own driver, sounds like you're a real hotshot.

      1. Dan 55 Silver badge
        Windows

        Re: Sick and tired of microsoft

        If my memory serves me, AC, four out of the last five Patch Tuesdays have needed a rollback of some kind. More info in this esteemed publication and comments.

        1. Sandtitz Silver badge
          Windows

          Re: Sick and tired of microsoft @Dan 55

          "four out of the last five Patch Tuesdays have needed a rollback of somekind."

          None of those patch tuesday problems have been a problem with any of my clients.

          There have been plenty of MS updates that have caused havoc with some users. Usually the problems have arisen on a very small subset of users due to special hardware/software circumstances and most people never have to uninstall any updates. (and most users wouldn't even know how to uninstall anything anyway)

          Same goes with other operating systems, there's always some people whining how the latest Android/IOS/OSX update broke something.

        2. Anonymous Coward
          Anonymous Coward

          Re: Sick and tired of microsoft

          "If my memory serves me, AC, four out of the last 120 Patch Tuesdays have needed a rollback of some kind."

          There, fixed it for you (or at least got it closer to being correct). And whilst we're on the topic, how many Android handsets have received all patches or releases? Oh that's right, none at all.

          1. Dan 55 Silver badge

            Re: Sick and tired of microsoft

            Very good, AC, but we're talking about a clear drop in quality since the Trustworthy Computing group was disbanded which means it does make sense to talk about the last few months.

            Was it really 10 years of fault-free patching? I'd have preferred it if you'd have been let go instead of the TC group and then there'd be fewer nonsensical arguments on forums and better patching.

        3. This post has been deleted by its author

    2. h4rm0ny

      Re: Sick and tired of microsoft

      "Microsoft is not the company that they used to be"

      I'd agree with you there - Google are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sick and tired of microsoft

        "I'd agree with you there - Google are."

        Yep - Google are now The Borg.

    3. Bloakey1

      Re: Sick and tired of microsoft

      <snip>

      "I just have to find a way to migrate my ICOM scanner software to linux or Mac and I'll be done, maybe emulation or something else."

      I agree with your comments and have Macs and Linux here as well. Now down to your scanner and other stuff, see below I use some of these programs as I am a bit of a ham having been a signals type person in the military.

      http://www.dxzone.com/catalog/Software/Radio_Control/

    4. Anonymous Coward
      Anonymous Coward

      Re: Sick and tired of microsoft

      "I turned off microsoft automatic updates because the upgrades are often worse than viruses or vulnerabilities."

      Clearly you are an uninformed idiot and are part of the problem.

      "four out of the last five Patch Tuesdays have needed a rollback of somekind"

      No issues here with several hundred PCs.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sick and tired of microsoft

        No issues here with several hundred PCs.

        I wish you Linux users would stop showing off!

  8. Destroy All Monsters Silver badge
    FAIL

    Have you applied leeches and vented the phlegm?

    "We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

    Recommendation to do the obnoxious, perform the borderline dangerous and enable the frankly useless.

    1. Cipher

      Re: Have you applied leeches and vented the phlegm?

      Having read MS forums for years, I have to agree. No matter what the problem, and often it is buggy code, MS staffers post the scripted "safe mode, AV, chkdsk, it is likely malware so clean up your machine" bullshit instead of addressing user problems.

      Windows users are lucky that some folks write free workarounds to these problems, ShellFolderFix comes to mind...

  9. DerekCurrie
    Megaphone

    If Only Google Paid Better Attention To Android Security

    Q: What mobile OS has the most malware by orders of magnitude beyond all others?

    A: Android.

    So is the Google security initiative simply a smokescreen to hide Google's guilt in not adequately securing Android, turning it into the equivalent of Windows on mobile devices? I say YES.

    I applaud Google for finding security flaws in everyone else's software. Now how about THEIR OWN??? Hmm?

    1. jaduncan

      Re: If Only Google Paid Better Attention To Android Security

      To put it extremely generously, [citation needed] on the malware claim.

      1. Anonymous Coward
        Anonymous Coward

        Re: If Only Google Paid Better Attention To Android Security

        http://www.techlicious.com/blog/99-of-all-mobile-malware-targets-android-devices/

        http://www.techlicious.com/blog/32-million-android-phones-infected-with-malware/

    2. RankingRoger

      Re: If Only Google Paid Better Attention To Android Security

      Got a source for that? As obviously with 90% market share, it's easy to be fooled by the press reporting.

      Android actually has a very secure multiple levels of device security.

      http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/

      Given that pretty much everyone runs android, I don't know a single person that's ever had malware or security issues on android.

      Ever get the feeling you've been cheated?

      1. Anonymous Coward
        Anonymous Coward

        Re: If Only Google Paid Better Attention To Android Security

        "As obviously with 90% market share"

        What has Windows on the desktop got to do with it?

  10. Phoenix50

    90 days?

    Utter tripe. This has got nothing to do with "90 days" being enough time (though frankly - how anyone here can know for sure that 90 days "is enough" to develop a fix is beyond me).

    This is about Google acting like the world "code" police - who the f**k do they think they are? They've set themselves up as protectors of the realm and now go around handing down edicts as though they own the f*****g internet? Who's next? Apple? Adobe? Oracle?

    I find their attitude astounding. More arrogance from the chocolate factory, as usual.

    1. Dan 55 Silver badge

      Re: 90 days?

      Well if Android or Chrome OS is next, I doubt they will have one team working against another and releasing exploit code after 90 days.

    2. David Lawton

      Re: 90 days?

      "They've set themselves up as protectors of the realm and now go around handing down edicts as though they own the f*****g internet?"

      To be fair, if any of my users I support (which is several thousand) cannot get to www.google.com they think the internet is broken. So yeah, in the minds of most non-tech people, they do own the internet, Google is the internet, and they Google it.

    3. regadpellagru

      Re: 90 days?

      "I find their attitude astounding. More arrogance from the chocolate factory, as usual."

      Whether this is arrogance or anything else is irrelevant. As has been said already, Google IS the internet for Joe User.

      The point is, with people like MS, who have utterly failed to even think about security in their OS (remember 4-5 years back, when they said they would put security at the core of Windows and all dev processes?), don't give a f**k, and don't have a clue, you need to break their arm to get any bloody security fix.

      This is what Google is doing.

      Arrogant ? Maybe. But this is in the interest of users, pending their migration to other solutions ...

      1. Destroy All Monsters Silver badge
        Windows

        Re: 90 days?

        remember 4-5 years back, when they said they would put security at the core of Windows and all dev processes ?

        I have the same problem: Time flies.

        It was in January 2002 after a string of "access all areas" events IIRC.

        The trustworthy computing group was disbanded this September.

        As to the rejects claiming "OH NO 90 DAYS IS NOT ENOUGH FOR ANYBODY."

        ... what you gonna do when a 0-day hits the street and it's not 90 DAYS but 90 MINUTES. Huh? What you gonna do, PUNKS?

    4. Michael Wojcik Silver badge

      Re: 90 days?

      how anyone here can know for sure that 90 days "is enough" to develop a fix is beyond me

      From the description of the vulnerability, it certainly seems like 90 days should be more than sufficient. I dare say confirming the obvious fix with the exploit code supplied by Google would be trivial. Then, yes, there's the problem of looking to see if it breaks something else; but it's difficult to see why anything would need to update the app cache while running under a privileged impersonation token.

      So at least the problem as described by Google appears to be fixable within the time limit. There might well be a class of similar problems, but there's no reason not to do a phased fix - correct the obvious, known issue first, and then look for others.

  11. Anonymous Coward
    Anonymous Coward

    Look after your vulnerables

    The Windows program that I have to 'clean' the most on customers' PCs is Google Chrome - usually taken over by malware designed to throw up adverts & subvert search. Sometimes this means replacing it with Opera Chromium in the hope that that will be less targeted.

  12. nematoad
    Unhappy

    Ahh

    "Microsoft issued a statement to the effect that it is aware of the problem and is preparing a fix."

    Oh, good.

    Pity that they were probably the last to know about it.

  13. Teiwaz

    A poke with the shit-stick

    I hope microsoft have learned a lesson here..

    Deal with any open sores quickly otherwise Google will poke it with a shitty stick.

    All the same, I think we know Now why Google are called the 'Chocolate Factory',...

  14. h4rm0ny

    This is basic PR. Does Google have a competitive interest in Windows being a better OS? No, they don't. So do they therefore benefit from silently and constructively helping fix bugs in a non-destructive manner? No they don't. But loudly pointing out vulnerabilities in a competitor's products (to the detriment of its users)? Yes, they clearly do but with the caveat that endangering those users would make them look bad. So clearly what is needed is a way of pointing out those vulnerabilities but making it look like they're not the ones endangering users. Ergo, decide on an entirely arbitrary time scale and say you have given notice and it's your competitor's fault the users are harmed by your publishing this information because they could have fixed it.

    Of course the time scale is arbitrary so sometimes your competitor will be able to fix the issue in time and sometimes they won't - hits and misses. But it's necessary so that you appear to be the responsible one.

    What is particularly silly is all these armchair critics here saying "90 days is enough to patch it" with NO idea of what fixing it involves. Maybe it is, maybe it isn't.

    Equally silly is the person in the article arguing that now we can all take counter-measures. Yes, I'll just reverse engineer the Windows sourcecode and whip up a fix, now. Of course on the other side of the equation, the black hats can just copy and paste Google's helpful How To and tweak to their needs. Yes, a Windows PC still needs to already be partially compromised to exploit this bug but it's the principle as well.

    This is PR. If it doesn't look like PR, that's because it's well done PR.

    1. jason 7

      Indeed, with ChromeOS on the rise...

      ...it's only going to get nastier.

  15. MR J

    0 Day Exploit

    I reported an exploit for Netgear routers to Netgear nearly a year ago now that allows users to "ask" the router for the admin and password (from the WAN side!) and even though they confirmed it was a valid exploit, they still to this day have not rolled out a fix..

    Until it hits the public domain then I bet they won't issue a fix. So the question is, should we blackmail companies who don't issue fixes?

    1. phil dude
      Coat

      Re: 0 Day Exploit

      The word is "liability"...

      P.

      1. Destroy All Monsters Silver badge

        Re: 0 Day Exploit

        Of which there is none at the company's end.

        "BEST EFFORT" is the best you can get.

        As Dan Geer says in "Inviting More Heartbleed" -- "The only two products not covered by product liability today are religion and software, and we don’t think software is going to or should escape for much longer."

    2. Michael Wojcik Silver badge

      Re: 0 Day Exploit

      So the question is, should we blackmail companies who don't issue fixes.

      This was widely debated in the infosec community - particularly among the white hats - back in the '90s and early '00s. That's why we have things like RFPolicy. Every software vendor should be aware that there are researchers who will disclose vulnerabilities and exploits if the vendor doesn't respond in a timely fashion. That's been widespread practice for more than a decade - precisely because history amply demonstrates that's what it takes to make vendors behave responsibly.

  16. RankingRoger
    FAIL

    In summary

    It's Google's fault that Microsoft have sat on this for 3 months...

    OK then.....

  17. Anonymous Coward
    Anonymous Coward

    At any given time Microsoft are working on who knows how many fixes for the next cycle. They have to test the fixes against who knows how many configurations before they can release them to Patch Tuesday. Sometimes they don't make it because of issues. The fix might take minutes but the testing cycle takes weeks. Sometimes they release one with issues and everyone slates them. If an exploit that's really risky turns up, they might stop their testing, introduce a fix and restart testing - a big decision. Of the open issues on the table, they will know what's more exploitable and what isn't. They have monitoring systems to see if exploits are being exercised in the real world too. Let's say this one was obscure and not important enough to interrupt testing. Releasing the exploit code for this one potentially screwed up the release of more important higher priority fixes already in the pipe. How does someone outside Microsoft make that call on their behalf, or more importantly, my behalf as a Windows user? You might not like the fact that the majority of desktops run it, but releasing exploit code actually puts me at risk of something definite instead of me potentially being at risk of something obscure (yes, I know there's no security in obscurity). Thanks for actually putting me at risk. I really can't see any mitigating excuse for doing something that stupid.

    1. Anonymous Coward
      Anonymous Coward

      Lets all be anonymous...

      90 days is more than enough time to come up with a plan for handling it and then communicating that with the security researcher to get more time to fix the problem. Either Microsoft missed this in their internal handling of this, and then that would be something to improve on, or on the other hand, they did not think it was a problem at all and then the PoC code being released is not a problem.

      And seriously, the only ones putting you at risk are Microsoft for not handling this bug faster or working out a timeframe - and before anyone suggests otherwise, I would certainly hope that other researchers employ the same or stricter rules on publishing security problems in the future, especially those in Android.

      Stop claiming that it is the researchers that make systems insecure - it is the guys creating the software that make it insecure!

      1. h4rm0ny

        Re: Lets all be anonymous...

        >>"90 days is more than enough time to come up with a plan for handling it and then communicating that with the security researcher to get more time to fix the problem."

        So now companies have to report to Google?

        1. Anonymous Coward
          Anonymous Coward

          Re: Lets all be anonymous...

          Would you rather have insecure software, or is your attitude towards software security biased by the fact that it was Google who reported it?

          And if you had read further I said I would prefer if every other security researcher chose the same ruleset for publishing - the attitude towards security in software, both in the open source world and in the closed source world, is appalling. I am just sorry you find that acceptable...

        2. Anonymous Coward
          Anonymous Coward

          Re: Lets all be anonymous...

          So now companies have to report to Google?

          The fact that it is Google should be irrelevant. They have to respond to security reports from whoever they are from, if they care about the security of their systems and products.

          1. h4rm0ny

            Re: Lets all be anonymous...

            >>"The fact that it is Google should be irrelevant. They have to respond to security reports from whoever they are from, if they care about the security of their systems and products."

            The fact that it is Google is irrelevant. I'd say the same of any company that set itself up as policeman of the Internet and tried to get other companies to organize their development schedule around their demands, threatening the security of their customers as a threat.

            But it's not irrelevant in a couple of other senses. If it weren't Google, but for example Microsoft releasing exploits for Android or OSX, then you wouldn't see the same "more than enough time" crowing posts. You could also suppose that the motivation of, say a company like MacAffee reporting such a problem, would be different than one doing so against their main competitor. Google are not motivated by improving the Windows OS. Anyone who thinks they are is an idiot. So yes, reasons for publishing such exploits are also different because it's Google. Symantec et al. become aware of vulnerabilities all the time and don't see the need to publish template exploit code and set arbitrary deadlines. Just Google the White Knight does that, who will nobly protect our security by telling the world how to compromise it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Lets all be anonymous...

              The fact that it is Google is irrelevant.

              But you asked "So now companies have to report to Google?"

              If it weren't Google, but for example Microsoft releasing exploits for Android or OSX, then you wouldn't see the same "more than enough time" crowing posts.

              I would - while I can't speak for the majority of commenters here, I have no emotional attachment to either company. But let's flip this one around - if it were the other way around, would you be defending Google?

              Google are not motivated by improving the Windows OS.

              Of course not - but what is their motivation? Why are they trying to improve the security of other products? I don't know, but I think they have a vested interest in securing the Internet in general - it's "their" platform.

              So yes, reasons for publishing such exploits are also different because it's Google

              No. The fact that it is Google is irrelevant - it just so happens that they support full disclosure, rather than security through obscurity (both have their merits). It's a very common mindset in the security field, and is not specific to Google by far.

              To me, and others who have a security mind-set, it's not pro-Google or anti-Microsoft.

              1. h4rm0ny

                Re: Lets all be anonymous...

                >>But you asked "So now companies have to report to Google?"

                Yes, and if it had been Apple that did this I would have said them instead. It's not particularly relevant that it's Google as to whether this is harmful or not. It's only relevant in so far as discussing motivations.

                >>But let's flip this one around - if it where the other way around, would you be defending Google?

                Yes. I don't see why Android users' security should be put at risk, or anyone else's.

                >>"Of course not - but what is their motivation?"

                I have already explained that in my previous post. In this case, as it's obviously not going to be helping Microsoft and this is harmful to users' security, the answer is PR.

                >>"but I think they have a vested interest in securing the Internet in general - it's "their" platform"

                No-one is going to stop using the Internet - even people who have been hacked. It's just a non-issue. The only question that is asked is what way people use to access it. Google do not need to protect against people no longer going online. But they do want people to use their products to do so rather than those of one of their main competitors. That is an actual thing they try to safeguard. And alongside usability and cost, security is the other big way you persuade people to use your way over a rival's. So obviously Google have no motivation to help Microsoft make a better product. But they do have a motivation to appear to be the most security-aware by publicising competitors' flaws. This is not complicated stuff.

                >>"No. The fact that it is Google is irrelevant - it just so happens that they support full disclosure, rather than security through obscurity (both have their merits). "

                Again, it is irrelevant to whether or not this harms people, it is - obviously - not irrelevant to discussion of Google's motivations whether or not we're talking about Google. Unless of course it's a motivation that is universal which it is not. You say it's about "supporting full disclosure", but we're actually talking about applying this to your competitor's products and setting your own deadlines and decisions on how your competitor can behave by using their customer's security as a threat. That is not universal behaviour and in fact is not how most security companies behave (if any).

      2. Anonymous Coward
        Anonymous Coward

        Re: Lets all be anonymous...

        There was no claim that "researchers make systems insecure", only that releasing the vuln detail is irresponsible, releasing exploit code is wildly irresponsible and potentially criminally liable, and that they (researchers) are not aware of the full implications of all the known vulns in the pipeline.

        Do I think Microsoft could patch things faster - yes. They probably have most fixes ready to roll very quickly (minutes or hours). Would I want them to spray out every fix the moment it compiles without appropriate testing - definitely not. They have released out of band patches because of the severity and active exploits. So as far as choosing which ones to go with, if they prioritise things a certain way I trust them to understand the implications way more than some random researcher who has that one vuln that they just found out about.

        Unlike Apple and Google, Microsoft has to deal with the massive number of combinations of hardware, devices and software out in the real world, which they do, let alone the old versions of Windows/Office/IE they deal with. Hence it takes weeks to get through the testing, hence there's a schedule and a priority, and which for very obvious reasons you and I don't know about. Also unlike Apple and Google, breaking Windows or Office will bring the screaming hordes of corporations and a large proportion of the public with commentards alike if it all goes pear shaped.

        Meanwhile, how's your security patch support for n-3 or 10 year old versions of OS-X, iOS/Android and Chrome/Firefox going ?

  18. DavCrav

    I'm surprised Google hasn't heard of the crime of aiding and abetting.

    If I find out that someone's front door lock doesn't work, and tell them, but they haven't fixed it, and then I go on Twitter and tell everyone that so-and-so's house is unlocked, and it gets burgled, I would find myself in the dock for aiding and abetting theft. If this proof-of-concept code is used in the wild, Google is guilty. Simple as.

    1. This post has been deleted by its author

    2. Destroy All Monsters Silver badge
      Thumb Down

      aiding and abetting

      Yeppers, it's argumentation from 2001 again. Should we, shouldn't we etc. etc. etc.

      I would find myself in the dock for aiding and abetting theft.

      [Citation needed]

      It's out, and there was time to fix it. Deal with it.

  19. phil8192
    Linux

    Par for the course. Some of you may remember the Web site and accompanying book, "Windows 95 Annoyances", and later, "Windows 98 Annoyances". The author of the sites and the books, David Karp, was a member of a select group of people who got to use Windows 95 a year before it was released to the public, with the objective of reporting back to Microsoft on problems he found. He reported several dozen problems, yet when Windows 95 was released NOT A SINGLE ONE of the problems had been corrected and some Windows 95 problems persisted in Windows 98, and beyond. That's just the way Microsoft is; it is endemic to the company culture. Either accept it or jump ship like I did. Other operating systems have their problems, too, but you might as well try to pick one that has shorter response time from the maintainers when bugs are discovered.

    1. BongoJoe

      It's the same with Office. If a bug isn't fixed in one version then if it isn't fixed in a product update then the same bug will be there forever as only new bugs will be fixed.

  20. Youngdog

    The canned response doesn't help

    "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine"

    Bull. The attacker may try manipulating someone with valid login credentials into doing their dirty work for them instead!

    1. h4rm0ny

      Re: The canned response doesn't help

      >>"Bull. The attacker may try manipulating someone with valid login credentials into doing their dirty work for them instead!"

      Didn't actually read the bug description yourself, did you? The bug allows software to bypass the UAC prompt (i.e. "do you want to allow this program..."). It is only of use against those who already have Administrative privileges. If the scenario you propose were to occur - i.e. an Inside Job, then presumably the infiltrator would be willing to click "Yes" to the UAC prompt anyway.

      Some people are in such a hurry to pin blame, they don't even understand what they're blaming someone for.

      1. Youngdog

        Re: The canned response doesn't help

        I didn't propose an Inside Job scenario - that was you reading 'manipulating' as being an overt coercion e.g. blackmail.

        There are plenty of ways to get an unknowing user with admin rights to click the wrong thing - and most don't need a gun put to their head to do it!

        1. h4rm0ny

          Re: The canned response doesn't help

          >>"I didn't propose an Inside Job scenario - that was you reading 'manipulating' as being an overt coercion e.g. blackmail."

          You're not going to admit that you didn't actually know what this bug did when you wrote about getting someone with login credentials to do their dirty work for them? It doesn't really matter even if you pretend that you did know what the bug does when you wrote that. In any scenario you're talking about getting an insider to do something for you - whether that is "blackmail", bribery or calling them up and pretending to be the IT department, they're not doing anything they don't already have permission to do and whether it's bribery or telling them convincingly on the phone "download this program and click Run", the UAC prompt is not going to make much difference. Not that downloading a program from a link doesn't prompt its own set of equivalent warnings, anyway.

          Straight question - did you understand what this bug actually did when you wrote your original post? I think it's pretty clear you didn't and now you're trying to get around that because you don't want to be wrong on the Internet. Honest answer, please.

          1. Youngdog

            Re: The canned response doesn't help

            Straight, honest answer? Yes I did. My reading was that it could potentially allow malicious code to be run as admin without the UAC prompt and the likeliest targets would be home users with Admin rights on their regular accounts, so the 'Insider scenario' hadn't occurred to me. Won't hold my breath for an apology though.

  21. Spoonsinger

    Actually this highlights quite a nice free market competition lead peer review system developing.

    i.e.

    Company G) Companies M software has a bug, we've told them, they didn't do anything about it, we will tell everyone else. (including the punters).

    Company M) Oh!, you're going to play it like that are you? OK, this is the bug we told you about sometime back and you didn't do anything about it. Finger is now hovering over the 'enter' key. Not backing down? ok!, it's pressed.

    (Some iterations of above later).

    Company G) Ok, point taken. But what if we pool our efforts, (because you and us have common ground now), we can go after that Company A - mainly because they are smug and can be quite lackadaisical.

    Win-win for the consumer.

  22. BiffoTheBorg

    Is Google my friend?

    Not sure, usually I'm not that keen on self-aggrandising megalomaniac advertising companies.

    Perhaps, this time they really do have my best interests at heart.

  23. Bill 11

    I do not agree with the ninety days on any number of counts, to list them in no particular order:

    1) Google is playing with fire releasing bugs from competitor software. The Holier than thou can easily degenerate into Hole'er than thou.

    2) As I am sure someone must have already said, if you have local access, regardless of OS, you're toast anyway.

    3) All software firms have bugs and they are prioritised by criticality, as this bug requires you to have local access then, to be honest, it isn't critical. Needs fixing sure, but it is not critical. Critical is something that can be actioned remotely such as the Heartbleed bug. If you want patches to work correctly when applied then proper regression testing is a must, if you are prioritising then 90 days is not necessarily enough. All this does is create a situation where bugs notified by a group who release the exploit within 90 days are potentially prioritised over bugs that are more critical but notified by a group who are more sensible in their media relationships.

    4) If you must create pressure on a company to fix their software then a simple league table of bugs notified and time to fix would suffice. Releasing the bug and exploit doesn't just hurt the firm it hurts us the end user.

    5) With 4 in mind, who the hell does Google think they are?

  24. Haro

    Look at the larger picture, people

    Right now MS must be looking at dozens of worse bugs, and taking their sweet time. This is only an escalation exploit, and must go into that bin of hundreds. Shame on Google for revealing, what must be the most minor of bugs in the MS Universe. :) (I think two years should be the time limit.)

  25. Vladimir Nicolici

    One thing to note is that the only thing this bug does is to allow the executable to bypass the UAC prompt. An account without administrative permissions won't be affected, since it can't elevate anyway.

    A workaround for this issue, until Microsoft releases a fix, is to change the UAC security from the default to "Always Notify".
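    The "Always Notify" workaround above, as an added PowerShell example that is not part of this thread: it reads the registry values behind the UAC slider, reports the current level, and (when run with -Enforce from an elevated prompt) sets the Always Notify level. It assumes the standard key HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the function names are my own.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the UAC
# "Always Notify" level suggested above as a workaround.
# The values below live under the Policies\System key and drive the UAC slider:
#   EnableLUA                  1 = UAC enabled, 0 = UAC disabled
#   ConsentPromptBehaviorAdmin 2 = prompt for consent on the secure desktop for every elevation
#                              5 = prompt only when a non-Windows binary elevates (Windows 8.1 default)
#   PromptOnSecureDesktop      1 = show the prompt on the dimmed secure desktop
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSettings {
    # Reads the three values; a value that is absent from the key reads as $null.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-UacLevel {
    # Maps the raw values to the label the UAC slider would show for them.
    $s = Get-UacSettings
    if ($s.EnableLUA -eq 0) { return 'Never notify (UAC disabled)' }
    switch ($s.ConsentPromptBehaviorAdmin) {
        2 { if ($s.PromptOnSecureDesktop -eq 1) { 'Always notify' }
            else { 'Always notify, but without the secure desktop' } }
        5 { if ($s.PromptOnSecureDesktop -eq 1) { 'Notify only for non-Windows binaries (default)' }
            else { 'Notify only for non-Windows binaries, without the secure desktop' } }
        0 { 'Elevate without prompting' }
        default { "Non-standard (ConsentPromptBehaviorAdmin=$($s.ConsentPromptBehaviorAdmin))" }
    }
}

function Test-UacAlwaysNotify {
    # $true only when every elevation, Windows binary or not, prompts on the secure desktop.
    $s = Get-UacSettings
    return ($s.EnableLUA -eq 1 -and $s.ConsentPromptBehaviorAdmin -eq 2 -and $s.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    # Writes the Always Notify configuration. Writing under HKLM needs an elevated session,
    # and a change to EnableLUA only takes effect after a restart.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $elevated) { throw 'Run this from an elevated PowerShell session.' }
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Usage: always report the current level; enforce Always Notify only when asked to.
Write-Output "Current UAC level: $(Get-UacLevel)"
if ($args -contains '-Enforce' -and -not (Test-UacAlwaysNotify)) {
    Set-UacAlwaysNotify
    Write-Output "New UAC level: $(Get-UacLevel)"
}
```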

  26. Anonymous Coward

    I don't see any indication that Microsoft ( or anyone else ) can ask Google for an "extension" to their 90-day rule.

  27. Grease Monkey

    Doesn't often happen, but I agree with Google on this one. They gave 90 days notice, WTF is the point in giving 90 days notice and then having idiots saying "give them a second chance"? How many second chances do they need exactly?

    If they can't fix a bug in 90 days what right do they have claiming to be the best software company in the world? I'll bet it wouldn't take that long to fix a bug in Linux.

    1. Anonymous Coward

      Haven't several Linux baddies been hidden for DECADES?

      1. Kanhef

        Sure; the Shellshock bug was introduced back in 1989. Once it was reported, though, there was a patch available in 12 days, from someone who maintains Bash for free as a side project. Microsoft pays thousands of people to work on Windows as their full-time job, so not being able to respond to vulnerability reports in a timely manner is embarrassing, to say the least.

        1. Anonymous Coward

          "Once it was reported, though, there was a patch available in 12 days"

          But it took several more for a patch that actually worked.

  28. Henry Wertz 1

    "In this case, just publicly reveal that "NtApphelpCacheControl()" has a bug, then after 15 days release that it doesn't properly check permissions, then 15 days after that release info about the security tokens, and so on"

    That'd be useless I think.

    1) Microsoft already had a full *90 days* to fix this bug. This isn't like a few holes where the fix might break other behavior or is complex, or where the fix has to be patched into many products (like a few JPEG or SSL flaws where -- on Windows -- the flawed JPEG or SSL code was usually "built in" to each software instead of them all using a single shared library with the code in it.) I simply have no sympathy, there have been FAR too many cases where commercial companies (not just Microsoft...) will string some security company on for months, 6 months, 9 months, a year, "Oh be responsible, don't release that exploit yet!". Eventually either blackhats or a second security company (who will not wait to release) re-discovers the flaw (and get the credit) and lo and behold! They manage to put out a patch (that they claimed they needed months or more to do) within a week or two.

    2) Once someone says "NtApphelpCacheControl() has a bug", it'll probably take some blackhat (if it hasn't been found already) less than a day to poke around, find the flaw, and have full exploit code ready. And again, they already had 90 days to fix it, another 15 or 30 just keeps the hole exploitable for longer.

    1. h4rm0ny

      >>"This isn't like a few holes where the fix might break other behavior or is complex"

      You are either biased or have no experience of large-scale systems development. Regression testing, platform testing, prioritizing of finite resource. Nothing in developing a mainstream OS is not complex. I used to work on a large, low-level project (an OS, but an industry-specialized one, not a user-orientated one). Around forty full time developers and a testing department of around eighteen people. Even the smallest change I made had to be incorporated into testing schedules that went to weeks just as part of the normal process. If we did something out of band - something vitally urgent (which thankfully I only recall happening once), it would involve beginning again and many late nights for our testing team. Therefore our fixes were properly prioritized and we wouldn't hold up a more important fix or feature for the sake of a lesser one. You had a pipeline. And you didn't suddenly stop the process whenever the latest issue came in because that would be holding back more important things.

      Basically, all these people going "it's not complex" or "90 days is plenty of time" are armchair developers speaking about code they have little idea of and processes they have no familiarity with.

      1. Anonymous Coward

        And you didn't suddenly stop the process whenever the latest issue came in because that would be holding back more important things.

        It really depends on how important security is to you.

        Basically, all these people going "it's not complex" or "90 days is plenty of time" are armchair developers speaking about code they have little idea of and processes they have no familiarity with.

        So you're suggesting that this bug is too complex for Microsoft to fix in a timely manner, and have hence ignored the report with the hope it would go away? Of course you're not - or that would make you an "armchair developer", speaking about code you have little idea of. There have already been comments here along the theme of "volunteer OSS developers are able to do it".

        1. h4rm0ny
          Facepalm

          >>"It really depends on how important security is to you."

          No, you're simply unfamiliar with the complexities involved in this sort of software. When I was working on this sort of project, we had a strict release procedure - we had to because it was very complicated system-level software performing critical functions. Pre-release testing took a couple of weeks and had to be done against signed-off code. So I fix bug X which is an important bug. Then bug Y comes in. Do we stop the whole release procedure and hold back bug X for the sake of getting bug Y in? Yes, we can then get bug Y resolved earlier than it would be otherwise, but it's at the cost of bug X being fixed later than it otherwise would. Not to mention a huge amount of wasted resource because we've cancelled an update process part way through when bug Y came in. And that is an EXTREMELY simplified version of things to illustrate the principle that you can actually make your software LESS secure by holding things back to include the latest issue found.

          >>"So you're suggesting that this bug is too complex for Microsoft to fix in a timely manner, and have hence ignored the report with the hope it would go away?"

          No, I'm not suggesting that and nowhere did I say anything like it. If you want to have a conversation with yourself, I'm not stopping you but please don't pretend one participant in the conversation is me.

          >>or that would make you an "armchair developer"

          Well no, I have experience of systems level programming and have worked on very large software projects of a critical nature so I have some familiarity with this stuff. And more to the point, I'm not the one asserting that deadline X is appropriate for a codebase I have no familiarity with. Maybe 90 days is suitable, but I doubt it and I know enough not to make confident statements that it is without any knowledge of it. That is why they are "armchair developers" - because they are making assertions without familiarity. I have not done so. I'm just pointing out they (and you) have no idea whether it's right or not. If you struggle with that concept then let me point out that the 90 days is a set period. So you think one size fits all? Obviously it doesn't. Ergo, it's arbitrary and doesn't respect actual needs.

          >>"There have already been comments here along the theme of "volunteer OSS developers are able to do it".

          So... you're saying 90 days is appropriate because some people here say that it is? See icon.

          1. Anonymous Coward

            Wow, get over yourself!

            No, you're simply unfamiliar with the complexities involved in this sort of software. When I was working on this sort of project, we had a strict release procedure

            Good for you - but it's not how everyone operates. If you haven't broken your strict procedures because they don't account for unforeseen circumstances (ie, bugs & design problems) because you're such a brilliant developer, then I have one thing to say: Please work for me!

            >>"So you're suggesting that this bug is too complex for Microsoft to fix in a timely manner, and have hence ignored the report with the hope it would go away?"

            No, I'm not suggesting that and nowhere did I say anything like it

            Yes you did. You name called people who suggested "it's not complex" or "90 days is plenty of time" - so, unless you're also an "armchair developer", you must therefore think that it is complex, and 90 days isn't enough time.

            See how logic was used, but it just went over your head?

            So... you're saying 90 days is appropriate because some people here say that it is?

            You know they're factual, and I only said it was already posted so I didn't need to type it again.

            You can't discount something just because it was mentioned on here; it doesn't mean it's untrue - otherwise, what you've just said would also be untrue.

            1. h4rm0ny

              >>"Good for you - but it's not how everyone operates. If you haven't broken your strict procedures because they don't account for unforeseen circumstances (ie, bugs & design problems) because you're such a brilliant developer, then I have one thing to say: Please work for me!"

              This just reinforces my point that you don't have familiarity with projects like this. I didn't have the power to break procedures. If I made a change to a library that library goes through its testing again. If it passed that, it went into general build and was admitted to the wider testing procedure. We had an entire testing team in a different building who did nothing all day but work through the documented testing procedures. If there were a critical incident report that required higher-priority, then the procedures accounted for that and things would be held back so that this could go out - nothing didn't go through testing. The key point is - as I already explained - things would have to be held back because of it. What you're arguing is that it is okay to hold back all these other things to fix this one thing, you just don't understand that this is what you're arguing. And neither you nor the rest of us are in a position to say whether this bug is important enough to hold back other things for.

              As to "design problems", the specifications team was again, a different team to the programmers. We didn't get part way through something and then realize we actually wanted something else - we were coding to very tight requirements. You're just emphasizing again that you haven't worked on this sort of project.

              >>"Yes you did. You name called people who suggested "it's not complex" or "90 days is plenty of time" - so, unless you're also an "armchair developer", you must therefore think that it is complex, and 90 days isn't enough time."

              I have indeed called people armchair developers. However, you claimed that I was saying that Microsoft "have hence ignored the report with the hope it would go away" which is not the case. Also, I haven't said that 90 days isn't enough time. I've said that it might be, might not be and that in any case a fixed deadline like that clearly is going to be enough some of the time and not the rest of the time. What I actually wrote is that people here don't know. If you can't distinguish between someone saying something is unknown and saying something isn't the case, then no wonder you're committing logical fallacies all over the place.

              >>"You know they're factual, and I only said it was already posted so I didn't need to type it again."

              Saying that people with no familiarity with the code base or procedures are right when they assert that an arbitrary time period is "enough", doesn't carry any weight. Not even if you say it twice.

              >>"You can't discount something just because it was mentioned on here; it doesn't mean it's untrue - otherwise, what you've just said would also be untrue."

              I'm realizing that you are rather limited. Saying that something isn't true just because someone claims it online, is not the same thing as saying something must therefore be untrue because it was said online. Your logic is shoddy and biased.

  29. BongoJoe
    Trollface

    Ninety Days Is Never Going To Be Enough

    It would take more than that to get one of their designers from the Halo TV Studios or Funky Website Department, strip them of their trendy beard, out of their designer chinos, into an old pair of jeans and t-shirt and teach them to write code.

    The days of wall-to-wall developers with badgers in their beards have long gone.

  30. Anonymous Bullard
    Flame

    Wow... and this site is frequented by IT professionals? I wouldn't trust half of these commenters with a calculator!

    The general thought the researchers have is "we might not be the first to have discovered this, and won't be the last - let's get it fixed now before/if it's abused".

    90 days is more than enough time to respond to a vulnerability report, and is more than the standard time - no matter who the reporter is, or who the vendor is. It's standard practice to provide a deadline before full disclosure, to give pressure to the vendors who, quite frankly, don't give a fuck. Something has to be done once the deadline has passed, otherwise why have a deadline? Submitting the details of the bug will force the vendor to either release a patch, or imply that they don't care about the risk to their customers.

    I've had a few reports made against me (both my code and what I've inherited), and the turn-around has never been more than 2 weeks (from report to patch availability) - but then again, I actually give a shit (and I'm paid to produce secure code).

    Defending any firm who takes more than 90 days to respond to a security report and thinking it's acceptable is absolute bullshit, naivety, or just blind fanaticism and for the sake of our industry and those that rely upon it: Get a different job!

    1. Dave Stevens

      In software support, 90 days is an eternity.

      The exploit code can be used to check if your system is vulnerable. That's very useful.

      Also, I'm assuming Microsoft received that code in September which made it easy to reproduce the issue and develop a fix.

      Either Microsoft's release management doesn't care or they have higher priorities. Adding a couple of support staff would have a negligible effect on their profit margin. I find it weird that they have no legal requirements to fix things in a determined time. Surely the US government has critical data on MS servers.

  31. Anonymous Coward

    Can't stop laughing..

    Sorry wha, I was too busy laughing.. Oh look it's Pot - meeting - Kettle!

    Android Binding MVVM Framework!

    Similar to what Microsoft was calling "Prism" under Silverlight until they rapidly changed the name in wake of all the spying disclosures.. what google appears to be doing is strong-arming M$ especially as now most M$ software is rejected for Mobile platforms leaving only one contender.. aka: Android.

    Excellent talk directly available from the Chaos Computer Club in Hamburg available on youtube about elevating the Jit Debugger in ARM processors which contain closed source from Google that exploits of all things.. JAVA.. See: "Don't stick beans up your nose!"

    Then reflect on the leaking tap of information flowing steadily from news outlets and just which "developers" from google were being flown around the world in an F15 jump jet and ah, so Multics really was such a huge failure that the architect of it all, wants to prove it to the world.

    Thankfully those of us that want to maintain some shred of privacy can go back to using a fax machine and buying Sectera products to encrypt the lines as endorsed by the NSA and they can't protest because it's a commercial company and they're in the business of providing good military grade security for money, unlike google that provides crap like the "BlackPhone" with commercial grade bullshit complete with its Java debugger and then expects you to all buy their phone and "trust them" because "they're not evil"...

    Fraud is still fraud and insider trading is still insider trading, regardless of who's trying to pull it off!

    1. MustyMusgrave

      Re: Can't stop laughing..

      There was one load of phones available and those were replicant phones that were free from Google's feelers.. Unfortunately they're fast becoming a rarity as the whole world embraces Android and google makes it its mission to phase those out so nobody may be free from either android, google or microsoft and just wait till they all figure out where SIPDIS and the octopus from Plan-B labs went? Then Google's marketing shares will really hit rock bottom!

      Fuck google & its vision and fuck microsoft too!

      1. Anonymous Coward

        Re: Can't stop laughing..

        Shouldn't have called it Prism.. *Jism* sounds so much more in touch with reality!

        Don't download embedded MatrixSSL for embedded sectera products, you're not allowed to use it if you live in Cuba, Iraq or Afghanistan, clearly it must be weighing heavily on their conscience after they killed half a million people including women and children, as Ms Albright said "the price was worth it!"

        1. Anonymous Coward

          Re: Can't stop laughing..

          Sometimes you just have to laugh, Secure IP Router Network that belongs to hackers... Well then doesn't it stand to reason that such a network, would be public common knowledge amongst the parties concerned? If it were not, then pray tell how do you suppose it came into being? Oh it just grows on trees does it?!? Sometimes people are just fucking retarded! It must be based around some Network Agnostic totally Transparent Protocol.. hmm gee where have I heard of that before? (Research Unix System 10.5) and I suppose the guys that wrote it neglected to mention that it's encrypted from start to finish on multiple layers and the security is bound into the system's Volatile Memory on bootup and it has no web browser! Yeap it turns out that if you remove the battery, the files go *poof* it's magical candy!

    2. Anonymous Coward

      Re: Can't stop laughing..

      Oh look it's Pot - meeting - Kettle!

      It's not a case of "our products are more secure". It's a case of "here's a security hole in your product" then "<no response>"

      1. h4rm0ny

        Re: Can't stop laughing..

        >>It's a case of "here's a security hole in your product" then "<no response>"

        You're saying Microsoft never even acknowledged the Google team's contact of them? Are you sure of that?

        1. Anonymous Coward

          Re: Can't stop laughing..

          Wouldn't worry too much, it really hasn't sunk in with these idiots in their tiny brains yet, I mean there goes the PLA (Peoples Liberation Army) buying up most of the Mobile chip makers and there goes America's chances of buying equipment from the countries that produce it, without backdoors inside it made specially for them. When it finally sinks home with the gravity of how they've screwed themselves quite happily and they start losing serious money because let's face it, everyone is going to be buying retro tech from now on.. Then 35 billion in losses later it might finally sink in, they didn't just put some penis in a uniform on the front line mumbling "cyber" repeatedly, they successfully killed the internet as they know it. The hackers went elsewhere, back to their agnostic networking transparent protocol and left them to wallow in their own filth!

          1. MustyMusgrave

            Re: Can't stop laughing..

            Now then kids this is called a Modem, back in the day this was all the rage, you simply plugged it in and it dialed a number and this piece of software is called PGPFone.. Back in the day this was all the rage too... the supreme chancellor of the Galactic senate hasn't seen one of these in many many years, whilst he's busy signing executive orders with his golden pen!

        2. Anonymous Coward

          Re: Can't stop laughing..

          You're saying Microsoft never even acknowledged the Google team's contact of them?

          They accepted receipt of it.

          1. Anonymous Coward

            Re: Can't stop laughing..

            The only way microsoft will flourish as a tech firm again, will be to out-source to INDIA because all those guys LOVE windows with a passion. "Hello you've reached prakesh, how may I help you!"

            They need to get themselves out of REDMOND and go where people love them as a company all this NOC listed bullcrap floating around on Cryptome tells you that they want to spy on it all, MySpace, Linkedin, Tumblr, Twitter, YouPorn.. It's so overt it's covert.. People knew about it for years and all snowflake did was give them all a wake up call. No wonder Windows went from being "cool" XP service pack 3 with Core Force firewall into Windows 8.1 with no start button and microsoft updates with no advantage! Firewall & Sandbox, what firewall and what sandbox?

            I'll be the first one in line to buy a Google "BlackPhone" the moment I see the President of the White-House using one himself, he wasn't even allowed to keep his "Black-Berry" he had to trade it in for the Sectera Edge at £1,500 a pop and those handsets are powered by the same Free Software his New Satanic Agency has declared war on, although on the surface it's Windows CE embedded with a little bit of MinGW32 thrown in for good measure and no active scripting host!

            Sorry Microsoft, your OS has become Kitty Litter!

  32. -tim
    Thumb Down

    More like a 90-day vuln

    Is 90 days reasonable when part of that 90 includes many holidays? If code is deep enough, fixing bugs can often have nasty side effects resulting in dead-locking the kernel or worse. If the code was severely broken, it might require a rewrite of major systems and the access control elements are spread far and wide in modern kernels.

    I wish people would stop describing this type of thing as a zero day but I expect that ship has sailed. Microsoft has already had 90+ days to fix it. A zero day is a bug that is actively exploited before the coders know about it.

  33. Fading

    So looking forward to my next call from...

    "Windows technical support as there is a problem with your computer." - cold call.

    Instead of my usual nonsense I will now ask if they have addressed this.
