"Adobe worked fast on its patch because Flash malware was already in the wild."
You wrote that as if it was something new.
Google has slung a grenade at Microsoft by disclosing a Windows vulnerability before Redmond has a patch ready. The bug can be exploited by malware on a machine to gain administrator-level access. According to this blog post by Neel Mehta and Billy Leonard of the Chocolate Factory's Threat Analysis Group, the reason for going …
... as it is with Apple, right? Plenty of time for Apple to fix its threading issues, no time for MS (the CVE was reserved on September 9). Even if the bug is being exploited, would it really help to disclose it fully? OK to disclose that it exists and is being exploited; it looks dangerous to tell where it is.
It looks quite clear bug disclosures are becoming a weapon.
Doesn't seem like there's any real value to disclosing it; they don't claim to have a workaround, so other than "be careful" and "install the patch when it comes" (which most people should be doing anyway) I see no value in disclosing it other than for publicity.
Not that I care (as a Linux user), it doesn't really affect me.
"Doesn't seem like any real value to disclosing it"
There is value when you are say Google with a webby ad business and a browser to show them off and gather data with. Note how Chrome/Chromium are unaffected due to their sandboxing - this is probably a dig at IE/Edge.
Perhaps someone could tell us whether Firefox, Edge, IE etc. have similar sandboxing techniques.
I also use Linux exclusively but I am under no illusion that I'm much safer than others purely due to my OS choice - Gentoo - "the lap scorcher"
"Not that I care (as a Linux user), it doesn't really affect me."
Uh huh. Unless, say, your local doctor's surgery falls foul of this exploit and your medical records get stolen? Or maybe someone else that holds sensitive personal information about you. Your security isn't solely in your hands.
I think the value in disclosing it publicly is to get Microsoft to fix it now instead of sitting around until they are good and ready to come up with a fix. If Adobe can knock out a patch to the public in four days, MSFT should be able to come up with a *plan* to release a patch on a zero-day in 10 days.... MSFT, of course, is upset with Google for pointing out MSFT's incompetence. Google plays this stuff straight. They don't care if you are MSFT or some four-person shop. If you have a critical vulnerability, you have seven days to get your stuff together and push out a patch (they actually gave MSFT 10 days) or at least tell your devs about your screw-up and the plan to fix it; otherwise Google is going to tell their devs.... There is no excuse for MSFT's poor security management in Windows. Given the billions they rake in from the only licensed OS, you would think it would be ironclad... that "enterprise level" experience MSFT is always going on about. MSFT just isn't used to having to do things well, as until recently it was a non-competitive market.
There is a difference between informing the world that there is a problem being actively exploited by malware and giving full details on how to exploit it... Especially given that they have only given Microsoft a little over a week to study the problem and fix it.
Yes, warn the public that there is new malware out there that can exploit the problem, but don't tell other hackers, who haven't discovered the issue, where to look and what to do.
By the sound of it, the problem is pretty deep in Win32 and it might not be a five minute fix, as the windows handling functions are used by pretty much all software, so any changes will need to be thoroughly tested to ensure that they don't kill other, valid applications.
It sounds like this Windows bug was being exploited, so there's not much gained by keeping the details "secret" when they're already out in the open.
This is sort of like when hackers grab something and Wikileaks releases it - complaining that the news is discussing your classified material when it is no longer "secret" is kind of pointless.
"Even if the bug is being exploited, would really help to disclose it fully?"
Probably not, but as far as I can see no such disclosure has been made. (Apropos the description in the article, being able to set the ID of a window is something that any normal program can do. It isn't a privilege escalation. Presumably in this case there is some side effect of making the call that *is* a privilege escalation, but we aren't being told what that is.)
Knowing that there is something in this area *might* be useful, except that there are only a few hundred entry points in win32k.sys and these have been the targets of every tool in the black hat toolbox for about twenty years now.
Sometimes it could be laziness; sometimes fixing a kernel bug can require a lot of care, because if it requires some behaviour change, its side effects could be hard to predict and create problems for many applications. Apple took eight months to fix its task switching bug. And Sierra itself caused problems for not so few applications.
First atom tables and now an active, unrelated exploit of 'bloat. It's been too quiet on the bug front for Slurp recently. Waiting for the next nasty to come out.
As far as Slurp being able to patch a bug, they will screw it up at least a couple times before getting it sort of right.
I still haven't got my Windows 7 system to download the last 12 patches yet.... fortunately I don't use it for much these days. Linux is a heck of a lot easier to update, and a lot clearer about what's getting fixed. I have no idea what Windows 10 is doing with its patches or what's in them. Half the time it seems to get stuck on part of the mega patch and then fails. Then I have to reboot and start the mega download all over again. That's when there is a patch, of course....
I'm shocked, *shocked* that a company like Google would throw a zero day hand grenade and have a patch for their browser ready. It must have been for the good of the people because Big Brother... I mean Google, is always working in the interest of the people.
Disagree. Google patched it (side question - how does Google always seem to know more about Windows than Microsoft?). They let Adobe and Microsoft know we have a major issue. Adobe said "Shit, thanks for the heads up" and fixed it days before any public announcement. Microsoft sat on their hands and did nothing for 10 days, three days past the Google security standard for their Chrome devs, then released the info to their Chrome developers... looking out for their devs. Microsoft still doesn't have a plan and blames Google for publicly pointing out yet another Windows 10 issue. Microsoft could prevent Google from releasing critical security issues in Windows 10 if they stopped having critical security issues in Windows 10.
"Disagree. Google patched it (side question - how does Google always seem to know more about Windows than Microsoft?). They let Adobe and Microsoft know we have a major issue. Adobe said "Shit, thanks for the heads up" and fixed it days before any public announcement. Microsoft sat on their hands and did nothing for 10 days, three days past the Google security standard for their Chrome devs, then released the info to their Chrome developers..."
Get real. All Adobe and Google have done is block use of that system call in their sandboxes. They've not fixed anything, they're simply ensuring that it can't be exploited through Flash or Chrome.
Once you have a sandbox, that's a far easier job than actually fixing the bug in the OS itself. For comparison look how long it took Apple to fix their latest (stupid, self inflicted) OS kernel flaw - months. There's probably good reasons why MS cannot fix the bug quickly.
Personally speaking I don't see that Google or Adobe had any real choice. If the bug is being exploited then we have a real problem and they're in a strong position to mitigate against it, fast. But in doing so they're inevitably advertising the existence of the bug. So they may as well just come out with it and give the rest of us a heads up.
In the round it's probably better to mitigate for this flaw in browsers ASAP because that'd always be the primary exploitation route. Gives the rest of us a problem though.
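For a defender who wants to know whether a given program actually runs with the win32k system-call lockdown that the comment above describes Chrome's sandbox relying on, here is an added PowerShell example (not code from the thread or from Google/Adobe). It assumes Windows 10 1709 or later, where the Windows Defender Exploit Guard cmdlets expose the DisableWin32kSystemCalls mitigation; the SystemCall property path and the executable name are assumptions.

```powershell
# Added example: audit and, if needed, enable the win32k system-call lockdown
# for one executable image. Run from an elevated shell on Windows 10 1709+.
# Only a process that never talks to win32k.sys (a sandboxed renderer, a
# worker with no GUI) can run with this mitigation; a program that creates
# windows will fail to start once it is enabled.
$ExeName = 'example-renderer.exe'   # constructed placeholder, not a real image name

# Get-ProcessMitigation returns the per-image settings; the
# SystemCall.DisableWin32kSystemCalls property path is assumed here.
$current = Get-ProcessMitigation -Name $ExeName
$state   = $current.SystemCall.DisableWin32kSystemCalls

if ($state -eq 'ON') {
    Write-Output "$ExeName already blocks win32k system calls"
} else {
    Write-Output "$ExeName has DisableWin32kSystemCalls = '$state'; enabling it"
    # Deny the image's processes any call into win32k.sys, so a kernel bug in
    # that driver is not reachable from inside the sandboxed process at all.
    Set-ProcessMitigation -Name $ExeName -Enable DisableWin32kSystemCalls
}
```

This is the same class of mitigation the comment describes: it does not fix the kernel bug, it only removes the sandboxed process's path to it.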
"A local privilege escalation in the Windows kernel that can be used as a security sandbox escape."
Anyone familiar with Microsoft KBs (a very long list for Win7) will understand how often this type of sandbox escape exploit comes up in the Windows 7 Patch List. It's a common (re)occurrence, along with exploits related to Fonts, Graphics Engine, Remote Desktop Control. Hackers aren't being clever here, they are just sniffing around the existing exploit areas to find even more.
Chrome has so many legitimate ways of lifting users' data (for Google), who needs exploits? That seems to get forgotten here.
Not sure I'm on board with tech companies flinging poo over security like this. It will be patched, we all know this... this really isn't much of a story at all. Any patch will undergo further testing or wait for the next enterprise patch schedule. Don't be surprised if MS waits another week or two... most of us would rather have a quality patch over a rush job.