
Google's Project Zero exposes unpatched Windows 10 lockdown bypass - _o_
https://www.zdnet.com/article/googles-project-zero-reveals-windows-10-lockdown-bypass/
======
andrewguenther
To people calling this a dick move by Google, I encourage you to look at the
actual issue in Monorail. The reason given for not extending the deadline was
that the issue is not particularly severe, and there are also similar bypass
issues which are currently unpatched. If it isn't going to help protect
customers, what's the point in granting an exception?

https://bugs.chromium.org/p/project-zero/issues/detail?id=1514#c3

~~~
braythwayt
Alice: "My bug isn't particularly severe, and there are similar issues from
Bob and Carol. If it isn't going to protect customers, what is the point in
fixing it?"

Bob: "My bug isn't particularly severe, and there are similar issues from
Alice and Carol. If it isn't going to protect customers, what is the point in
fixing it?"

Carol: "My bug isn't particularly severe, and there are similar issues from
Alice and Bob. If it isn't going to protect customers, what is the point in
fixing it?"

~~~
Dylan16807
First off, this is about disclosure, not fixing.

Second, you're neglecting the time aspect.

This is a valid argument: "There's a similar issue that Microsoft hasn't
bothered patching for months, so what's the point in keeping it secret?"

This is not a valid argument: "In a few months there will be a similar issue,
so what's the point in keeping it secret?"

So there is no loop leading to mistakes.

------
nikic
The only "dick move" involved here is the fact that zdnet wrote this article.
Minor security issue lapses standard disclosure deadline? Who cares. Instead
we get this attempt to sensationalize this into some kind of big Google vs.
Microsoft rivalry.

------
ge0rg
Original source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1514&q=

~~~
saagarjha
Could someone who’s more knowledgeable about how Windows works than I am
provide a semi-technical explanation of how this works?

~~~
campuscodi
Yeah. It's not as severe as the article makes it seem. It's just a bypass in a
very insignificant component for which you need 2-3 other vulns to exploit.

I presume the editor just wanted to put an article out with Microsoft and
Project Zero in the title, rather than analyze the actual flaw in the context
of its severity.

------
bitmapbrother
_Google reported the issue to Microsoft on January 19. Microsoft confirmed the
issue about three weeks later_

Microsoft should make a mental note that when you receive an email from a
member of Google's Project Zero team you don't wait 3 weeks to respond.

~~~
bootloop
Answering an email and confirming an issue is not really the same thing.

~~~
bitmapbrother
If it takes 3 weeks to confirm an issue reported to you by a Project Zero team
member, especially when they provide you a detailed report on how to replicate
the exploit, then you need to optimize your process.

------
dewiz
Google, you have 90 days to stop tracking web users, then Windows will start
asking desktop users if they would like to block tracking by filtering DNS
requests

~~~
rasz
This could have happened 10 years ago; today Microsoft has embraced tracking
and spying. Win 10 grabs more info about you than Google.

~~~
hello_asdf
It's unfortunate that this is necessary, but you can use this if you'd like to
limit that a bit. You'll have to put it on your router or on your own dns
server though, as I think Windows will ignore some hosts from the system file.

https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt
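The resolver-side version of the suggestion above, as an added example that is not code from the thread or from the WindowsSpyBlocker project: it parses a hosts-format list (the format that file uses; the sample lines here are constructed, not taken from the real list) and emits dnsmasq `address=` rules for a router or local DNS server. The hostname regex, the loopback skip-list and the decision to require a dotted name are this example's own assumptions, not something the list specifies.

```python
"""Convert a hosts-format blocklist into dnsmasq address= rules.

Added example; not from the HN thread or the WindowsSpyBlocker project.
Assumes the common hosts-file layout: "<ip> <name> [<name>...]" per line,
'#' starts a comment. Entries the parser does not trust (bad IP, malformed
name, loopback aliases, single-label names) are skipped rather than written
into the resolver configuration.
"""
import ipaddress
import re

# Constructed sample in hosts-file format (NOT the real spy.txt contents).
SAMPLE_HOSTS = """\
# constructed sample list
0.0.0.0 telemetry.example.invalid
0.0.0.0 vortex.example.invalid   # inline comment
0.0.0.0 WATSON.Example.Invalid.  settings.example.invalid
127.0.0.1 localhost
::1 ip6-localhost
not-an-ip telemetry.example.invalid
0.0.0.0 bad_host!name.invalid
0.0.0.0 telemetry.example.invalid
"""

# RFC 1123-style labels: 1-63 chars, alnum or hyphen, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)
# Names that appear in stock hosts files and must never be sinkholed.
LOOPBACK_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts_blocklist(text):
    """Return a sorted, de-duplicated list of hostnames to block."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])    # first token must be an IP
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")    # normalise case, trailing dot
            if name in LOOPBACK_NAMES or "." not in name:
                continue
            if not HOSTNAME_RE.match(name):
                continue
            names.add(name)
    return sorted(names)


def to_dnsmasq(names, sink="0.0.0.0"):
    """dnsmasq syntax: address=/<name>/<ip> answers <name> and every
    subdomain of it with <ip>; 0.0.0.0 is a conventional sinkhole address."""
    return [f"address=/{name}/{sink}" for name in names]


if __name__ == "__main__":
    for rule in to_dnsmasq(parse_hosts_blocklist(SAMPLE_HOSTS)):
        print(rule)
```

One caveat worth knowing before deploying the output: a hosts-file line matches exactly one name, whereas dnsmasq's `address=/name/ip` also answers for every subdomain of `name`, so the rules above are broader than the source list. If a list contains names whose subtree you rely on, check the generated rules before installing them, or use dnsmasq's `host-record=` for exact-name entries.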

------
jacksmith21006
Why does MS struggle so much with security?

~~~
jiveturkey
Why does everyone struggle so much with security?

~~~
jacksmith21006
ChromeOS has been secure since the get-go. It just seems weird that Google can
do it and MS struggles so much.

Now you get GNU/Linux out of the box, but with security intact.

~~~
hs86
Are you aware that ChromeOS comes without the GNU userland?

------
avttre
Why 90 days? Why not 30, 14, or 7? Microsoft might have requested responsible
disclosure for exploits affecting Windows, but what gave Google the right to
set a deadline?

I feel the 2 US companies have a friendly competition with each other which
can help secure their systems.

~~~
saagarjha
Nobody has any right to set a deadline. The 90 days is merely Google being
courteous.

~~~
fintler
For something installed on so many devices, 90 days seems like an incredibly
tight timeframe to change anything.

~~~
ge0rg
Don't forget that these 90 days are also 90 more days where this vulnerability
can be exploited by attackers.

Microsoft has set up a patch delivery infrastructure that's pretty effective
and comparably fast by industry standards, if not deactivated by the people
who got offended by the forced Windows 10 upgrade and feature creep.

~~~
gmueckl
Well, Windows Update is forcing me to deactivate it on one machine because it
continues to make it unusable. I have come to terms with most quirks of the
forced updates, but in this particular situation Windows is nasty and
uncooperative.

Add to it Microsoft's well-established unwillingness to provide any useful
diagnostic information, and suddenly the only way to use the machine is to not
update it.

------
finchisko
I think there are so many points of view here. I'm not going to defend Google
nor Microsoft, but imagine you're paid by Google to work on security issues.
What would be the metric to prove your existence if there were no public
awareness of your work, like this zdnet article? Project Zero, IMO, needs to
show from time to time that they exist and are doing a great job. I think that
could be one of the reasons why they resist prolonging the standard 90-day
period.

~~~
lvh
I have a hard time thinking of a more elite team than P0. They earned their
stripes long before they got there. The disclosure policy is the right thing
to do, not to make someone feel better about their job.

~~~
finchisko
It's one of the points of view, not saying the most significant one.

------
kerng
Read about the details. Wow, having a bug like this discussed so broadly
shines a bad light on Google IMHO. It appears like targeted news against
Microsoft. It's a not very newsworthy defense-in-depth issue. If an adversary
can modify the registry, they can do a lot more harm.

------
foepys
Denying the deadline extension to May 8th [1] is quite a dick move by Google,
considering that it took them 6 _months_ to fix the extremely harmful sitemap
ranking bug in their search engine[2]. And after they fixed the bug, they only
paid peanuts to the researcher for a bug that could've cost Google's customers
tens of millions in misplaced ad campaigns.

1: https://bugs.chromium.org/p/project-zero/issues/detail?id=1514#c3

2: http://www.tomanthony.co.uk/blog/google-xml-sitemap-auth-bypass-black-hat-seo-bug-bounty/

~~~
jhall1468
First of all, Google has no responsibility to give _any_ period of time. It
isn't a "dick move". Second, the researcher in question:

1) Never gave a required date for disclosure.

2) Upon requesting the right to disclose, was told no and he followed suit.

3) Was initially offered a bug bounty of $1300, which was upgraded to $5000. He
apparently never bartered on that issue at all.

So your entire post was completely irrelevant.

~~~
shawnz
> First of all, Google has no responsibility to give any period of time. It
> isn't a "dick move".

The motivation of the project is supposedly to protect Google's users. Being
firm on disclosure deadlines helps ensure that vendors take the issue
seriously. Did they have any indication that Microsoft wasn't taking this
seriously? If not, then it sounds like their true motivation is elsewhere.

~~~
Dylan16807
> Did they have any indication that Microsoft wasn't taking this seriously? If
> not, then it sounds like their true motivation is elsewhere.

That doesn't follow. The primary reason to be firm is to ensure that vendors
take _future_ issues seriously. Belief that the vendor is serious about a
single issue removes only a tiny fraction of the motivation to be firm on
deadlines.

~~~
jrockway
There are two possible outcomes with any security issue:

1) The issue is so obscure that nobody else in the world will ever discover
it, so not disclosing it to anyone but the vendor is the right choice.

2) The issue has been discovered by someone with malicious intent, and every
second that you hide the details from the users, they're at risk.

You can't know which case applies, which is why policies about disclosure are
useful. If a vendor is informed of a security hole, and they immediately fix
it, great, users are saved. If a vendor is informed of a security hole, and
they do nothing... eventually users will have to mitigate the risk in their
own way (which is usually "stop using the flawed product"). A disclosure
deadline strikes a balance; in many cases it's pretty likely that no evildoers
have independently discovered the flaw, but would be able to exploit it if
they knew the details. So giving the vendor a bit of time to fix the issue is
the best solution. But given infinite time, all bugs will be discovered and
exploited, so the longer you wait to fix or mitigate, the more risk you take
on. Therefore, I think Google's policy strikes a very reasonable balance
between protecting through patching and protecting by telling users to use
something else.

With that in mind, I have no real qualms with people that disclose flaws
immediately (letting users be aware of their risk), or vendors that fix an
obscure bug that's not being exploited slowly. In the end, if users want to be
free from all risk, they should be finding and mitigating these issues
themselves... anything you get for free out of someone else's goodwill is a
benefit.

