
Google Researcher Publishes Windows 10 Zero-Day Security Vulnerability - jaden
https://www.forbes.com/sites/daveywinder/2019/06/12/warning-windows-10-crypto-vulnerability-outed-by-google-researcher-before-microsoft-can-fix-it/
======
helper
Tavis didn't write the bug he just found it (through a lot of hard work). This
was free security research given to Microsoft. He gave them a very reasonable
amount of time before disclosing the bug (if the disclosure window was 180
days and MS missed it people would be complaining just the same as 90 days).

There's no reason why someone else couldn't discover this bug and exploit it.
I would rather know that I am vulnerable than be ignorant and assume my
software was safe when it in fact was not.

Thanks taviso for all the great security work you do. (Also 2004 me would like
to thank you for your cool fvwm configs).

~~~
oblio
> (Also 2004 me would like to thank you for your cool fvwm configs).

So much time wasted^W invested in those FVWM configs... I could never get it
working quite as magically as Tavis Ormandy or Thomas Adam made it look like.

------
michaelt

      "Personally I think it's a bit harsh,"
      Wright says, "every fix is different
      and they should allow for some
      flexibility in their deadline."
    

As far as I can tell, (1) this is a denial-of-service bug, not a privilege
escalation or remote root exploit, i.e. a low-severity bug; (2) it is unlikely
any code depends on the infinite loop triggering, meaning this fix doesn't
call for great architectural upheaval; and (3) the deadline was already
extended to 91 days, rather than the usual 90.

If you'd give out deadline extensions for this bug you'd give them out for
almost any bug, so you may as well not have deadlines at all.

~~~
nocturnial
For anyone wondering why the one (1) day extra, Microsoft has a fixed patching
schedule. The patches were released on June 11 Patch Tuesday. They needed the
extra day to check if it was included in the June 11 patches.

~~~
gpm
Does anyone else think that microsoft's policy here is ridiculous?

"We know your stuff is broken to the point of being insecure and a risk to
your business because we screwed up when making it. We know how to fix it.
We've done the work to fix it. No we won't actually fix it until a few days
from now."

~~~
CGamesPlay
No. If you sold cars and realized that there were some buttons you could push
on the AC unit that would cause it to catch fire, you wouldn’t remotely shut
off my car to perform the repairs while I was driving down the highway.

The customers who “need” patches have a business to run, and forcing their
computer to reboot in the middle of the workday for some service that may not
be exposed at all on their network would be a good reason to avoid Microsoft
products for said customer.

~~~
cf498
Are there actually businesses who just use the normal Windows updater?
(Ignoring smaller businesses without IT departments for a second). I assumed
the forced patching at boot/reboot was a consumer version thing? An unforeseen
update from Microsoft can just shut down your business?

~~~
technion
Whilst servers are in a different category, multiple Windows Updates have
changed the way updates work. Look at the Dual Scan situation[0]. People who
had central management applied one update and suddenly found desktops also
accepting updates from the Internet.

Then you've got the fact that "Professional Edition" was once a perfectly fine
solution for businesses, but suddenly the ability to properly control updates
like you suggest required Enterprise Edition. These aren't the only issues.

There's always someone who points out that if you have basically unlimited
free time you can stay on top of all of it, but at the end of the day a lot of
businesses still find surprise updates happening. I just got a sales call for
a third party business product with the tagline "Disable Updates automatically
applying (Yes, REALLY!)" as a listed feature.

Finally you can top it all off with the BYOD trend, where people often expect
to run their own machines without management software.

[0] [https://www.thewindowsclub.com/dual-scan-windows-update](https://www.thewindowsclub.com/dual-scan-windows-update)

~~~
cf498
Thanks for the insight

------
Aissen
To anyone who still thinks a 90-days deadline (with up to 14 additional days
for patch release alignment) isn't fair enough, I invite you to look at the
timeline for this report:

[https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html](https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html)

This is remote code exec on _any device_. Yet without hard deadlines,
vendors stall, lie, etc. This isn't the first example of this. There have been
many throughout the past. Project Zero's policy is actually very well thought
out, and state of the art IMHO.

~~~
kriro
Quite frankly, a multi billion dollar software company like Microsoft should
be ashamed of themselves for not fixing a 0-day in 90 days. Even with all the
non-coding involved and rolling it out properly they should probably be
ashamed if they can't do it in a week.

~~~
wglb
How about not putting the flaw in in the first place?

~~~
Operyl
Who writes perfect code? Generally speaking, I find the more people working on
a single codebase the more chance you have for introducing flaws.

~~~
wglb
There are many examples of near perfect code.

~~~
mrguyorama
Yet you did not name examples?

~~~
AnaniasAnanas
How about NaCl and basically almost everything made by DJB?

------
noname120
Can we change the link to the original source[1]? The current article[2] is
sensationalized and contains inaccuracies.

[1]
[https://twitter.com/taviso/status/1138469651799728128](https://twitter.com/taviso/status/1138469651799728128)

[2]
[https://www.forbes.com/sites/daveywinder/2019/06/12/warning-windows-10-crypto-vulnerability-outed-by-google-researcher-before-microsoft-can-fix-it/](https://www.forbes.com/sites/daveywinder/2019/06/12/warning-windows-10-crypto-vulnerability-outed-by-google-researcher-before-microsoft-can-fix-it/)

------
olliej
It's not a zero day, it's a 91 day. Some bugs can be complex to do root cause,
fix, and verify a bug. But 3 months for what _appears_ to be a validation
failure seems more than sufficient.

Obviously we'll need to wait until the actual fix comes out to see if the fix
was more substantial.

~~~
_wmd
I've been around infosec for 21 years and this is still a 0day. That term has
no strong definition, certainly not one that would allow precise
interpretation as above, but in this case even a vague sense of what it means
covers the situation easily: _users_ have had no time to patch.

~~~
all_blue_chucks
Can confirm. "Zero day" means you've had zero days to patch. The term has been
used this way since, IIRC, the late 1990s. See Phrack 53 for an example:

[http://www.textfiles.com/magazines/PHRACK/PHRACK53](http://www.textfiles.com/magazines/PHRACK/PHRACK53)

~~~
alltakendamned
Wrong. "zero day" means the _vendor_ has had zero days notice. Few companies
and even users patch the same day a fix comes out.

~~~
ghusbands
Words are used to communicate, and language is fluid and changes over time.
Clearly, zero-day is being used and understood by many to mean simply
"unpatched", and so that is a reasonable definition. If ever you're arguing
that a significant proportion of people are using language incorrectly, you're
probably on the wrong side of history.

~~~
heyoni
Don’t you just love it when people pull out their dusty tomes to prove to you
that you’re wrong? It’s so pedantic yet also incredibly ignorant of how
dynamic languages are.

I got yelled at once for using the word “cheap” to mean “inexpensive” once and
wish you had been there with me.

------
Operyl
His Twitter thread about it, complete with the usual complaining about the 90
day policy from the gallery:
[https://twitter.com/taviso/status/1138469651799728128](https://twitter.com/taviso/status/1138469651799728128)

(I think the policy is fine, personally).

------
MattSteelblade
The bug report [https://bugs.chromium.org/p/project-zero/issues/detail?id=1804](https://bugs.chromium.org/p/project-zero/issues/detail?id=1804)

------
altmind
Seems to be a DoS against the application using CryptoAPI. certutil <cer>
seems to hang but can be killed without negative effects on the system. Any
timeouts in CryptoAPI ops will prevent this. According to the report:
Severity-low

I really don't think Forbes is a good medium for publishing a digest like
this - the public there is very broad and doesn't have the expertise to evaluate
what's been presented.

------
syn0byte
If you see a bridge or a building with cracks and signs of structural
weakness, be sure not to tell anyone, you might start a panic. Instead
directly contact the engineering firm and give them at least 90 days to
rectify the issue before telling the public.

If you experience a defect in your automobile that causes your steering to cut
out intermittently do not alert other users of the same make and model.
Instead contact the manufacturer and give them 90 days to fix the issue
internally and mail you a new part.

If a drug you are taking causes a serious reaction quietly contact the maker
of the drug directly...

See how incredibly stupid "reasonable disclosure" sounds in other industries?

------
ClassyJacket
"As already mentioned, Project Zero has a 90 day disclosure deadline and this
was applied to this vulnerability. It was first reported by Ormandy on March
13, then on March 26 Microsoft confirmed it would issue a security bulletin
and fix for this in the June 11 Patch Tuesday run."

How is that a zero day? Isn't it a 91-day? What is the meaning of zero day in
this context if there were actually 91 days between reporting to Microsoft and
public release?

~~~
anaisbetts
Users / IT Admins got zero-day'd, Microsoft didn't

~~~
masklinn
So not a zero-day.

~~~
ghusbands
Words are used to communicate, and language is fluid and changes over time.
Clearly, zero-day is being used and understood by many to mean simply
"unpatched", and so that is a reasonable definition. If ever you're arguing
that a significant proportion of people are using language incorrectly, you're
probably on the wrong side of history.

------
brynet
Lately OpenBSD has been consistently pushing out new security errata, with as
quick as a ~3 day turnaround from finding/reporting to released fix, even for
difficult issues; like Intel MDS.

If OpenBSD can do that, why can't Microsoft.

~~~
xyzzyz
Because if OpenBSD pushes out a broken patch, nobody will care, as this is
business as usual in the free software world, shit breaks, WITHOUT ANY WARRANTY
and all that. On the other hand, if Microsoft does that, customers paying
millions of dollars will get pissed.

That said, 100+ days to push out a patch is indeed ridiculous.

~~~
brynet
Except OpenBSD isn't shipping broken patches.. so I'm struggling to see your
point.

There's a pretty substantial difference between 3 days and 90 days (or 100).
And one could argue that any amount of days after the embargo ends, is plenty
opportunity for their paying customers to remain vulnerable without having
provided any fixes, regardless of whether it is broken or not.

~~~
xyzzyz
I seriously doubt that OpenBSD can ensure that their patches don’t break their
users in 3 days. Additionally, if their patches do break their users, OpenBSD
can, unlike Microsoft, claim that it’s working as intended, and if you don’t
like it, tough shit. Microsoft doesn’t really have this as an option.

~~~
qaq
You are extremely generous in assuming Big Corp is using the whole 90 days for fix
and validation. It might have been sitting in a backlog for 90% of that time.

------
protomyth
It is curious that Google is perfectly fine keeping an Intel embargo for a
long while when it affects them, but is very strict about disclosure when the
exploit affects others.

~~~
auiya
Why do you assume Google wouldn't be affected by a Windows bug? Have you
forgotten about the compromise of their corp networks by a Chinese APT in
2008/9 which leveraged Windows as the attack surface? The reason for
disclosures like this to expedite bug fixes is because they have skin in the
game.

~~~
protomyth
There is a rather large difference between Google's own OSes, software, and
services; and the stuff Google uses. Google has the resources to mitigate
problems with what they use from others much faster than most customers of
their competitors.

------
cyberbase
Notices, pressure or teeth, should be effective and reduce harm...

1. Notify manufacturer with details, start 90 day clock.

2. 90 days: notify public of discovery and notice date, NO public details. Notify reputable security vendors of details to prep defense of un-patched bug.

3. 180 days: release limited details publicly and date of notices to MFG and sec vendors.

THIS will build public pressure on the whole ecosystem and limit impact.

~~~
Operyl
At step 2: any release of any information is enough to get people looking in
the right general direction.

------
dagaci
Writing code, and especially bug fixing issues with complicated code, is not as
deterministic as most people imagine. And any developer knows that they
should definitely expect the unexpected! But few seriously wonder what's going
on when we agree to estimate for them.

So getting up-tight and blaming engineers for having delays is just as random
as having a 90 day deadline.

------
jzzmnn
June 12, 2019 Huge Cybersecurity Global Alert which proves Microsoft patches
won't fix 2006-2019 front and backdoor vulnerabilities created by FVEY, Nine,
Fourteen Spying Eyes Google belongs to.

------
zelon88
I really can't wait until Microsoft does this to Google and Google sues them
into the sunset. Something tells me big G wouldn't like a taste of its own
medicine in this department.

~~~
Operyl
Except .. Project Zero has released stuff affecting other Google teams before.
It’s universal.

------
boringuser1
Lots of people pretending Google has Microsoft's best interests at heart.

~~~
CydeWeys
Where is this happening?

------
leereeves
The majority of users won't see this notice. They'll be more vulnerable
because it was published and they still won't know it.

Disclosing the details like this hurts innocent bystanders.

~~~
Dylan16807
Leaving bugs unpatched hurts innocent bystanders.

Disclosure schedules reduce time-to-patch by a _lot_. But only if they have
teeth.

~~~
leereeves
Project Zero just told everyone how to exploit a bug that won't be fixed for a
month.

Even if that is (arguably) better than "having no teeth", that doesn't make it
a good idea. Perhaps they can find better teeth, a response that doesn't
involve helping bad actors when vendors fail to patch quickly.

~~~
Dylan16807
> Perhaps they can find better teeth

Feel free to suggest!

But _wanting_ something to be true isn't enough. And I can assure you,
everyone _wants_ that.

~~~
leereeves
Why not publish the existence of the vulnerability without any details?

That is the only information most people will get from the disclosure anyway.
Only the black hats are helped by disclosing the details.

~~~
dvdkon
Blackhats knowing is what makes companies patch the vulnerabilities. Not
enough people care about there being an undisclosed vulnerability for the
company to expend resources.

~~~
leereeves
Microsoft doesn't care about fixing vulnerabilities unless Google forces them
to?

~~~
wysifnwyg
Not many companies care about fixing vulnerabilities until they actually have
to.

