
Google posts Windows 8.1 vulnerability after 90 days - mmorris
http://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/
======
cheald
This story is surprisingly hostile to Google. A 90-day window after which the
bug is published is about as responsible as responsible disclosure gets. The
headline really rubs me the wrong way, as though Google raced to publish this
vulnerability to spite Microsoft.

Not talking about the bug doesn't mean it's not there, but talking about it
sure makes people aware that they should perhaps take extra precautions until
Microsoft patches the bug. The attitude that "you're giving info to the evil
hackers and now we're all unsafe!11" is the very essence of the fallacy of
security by obscurity - your ignorance of a bug is no guarantee of others'
ignorance of it. Pinning blame on Google for putting us all at risk is the
exact wrong response; Microsoft is to blame for taking more than three months
to fix a critical security bug, which has been there for even longer.

This sentiment is very visible in the comment section - the story's suggestion
that Google did something wrong here, and the torrent of clueless commenters
raging about how evil Google is being is disheartening, to say the least. I
wonder how much of that is a result of the story's tone.

~~~
giovannibajo1
On the other hand, Project Zero publishes kiddies-ready exploits for their
vulnerabilities, which is a very questionable practice for vulnerabilities
which are still in the wild. Even if patches were available, it would be far
better to wait for most devices to be patched before releasing a full exploit.
They did this with iOS and now with Windows. We are now waiting for such
useful ready-to-use exploits for major Android versions as well.

~~~
cheald
Metasploit does the same thing, and we've managed to not have the internet
implode yet.

Yours is the standard argument against _any_ form of disclosure. I'm not
discounting it, because no disclosure has its merits, but responsible
disclosure satisfies both an ethical imperative (you can't let people believe
they're secure if you know otherwise) and provides pressure on vendors to fix
their software, when the vendor might otherwise deem it not worth the time or
money to fix the issue, which leaves their customers vulnerable.

The basic idea behind disclosure is "we might not be the first people to find
this, and we definitely won't be the last, so let's remove all doubt and rob
the bad guys of the element of surprise". Responsible disclosure is intended
to permit responsible vendors to fix the issue before wide publication, but an
uncooperative vendor doesn't mitigate the reality that the bug exists and will
eventually be found by someone less benevolent.

~~~
boracay
It's still just an excuse. Of course there's no liability in computing, so no
one actually has to come to terms with that.

------
dragonwriter
Why isn't the source's headline "Microsoft fails to patch privilege-escalation
vulnerability within 3 months"?

~~~
btian
Because that would cause Microsoft to shift their advertising budget
elsewhere.

Just being practical.

------
DominikD
It's more nuanced than the article or commenters on HN want it to be. If there's a
constant communication channel between companies and there's a reason to
believe that a patch can't be created in 90 days, sticking to deadlines seems to
prioritize the wrong things.

On the other hand, if MS wasn't responsive enough and upfront about the time
it'd take to patch and the reasons for that, then sure, 90 days seems more than
enough leeway for Microsoft. But I don't know how things worked, and I've seen
enough to assume that both scenarios are possible.

------
doe88
I think the initial principle of the disclosure policy is good; it is intended
to put a bit of pressure on _bad_ vendors to fix their bugs. That said, I don't
think we can classify MS as a _bad_ vendor. They fix a lot of critical issues
every year, they certainly have their own internal teams working on security
issues, they're _responsible_.

Vendors with a quite good track record should be allowed to have some slip-
ups. You cannot compare a vendor who doesn't fix anything on time with one
that usually fixes issues promptly but occasionally shows a delay on a report.
The process should take that into account. I think the binary handling by
Google on this one is not very well thought-out.

------
lawnchair_larry
What a terrible linkbait headline.

~~~
dang
We edited the title in an attempt to make it more neutral.

------
mcintyre1994
> It is important to note that for a would-be attacker to potentially exploit
> a system, they would first need to have valid logon credentials and be able
> to log on locally to a targeted machine.

Are Microsoft downplaying, or is this genuinely quite minor? The article
discusses a disgruntled employee, and since all their money comes from
Enterprise, presumably a disgruntled employee being able to cause major damage is a
pretty huge problem?

~~~
scarmig
A not-particularly informed take:

It means that every user effectively has root privileges. Which means that
every user can eavesdrop on other users, view their saved data and files
(unless encrypted on disk), intercept their network communications,
impersonate them, steal their passwords (system, application, external web
sites).

How bad that is depends on your particular use case. But for pretty much any
setup where security is a concern or there's any sensitive data at stake, this
is a very serious issue.

~~~
jenscow
However, in the case of Windows, this issue isn't as severe as it would
be on a unix-like, for example.

With the setup of Windows servers I've seen, only the admin logs in anyway.
It's not really used as a "multi-user" system per se, where you get different
users logging in at the same time. It does happen, but it's not common.

~~~
scarmig
Hahah, I figured Windows might be slightly better about this, hence the
self-admitted uninformed take.

Could you clarify, though: do you mean to say Windows isn't as vulnerable
because of cultural reasons (i.e. Windows systems aren't multi-user usually)
or because of technical ones (they support something like SELinux out of the
box)?

~~~
jenscow
The _impact_ isn't as severe, for cultural reasons.

------
dang
Url changed from [http://www.pcworld.com/article/2864312/google-discloses-unpatched-windows-vulnerability.html](http://www.pcworld.com/article/2864312/google-discloses-unpatched-windows-vulnerability.html), which points to this.

------
Siecje
This is going to be more common when Windows 7 is no longer supported
2015-01-13.

~~~
_delirium
Windows 7 has security support through January 2020 [1]. What's ending this
month is "mainstream support", which seems to mean new features, phone
support, etc. [2]

[1] [http://windows.microsoft.com/en-us/windows/lifecycle](http://windows.microsoft.com/en-us/windows/lifecycle)

[2] See point 6 at
[http://support2.microsoft.com/gp/lifepolicy](http://support2.microsoft.com/gp/lifepolicy)