
Google discloses another Windows security issue after deadline exceeded - doe88
https://code.google.com/p/google-security-research/issues/detail?id=128
======
RogerL
So there are 3 issues [1] against OS X, released a while ago, and one against
Microsoft. Why the HN focus on the Windows bugs? At least Microsoft is
communicating with Google, and has patches planned, just not on the exact
timeline of the arbitrary 90 day deadline. Is there something about the OS X
ones that doesn't warrant the same exposure/discussion?

[1] [https://code.google.com/p/google-security-research/issues/li...](https://code.google.com/p/google-security-research/issues/list)

~~~
username223
I think the issue is not the bug count, but that Microsoft tells Google "we
will release a fix on day X," and Google says "X is past an arbitrary day we
chose, so sad" and discloses a zero-day. Some people think it's an
irresponsible PR stunt by Google, others that Microsoft would just put off
fixes forever if Google didn't do this.

Maybe there's a similar story with OS X, but there doesn't seem to be a public
record of it.

~~~
ahoge
> _[...] and discloses a zero-day._

90-day, you mean. It's only zero-day if they had zero days to come up with a
solution. That's what "zero-day" means.

~~~
Truff
Actually, 0-day refers to the time since public disclosure.

~~~
ahoge
If that would be the case then we would have another term for the thing I just
described, because that's the worst case scenario.

Anyhow, the Wikipedia article disagrees with you, too. Got any sources for
your definition?

------
tszming
In other news, Google stopped fixing security bugs which cover 60% of the
current Android users (4.3 or older) [1]. Not saying Microsoft is right, but they
just dropped Windows XP support last year (that is >10 years of support).

[1] [http://arstechnica.com/security/2015/01/google-wont-fix-bug-...](http://arstechnica.com/security/2015/01/google-wont-fix-bug-hitting-60-percent-of-android-phones/)

~~~
Karunamon
Thank the carriers for being jerks for that one. I know on the last time this
article came up I took a hard line on them, but upon further reflection, it's
not like they can just write a patch and have it out in a week. Heck, it takes
_months_ for point releases to go through acceptance testing at the carriers,
and probably not insignificant amounts of cash.

At least they're starting to own more of the ecosystem. I wouldn't expect this
to be as big of a problem on newer devices.

~~~
r00fus
Carriers not rolling out updates a) doesn't waive Google's responsibility to
roll out patches to their largest OS cohort and b) is really all Google's
fault because they let the carriers get away with it and have never reined
them in even after years of incompetence on the carriers' part.

It's not an excuse.

~~~
bestnameever
Why are you blaming Google, and not Samsung, HTC, LG? Aren't they the ones who
produce software updates for their phones?

I really don't see how Google is stopping them from updating their handsets.

~~~
r00fus
See, the beauty of the situation is that _they are all at fault_. However, only
one company makes the core OS software these hardware manufacturers run on.

Perhaps if Google provided the update and the pressure could be put on the
manufacturers to roll out the update to their paying customers...?

~~~
Karunamon
That assumes that you can make enough consumers with these (relatively) older
devices care loud enough for any "pressure" to be applied to the
manufacturers.

Security updates aren't sexy and don't get applied unless they include shiny
things along with them.

~~~
r00fus
Right now, the customers have zero power because Google and the manufacturer
simply point fingers at each other as to who's to blame.

Releasing the update gives the customer power to press for pushing their
manufacturers.

The whole model where carriers or manufacturers can send updates is
ridiculous. Carriers update baseband. Manufacturers should defer to Google for
core OS updates and Google Play. The fact that they're even involved is simply
a recipe for disappointment.

It's bad for everyone because compromised machines simply reward and embolden
the criminals, which will eventually increase the harm to everyone who isn't a
criminal.

------
FesterCluck
It should be noted as a point on this specific bug that, since it wasn't fixed in
the EXTRA time allotted and subsequently disclosed, this is a good thing.
Impersonation is something that Windows administrators can readily disable and
manipulate via Group Policies and Active Directory. There's not a one-fix-for-
all disable in this case, because impersonation is used in very nuanced ways.
That being said, every organization can quickly and with a little effort
tighten up their impersonation rights.

------
cLeEOGPw
What I would like for Google to do is, instead of publishing the details of the
bug after the deadline, to publish a vague summary of the vulnerability, so
people would know it exists but not quite be able to exploit it right away. That
would both inform people about the danger and put pressure on MS, but without
putting so much risk onto systems.

~~~
hawleyal
That is not providing information about how to protect against the
vulnerability regardless of a patch from Microsoft. Full disclosure is the
only way to go.

------
misterdai
I can understand both points of view with the disclosure of the security
issue. A while ago I discovered some security issues with Adobe ColdFusion and
Railo. I wish I had put a deadline on disclosing the Adobe ColdFusion issues,
as they dragged their feet so much (with admitting it was an issue and
progressing with a fix) that at points I felt like throwing in the towel.
Regrettably, instead of lighting a fire under their ass, I waited. At the time
I was working on an open source side project, which would have pointed fingers
towards where the issue was for any curious people.

I ended up halting development of my project while I waited for Adobe, to the
point where I no longer wanted to work on it. I had stopped for too long and I
didn't want to dig anything else up. Having no legal-type knowledge myself or
knowing anyone who could offer such advice, I was also too concerned to reveal
anything for fear of any legal reprisal.

So, the threat of security disclosure is warranted to pressure others into
putting in the effort. However, the impact of the disclosure should be
considered. If it will seriously affect others (who aren't responsible for the
fix) and put them at risk, there should be the flexibility there to work with
them on a deadline.

~~~
sjwright
Did Railo fix the bug?

~~~
misterdai
They fixed one of the issues I reported. I don't believe I had official
confirmation of the other issue I had with Railo being resolved. I probably
should try it out again on their latest version, but I don't use Railo and
haven't found myself with much fondness for ColdFusion either.

But I should probably pull my thumb out and check ;)

------
nurb
Google should ask for money to keep it secret longer. Around $30,000 a day IMO.
Then give this money back to Android device manufacturers scammed by
Microsoft.

------
mrmondo
As they should do. Microsoft is notoriously bad at security patching and has
had more than enough time to issue a suitable fix. It won't be until we start
doing this with all (closed source) vendors that we'll actually see
improvements - otherwise what incentives are there for these companies? Making
themselves look good is their primary objective, right next to sales.

------
eyeareque
Hopefully this inspires change within Microsoft's development processes.
Security issues are a big deal. While 90 days is difficult for them (and other
companies), I'm sure with some investment in process improvement and/or hiring
more staff, they can get these fixes out faster. They owe it to their
customers to do the right thing.

~~~
icehawk219
Somehow I foresee Microsoft trying to rush out a security patch to a hugely
complicated piece of software so it can be distributed to hundreds of millions
of devices running countless hardware configurations just to appease Google
ending very poorly for everyone but Google's marketing department.

~~~
eyeareque
Is it unreasonable to expect a company like Microsoft to be able to release a
stable fix to protect their customers within 90 days?

------
danesparza
What software is this for? Chrome? It's not clear from the bug report.

------
dkarapetyan
Dick move by Google.

~~~
amaks
Yeah, Google really should not worry about discovering all those
endless Windows vulnerabilities and should let all those hacks (such as Sony's)
continue. Security by obscurity.

------
NigerianPrince_
The first thing Microsoft does when they learn about a zero-day is to hand it
to the NSA. Microsoft doesn't get to fix it until the NSA tells Microsoft
they're done exploiting it. Google may be pissed about this. They've been
pissed off before about NSA's shenanigans.

~~~
WorldWideWayne
I suspect that Google is an NSA front organization, which is why Google
_appears_ to be pissed at the NSA.

In any case, I think both Microsoft and Google would be high value targets for
all sorts of infiltration by the NSA, whether it's sanctioned by the power
structures of these companies or not.

~~~
0xDOOD
So HN has gone from seeing Google's name on a PRISM slide, to assuming it's
entirely an NSA outfit?

Apple was on one of those slides. I suppose they're an NSA front organization
as well?

~~~
WorldWideWayne
I'm just a single HN'er and I wasn't really thinking of PRISM... I was
thinking more along the lines of how obviously valuable it would be to the NSA
to either A) start companies like Google or B) infiltrate them.

I also said that I _suspect_ that's the case, not that I _assume_ it to be.
Given that the NSA seems to do what it wants and the obvious motivation for
infiltrating or starting companies like Google... I think the suspicion is
warranted.

------
yuhong
Doubling the deadline to 180 days is probably reasonable IMO.

~~~
markcerqueira
Might be, but I'm sure if it's important they would allocate resources to
getting it fixed ASAP.

I doubt the fix for this and testing takes 90 days, or even 45 days.

~~~
rinon
This apparently _does_ take that long, but should absolutely not.

~~~
higherpurpose
Either Google is sending Microsoft bug reports like rapid-fire, and Microsoft
has already fixed dozens of them that we haven't found out about - or for some
_strange_ reason, Microsoft didn't fix the only two bugs Google reported in
the last 90 day period.

If that's the case, then either Microsoft _forgot_ about them, or they
carefully orchestrated a PR scandal against Google (wouldn't be the first time
- like the time they built an unauthorized YouTube app that Google
_specifically_ told them not to build, and then notified the whole media about
it, putting words in the reporters' mouths).

~~~
teraflop
Well, Google _has_ been sending Microsoft (and other vendors) lots of other
bug reports: [https://code.google.com/p/google-security-research/issues/li...](https://code.google.com/p/google-security-research/issues/list?can=1&sort=-id)

What I find interesting is that there are at least a couple of cases in which
bugs were marked as being subject to the 90-day disclosure deadline, but not
made publicly visible until days or weeks after the deadline had passed.

[https://code.google.com/p/google-security-research/issues/de...](https://code.google.com/p/google-security-research/issues/detail?id=111)

[https://code.google.com/p/google-security-research/issues/de...](https://code.google.com/p/google-security-research/issues/detail?id=113)