
Google Goes Public with Unpatched Microsoft Edge and IE Vulnerability - uber1geek
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
======
rattray
Looks like they thought this would get fixed:

> I will not make any further comments on exploitability, at least not until
> the bug is fixed. The report has too much info on that as it is (I really
> didn't expect this one to miss the deadline).

Worth mentioning that "Goes Public" implies there was a human who pulled the
trigger; it was a bot:

> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
> without a broadly available patch, then the bug report will automatically
> become visible to the public.

...

> Deadline exceeded -- automatically derestricting

~~~
DINKDINK
> "Goes Public" implies there was a human who pulled the trigger; it was a bot:

Meaningless distinction, a human designed the bot that pulled the trigger.
Building a robot that then murders someone doesn't absolve the designer from
the ramifications of what they built.

~~~
dsacco
It's not meaningless. It would be more appropriate to compare it to a human-designed insurance algorithm that will refuse to offer a discount for extenuating circumstances. That's not so much an analogy as it is a reimplemented example of the same philosophy in practice.

The meaningful distinction is that a human can be persuaded to extend the
deadline, at least in theory. A bot cannot be persuaded to do anything, and if
a deadline passes an action is triggered like a dead man's switch. In one
scenario, a human needs to maintain the decision to uphold that deadline
without bias every single time it comes into question. In the other, they only
have to do it once: when the bot is initially designed.

They're different things entirely. Arguing that they're not is like arguing
that it's easy to maintain a diet or exercise regimen because you just have to
uphold a New Year's resolution for a week. This has important ramifications
for a security disclosure deadline, because it (theoretically) reduces bias.
There are other elements of a disclosure that can still elicit bias, but at
least the deadline time itself will not be one of them.

------
andreyf
This is not the first time Google has disclosed unpatched vulns in Microsoft
product [1]. Anyone know any more?

What's up with them not being able to patch on time? How is _90 days_ not
enough to get a patch out the door? That's a quarter, for goodness' sake!

1. [https://news.ycombinator.com/item?id=12841672](https://news.ycombinator.com/item?id=12841672)

~~~
user5994461
Because it takes time to write a fix, test it, test it some more to make sure
it doesn't break any of your 1 billion users, then ship it, then wait some more
because people ain't updating that often.

That's in total contrast to web development where you can deploy a fix in ~ 1
hour to all your users simultaneously.

~~~
bArray
> Because it takes time to write a fix, test it, test it some more to make
> sure it doesn't break any of you 1 billion users, then ship it,

Hasn't stopped Microsoft pushing bad updates in the past.

> then wait some more because people ain't updating that often.

That's a problem with their update model, security waits for nobody.

------
george_ciobanu
"Project Zero's disclosure deadline policy has been in place since the
formation of our team earlier in 2014. It's the result of many years of
careful consideration and industry-wide discussions about vulnerability
remediation. Security researchers have been using roughly the same disclosure
principles for the past 13 years (since the introduction of "Responsible
Disclosure" in 2001), and we think that our disclosure principles need to
evolve with the changing infosec ecosystem. In other words, as threats change,
so should our disclosure policy.

On balance, Project Zero believes that disclosure deadlines are currently the
optimal approach for user security - it allows software vendors a fair and
reasonable length of time to exercise their vulnerability management process,
while also respecting the rights of users to learn and understand the risks
they face. By removing the ability of a vendor to withhold the details of
security issues indefinitely, we give users the opportunity to react to
vulnerabilities in a timely manner, and to exercise their power as a customer
to request an expedited vendor response."

From [https://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/](https://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/)

~~~
user5994461
> On balance, Project Zero believes that disclosure deadlines are currently
> the optimal approach for user security

You mean, like when they disclosed the cloudflare vulnerability after about a week and then the web turned into a race to whomever could find older-than-a-week cache with valuable information.

~~~
govg
There was a discussion on this in the report itself; the vulnerability was far
too huge for it to go undisclosed for 90 days, I believe.

~~~
Buge
Basically it was required to be disclosed for it to be "fixed" further. The
action that needed to be taken was for everyone to delete their web caches.
And everyone can't delete their web caches unless they know about the
vulnerability.

------
johnsmith21006
Google owns a decent chunk of CloudFlare. They shared the flaw as they should
last week.

I see nothing close to Google trying to get MS. Instead it is what should be
done.

Now, with things like Scrougle and MS replacing YouTube with their own, I
probably would not be so nice.

Look at Amazon, which will not allow Chromecast to be sold on their site. Personally
I would have removed Amazon from their search engine, but not Google.

Look at Uber. If I was Google I would use my power to destroy, but not Google.

Feel how ever you want about Google but let's at least be fair.

~~~
ErikAugust
Uber is being sued by Google.

~~~
adventured
They should be sued. The theft of corporate property that occurred was
serious. In that scenario, Uber is not the victim.

~~~
ErikAugust
I don't disagree.

------
ErikAugust
Project Zero is taking names lately. I wonder if other firms will "retaliate"
with their own Project Zero-style security teams.

~~~
andreyf
That's the kind of retaliation I can get behind whole-heartedly :-)

~~~
ErikAugust
Yeah, there would likely be a real net-positive to corporations trying to
damage each other's credibilities via security disclosures. (No sarcasm - I
believe it).

~~~
xs
Unless, the retaliation is done by the NSA where they don't want any more of
their precious 0 days getting leaked.

~~~
CobrastanJorji
NSA guy #1: "Hey, Fred, Google released another Microsoft zero day. Those
things cost us millions to buy. Can we punish Google somehow?"

NSA guy #2: "Sure, let's release our Google zero day!"

#1: "Oh, but didn't we spend millions on that?"

#2: "Yeah, but it'll really screw up Google!"

#1: "Okay, do it."

Google: "Oh my, thanks for pointing out that exploit. We're so glad the NSA is
getting back to its mandate to alert American companies and organizations when
it had identified security holes. And....fixed. Let us know if you find any
more!"

~~~
bitmapbrother
Thanks NSA! Where do you want us to send the bounty award to?

~~~
user5994461
No need, it's already been debited from your account.

------
nunez
I'm glad they aren't playing around with the 90 day limit.

~~~
mtgx
They actually have a 14-day grace period now, but only if the vendor says it
has a patch that's almost ready to go (and can be deployed within that 14-day
period).

So I guess Microsoft missed both of those deadlines.

~~~
dpark
> _So I guess Microsoft missed both of those deadlines._

No. It was 90 days from the time the bug was filed to the time it
automatically disclosed. There was no additional 14-day period (for whatever
reason).

~~~
qeternity
The grace period isn't automatic, otherwise that would just be a 104 day
window. The grace period applies when the vendor has been in communication
with P0 that a patch is in the works and will be released within 2 weeks of
the end of the 90 day window. Presumably that didn't happen here.

~~~
dpark
I wasn't proposing that it was automatic. "For whatever reason" means just
that. I wasn't making any statement about why there was no additional 14-day
window.

------
lettersdigits
> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
> without a broadly available patch, then the bug report will automatically
> become visible to the public.

Is this a common pattern in the bugs world? Publicizing a critical bug after
90 days of no response?

~~~
Ajedi32
Not sure about 90 days specifically, but as far as the general principle goes,
yes:
[https://en.wikipedia.org/wiki/Responsible_disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure)

------
certifiedloud
I guess when they say 90 days they really mean it.

------
ipsin
The bug doesn't make it clear; was this issue reported to Microsoft?

I wasn't sure if I missed a sign of notification, or if vendors are
automatically cc'd/whitelisted on restricted bugs for their products.

------
rattray
How is Microsoft's track record on security generally these days?

~~~
tptacek
_Quite good_, comparable with that of Google and Apple. Each of those three
companies is good at different things. No big tech firm is as good at
vulnerability research as Google; none is better at hardware security than
Apple; none is better at security architecture and design than Microsoft.
Google and Microsoft have the two largest, most ambitious security programs in
technology.

You should be wary of anyone who casually tells you that Microsoft is bad at
security. There are things Microsoft might not be great at, but it's
complicated.

~~~
jimrandomh
> None is better at security architecture and design than Microsoft

This is an interesting claim; most of what I (and probably most people) think
about Microsoft software security is informed by its earlier history, where it
was doing pretty badly overall. What has Microsoft been up to lately that's
impressed you with their security architecture/design?

~~~
tptacek
When Microsoft's platform code was notably weak, pretty much everyone else's
was too. There was a time when they were maybe 2-3 years behind the state of
the art on Unix servers, but the state of the art at the time wasn't good, and
that time is mostly past.

For something like 10 years, Microsoft's been punching their weight with
secure runtimes in particular, especially given the handicap they work with
due to compatibility requirements. They're not perfect. But nobody is.

Here's a good recent example:

[https://medium.com/@justin.schuh/securing-browsers-through-isolation-versus-mitigation-15f0baced2c2#.24fivh6ht](https://medium.com/@justin.schuh/securing-browsers-through-isolation-versus-mitigation-15f0baced2c2#.24fivh6ht)

~~~
nsgi
How does this compare to Google pioneering security architecture in Chrome,
which gave it a strong record in Pwn2Own, and eventually became the basis for
security in other browsers, including Edge?

~~~
tptacek
Not sure what you're looking to hear from me. By a nose, I think Google has
the best security team in the industry.

------
thehardsphere
How often do these deadlines get missed?

~~~
JoshTriplett
And perhaps even more critically: by which vendors? Who consistently misses
the deadline?

~~~
brainfog
Judging by [https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=label%3ADeadline-Exceeded&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=ids](https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=label%3ADeadline-Exceeded&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=ids), it looks like Apple, Adobe and Microsoft are the main vendors who miss deadlines, although I don't know how many other vendors Project Zero focuses on in total.

~~~
vorpalhex
That doesn't terribly surprise me. More/larger products, more opportunity to
miss bugs or not be agile enough to work on them.

------
JepZ
Is it normal that IE and Edge bugs are getting reported to the chromium bug
tracker?

~~~
mcintyre1994
I think project zero at Google use the Chromium bug tracker - maybe Google use
it for all public bug stuff? I'm not sure why Chromium and not something more
general though.

~~~
christop
Quite a few projects have issue trackers hosted on that hostname:
[https://bugs.chromium.org/hosting/](https://bugs.chromium.org/hosting/)

I believe those projects switched to using this instance of the Monorail bug
tracker since Google Code shut down.

~~~
akaij
All of those projects are related to Chrome/Chromium, and maybe P0 is a part
of the same team, all under @laparisa? [http://www.googblogs.com/why-attend-usenix-enigma-2/](http://www.googblogs.com/why-attend-usenix-enigma-2/) Here you can see her introducing Ben Hawkes.

~~~
christop
I don't think that they're all related. Gerrit, for example, isn't part of
Chrome; it was initially developed for Android, AFAIK. Nor is Monorail. I
think Breakpad even predates Chrome.

But it's quite likely they all had their bug trackers on Google Code.

------
Havoc
As undemocratic-y as it sounds these big corps should really talk to each
other more...

------
jwilk
Please use the original title.

~~~
ClassyJacket
"Microsoft Edge and IE: Type confusion in
HandleColumnBreakOnColumnSpanningElement" ?

This really isn't a useful headline. It provides no information about the
actual relevant event of Google releasing the bug. It just seems like any
mundane bug report.

~~~
jwilk
The original title is not great, but it's good enough.

Editorializing titles is against HN guidelines.

------
plandis
Was Microsoft even notified about this? I didn't see any indication on the
linked page.

------
euyyn
Can we have the title of the post conform more to that of the thing it links
to?

~~~
lawnchair_larry
The original title is completely meaningless without context. It's linking to
a bug tracker. I would say that this title is neutral, descriptive, and
appropriate.

~~~
euyyn
> The original title is completely meaningless without context.

That's why I said "conform more".

