
Disclosing vulnerabilities to protect users - nnx
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
======
greggman
All browsers have about the same number of bugs, but Chrome's design, or as they
say "defense in depth", acknowledges that there will always be bugs and so tries to
make it as hard as possible for bugs to allow bad things.

Compare vulnerabilities

Chrome 6% code execution, 0.4% gain privileges

Firefox 48% code execution, 8.4% gain privileges

Safari 60% code execution, 9.4% gain privileges

IE 79% code execution, 7.2% gain privileges

Edge 55% code execution, 16.4% gain privileges

Before you complain that Firefox and IE are older, we can compare just the
last 2 years of vulnerabilities

[https://docs.google.com/spreadsheets/d/1nqBd7zmg6grVBEws_UPX...](https://docs.google.com/spreadsheets/d/1nqBd7zmg6grVBEws_UPXFBIdZT_0ISjIaHPK4cJvjII/edit?usp=sharing)

I expect Firefox's newer stats to get better on this front as they move to
electrolysis and servo

It's interesting to note that Safari has zero "gain privileges bugs" for the
last 2 years even if it has 22x the code execution bugs as Chrome

[http://www.cvedetails.com/product/15031/Google-Chrome.html?v...](http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224)
[http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?...](http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452)
[http://www.cvedetails.com/product/2935/Apple-Safari.html?ven...](http://www.cvedetails.com/product/2935/Apple-Safari.html?vendor_id=49)
[http://www.cvedetails.com/product/9900/Microsoft-Internet-Ex...](http://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26)
[http://www.cvedetails.com/product/32367/Microsoft-Edge.html?...](http://www.cvedetails.com/product/32367/Microsoft-Edge.html?vendor_id=26)

~~~
fjarlq
It looks like you've made several errors quoting from the cited spreadsheet.

Aren't these the correct numbers according to the spreadsheet?

    
    
      Browser vulnerabilities 2015/01 - 2016/10
      =========================================
      Browser  Code Execution  Gain Privileges
      -------  --------------  ---------------
      Chrome            2.89%            0.58%
      Firefox          43.59%            2.88%
      Safari           69.11%            0.00%
      IE               69.08%            6.07%
      Edge             55.22%            2.24%
    

Source:
[https://docs.google.com/spreadsheets/d/1nqBd7zmg6grVBEws_UPX...](https://docs.google.com/spreadsheets/d/1nqBd7zmg6grVBEws_UPXFBIdZT_0ISjIaHPK4cJvjII)

~~~
greggman
I didn't quote from the spreadsheet. I quoted from the totals on the webpages.
In other words, the quoted values are from when each browser was first created
to today. The spreadsheet is just 2015-2016

~~~
fjarlq
Oh, I see, thanks. Well, I've copied in the values for just the past two years
for easy comparison, then!

------
XparXnoiAx
It should be pointed out that most vulnerabilities are, in fact, being
exploited before they are patched. Citation in this article:
[https://medium.com/@xParXnoiAx/irresponsible-disclosure-52d0...](https://medium.com/@xParXnoiAx/irresponsible-disclosure-52d08cddcd07)

~~~
fulafel
So that's linking to a Forbes article that's paraphrasing this study from
2012:
[https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12...](https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf)

It doesn't support your assertion but it's still interesting 2008-2010 data
from an antivirus vendor. It's talking about how long some
vulnerabilities were exploited by malware before getting disclosed, use in
targeted attacks, and so on.

~~~
XparXnoiAx
The study says that most vulnerabilities were being exploited before being
disclosed.

~~~
fulafel
I don't think it says that about the set of all vulnerabilities (IOW -
citation needed!).

It does say "In this paper, we consider only exploits that have been used in
real-world attacks before the corresponding vulnerabilities were disclosed" so
it's unsurprising that in their dataset this is the case :)

~~~
XparXnoiAx
Yeap, you're right, I misread. Here is a quote from the paper: "15% of these
exploits were created before the disclosure of the corresponding
vulnerability." So there's a lower bound.

------
eganist
Hm.

> Chrome's sandbox [...] prevents exploitation of this sandbox escape
> vulnerability.

It reads to me as though Google disclosed an 0day to promote Google Chrome.

This is fine.

•••

Edit: [http://venturebeat.com/2016/10/31/google-discloses-actively-...](http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/)

> A source close to the company also shared that the exploit Google describes
> requires the Adobe Flash vulnerability. Since Flash has been patched, the
> Windows vulnerability is mitigated.

If the immediate risk has been mitigated (barring other unknown attack
vectors, this was the immediate one of which Google appears to have been
aware), this makes the disclosure seem even more shamelessly promotional. I'd
presume the Flash vuln would be to enable drive-by exploitation, so if that
risk is mitigated, then they really seriously could've let this one wait.

~~~
magicalist
> Chrome's sandbox [...] _on Windows 10_ [...] prevents exploitation of this
> sandbox escape vulnerability.

the Windows version is an important part of that statement since it's unclear
from this what versions of Windows are affected by the vulnerability.

~~~
eganist
> since it's unclear from this what versions of Windows are affected by the
> vulnerability.

If anything, this just makes it worse, since it tells me Windows 7 users are
SOL.

~~~
magicalist
> _If anything, this just makes it worse_

Makes what worse? There's no mention of other browsers (so how could this be
an ad for Chrome? Is Edge vulnerable? Is Firefox?) and the plain implication
is that Chrome on Windows 7 is indeed SOL.

~~~
eganist
> There's no mention of other browsers (so how could this be an ad for Chrome?
> Is Edge vulnerable? Is Firefox?)

If this wasn't an ad and was merely a security disclosure, I'd have expected
appropriate research into which configurations mitigate the risk, _not_ just a
single configuration which happens to favor the browser maker.

Add on top of that the trivialization of "Windows 10" as the noun in a second-
order preposition of place as well as the reference to Chrome as the primary
subject of the sentence, and even basic analysis of the sentence in question
shows a bias.

~~~
holtalanm
The disclosure came from Google. Of course there's a bias if they spent time
coming up with a mitigation within their software. They aren't responsible for
other browsers, so why would they research fixes within those browsers? That
assumption is just plain idiotic.

They are under NO responsibility to research each and every possible fix.
Hell, they technically didn't even have to come up with a mitigation for
Chrome.

~~~
eganist
> They are under NO responsibility to research each and every possible fix.
> Hell, they technically didn't even have to come up with a mitigation for
> Chrome.

Then they should've waited until an official fix was out. They know one's
being actively worked on. They know the primary exploit path (via Flash) was
patched. To my earlier point: they should've just waited.

> That assumption is just plain idiotic.

That's not necessary. You might not see my face, but I'm still a person
deserving of some amount of respect.

~~~
tptacek
Exactly what is the benefit of them waiting until an official fix is released
if they have evidence of actual exploitation? How is anyone better off not
knowing the details of a vulnerability that people are exploiting already? I'm
having trouble making sense of your arguments on this thread, and I really am
trying.

~~~
eganist
> How is anyone better off not knowing the details of a vulnerability that
> people are exploiting already?

This question is strange. On the one hand, the disclosure scares users into
switching to Chrome even though Microsoft asserts Edge offers protection. On
the other hand, the disclosure actually does _not_ disclose the details of a
vulnerability that people are exploiting already.

Would you rather have had the disclosure include the exact vulnerability?

I've addressed your other questions surrounding the benefits and drawbacks in
other threads. No point in re-hashing them.

~~~
tptacek
No, you can't move the goalposts like this. You just said Google should have
_waited to disclose until a complete fix was published_. In asserting that,
you must also assert you'd rather have Google disclose nothing than something.

~~~
eganist
I would rather Google disclose nothing to the public until there's a fix, or
at least until a far-further-along date than 7 days from the initial
disclosure to Microsoft.

Now that that's settled:

I didn't move the goalposts at all. I called into question the inconsistency
in your implied assertion that people know the details thanks to this
disclosure:

> How is anyone better off not knowing the details of a vulnerability that
> people are exploiting already?

People do not know the details. The disclosure gave enough to inform those not
privy on where to look. It did not inform the world as to the details of the
issue.

I'd rather Google have disclosed nothing, for the reasons I've stated in the vast
majority of my other comments. My position hasn't changed: no one is benefited
by a public disclosure here other than

• Google (getting people to use Chrome as a defensive measure even though
arguably Edge has this one covered), and

• any unprivy malware authors who now know where to look.

Microsoft isn't going to act any more quickly here. Security vendors are
already rolling out mitigations. Google's only advice was "use our browser"
even though there are multiple solutions, both in terms of software (Edge) and
advising on user actions for the general untargeted population. They included
nothing other than:

> Chrome's sandbox [...] prevents exploitation of this sandbox escape
> vulnerability.

You asserted that they disclosed the details, which Google did not.

So now that my position is set clearly in stone without you able to turn it
around with an argument about moving goalposts, let's get back to my current
question: Since you asserted that Google disclosed the details _even though
they did not_ , would you rather have had the disclosure include the exact
vulnerability?

Edited for formatting.

~~~
tptacek
Lots more words, but we're back to the exact same place we were before:
there's active exploitation of the bug, and you think Google should hide that
fact to give Microsoft breathing room. That is an... unorthodox position to
take.

~~~
eganist
> you think Google should hide that fact to give Microsoft breathing room.

[https://news.ycombinator.com/item?id=12842909](https://news.ycombinator.com/item?id=12842909)

I have full confidence that one of the most mature software security groups in
tech isn't looking for breathing room on an 0day. Since you've been scouting
out my posts, you know better than to put words in my mouth given that one of
my biggest assertions here is that Microsoft's already moving as fast as it
can and that a disclosure speeds nothing up here.

> Lots more words

I appreciate the attempt at a dodge, so I'll get right back to it: since you
asserted that Google disclosed the details _even though they did not,_ would
you rather have had the disclosure include the exact vulnerability?

~~~
tptacek
I would rather have what we got than nothing. You would rather have nothing. I
still don't understand your argument.

------
jdright
Well done! That should be the rule, anything else is hypocritical.

~~~
Analemma_
No, "hypocritical" would be disclosing critical vulnerabilities in a
competitor's product after a week of notification, when you yourself stop
shipping security updates for your mobile operating system after two years;
instead suggesting "buy a new phone!" as the solution. But no one would be
that sleazy.

~~~
Buge
It's 3 years of security updates for Pixel and Nexus phones.

~~~
Ph0X
And that's a minimum guarantee. We have yet to see if they truly stop or keep
going.

~~~
kuschku
No? We've seen Nexus devices being dropped after only 16 months of support.

~~~
guelo
I don't believe that's true. The shortest update life span was the 2011 Galaxy
Nexus for 20 months. Ever since then the models have been updated for 3 years
or more.

~~~
kuschku
No? They got 2.5 years of security updates after release (and not 2 years of
security updates after sale, as EU law demands), and they certainly only get
18 months of feature updates after release.

The Nexus 5 was already dropped in October 2015, having been released in
October 2013.

Same with the Nexus 6 (it was dropped yesterday, being 2 years old).

It’s always been 18-24 months of updates max, and only if you buy on release
day.
[https://support.google.com/nexus/answer/4457705#nexus_device...](https://support.google.com/nexus/answer/4457705#nexus_devices)

~~~
dmix
That page you linked to says otherwise

> Nexus devices get security patches for at least 3 years from when the device
> first became available, or at least 18 months from when the Google Store
> last sold the device, whichever is longer.

Google is still releasing security patches for Nexus 5

[http://www.androidpolice.com/2016/08/01/august-security-patc...](http://www.androidpolice.com/2016/08/01/august-security-patches-rolling-august-1st-august-5th-levels/)

The most recent one for Nexus 5 aka Hammerhead was this month: M4B30X, Oct
2016

[https://developers.google.com/android/images](https://developers.google.com/android/images)

You're mistaking the major version releases (6.x.x vs 7 x.x) with security
patches, they are not promising major updates here only security patches for
6.x.x.

~~~
kuschku
> or at least 18 months from when the Google Store last sold the device,
> whichever is longer.

Which is illegal, EU law demands 24 months from when it was last sold anyway.

> they are not promising major updates

That’s another issue, many security features are only added in major updates
(sandboxing Mediaserver, etc).

So you only get hotfixes, and not long-term fixes.

------
kovrik
Probably a very stupid question, but I'm wondering if containers (which are
extremely popular nowadays) can help us improve web security?

What I mean is that all major browsers are trying to create their own sandbox
environment to be more secure, right? But maybe it is better to do it the other
way round: give them all permissions, but put them in a controlled and
restricted sandbox environment (container). And the browser window would be just a
small app that talks to that container, sends requests, gets the resulting page
(rendered) and just shows it. So it will literally have no access outside
of the container.

As a bonus, it decouples the UI from the backend.

I'm asking because the purpose of containers is to isolate and create sandbox
environments, and the purpose of a browser is to render and show web pages. So
why do browsers care about security if we already have containers?

Or does that make no sense and give no advantage/security?

~~~
viraptor
> major browsers are trying to create their own sandbox environment

This is partially true: for example there are sandboxes that consider the
website origin and related restrictions, but on the process level browsers
reuse the system mechanisms instead of implementing their own. For example on
Linux, Chrome uses seccomp and a number of other ways to separate the UI from
the backend. Windows has its own solutions for this.

So I don't think it's right to say they create their own sandboxes. At least
not in a NIH sense.

Containers are just a fancy package for the protections offered directly by
namespaces and other existing restrictions. User namespaces are already used
in Chrome sandboxes, for example
([https://chromium.googlesource.com/chromium/src/+/master/docs...](https://chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md#User_namespaces_sandbox.md))
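The process-level reuse of kernel mechanisms described above, as an added example that is not part of the thread and is not Chromium's code: a minimal seccomp-bpf filter of the kind a Linux renderer process installs on itself, written in C. The denied-syscall list (`openat`, `socket`), the path opened in `main()`, and the small userspace interpreter used to check the policy before installing it are assumptions made for this illustration. Build with `cc -std=c99 -Wall sandbox.c` on Linux (x86-64 or AArch64).

```c
/* Added example, not code from the blog post or from Chromium: a
 * renderer-style seccomp-bpf filter for Linux plus a tiny interpreter for
 * the three cBPF opcodes it uses, so the policy can be unit-tested before
 * it is installed. Denied syscalls and the path in main() are arbitrary. */
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64
#define UNSUPPORTED 0xFFFFFFFFu

/* Assumption for the demo: the sandboxed process already holds every fd it
 * needs (handed over by a broker), so it never legitimately opens files or
 * sockets again. */
static const int default_denied[] = { SYS_openat, SYS_socket };
#define NDEFAULT ((int)(sizeof default_denied / sizeof default_denied[0]))

/* Layout: load arch, kill on mismatch (blocks the same numbers via another
 * ABI), load nr, fail each denied syscall with EPERM, allow the rest.
 * Returns the instruction count, or -1 if the buffer is too small. */
int build_deny_filter(struct sock_filter *insns, int cap,
                      const int *denied, int ndenied)
{
    int n = 0;
    if (cap < 5 + 2 * ndenied)
        return -1;
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                  offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                  SANDBOX_ARCH, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                  offsetof(struct seccomp_data, nr));
    for (int i = 0; i < ndenied; i++) {
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                      (unsigned int)denied[i], 0, 1);
        insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                      SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Evaluate the filter in userspace for one (arch, nr) pair. Only the opcodes
 * build_deny_filter emits are understood; anything else yields UNSUPPORTED. */
unsigned int simulate_filter(const struct sock_filter *insns, int n,
                             unsigned int arch, int nr)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch))
                acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr))
                acc = (unsigned int)nr;
            else
                return UNSUPPORTED;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;  /* offsets are relative to the next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return UNSUPPORTED;
        }
    }
    return UNSUPPORTED;  /* fell off the end: malformed program */
}

/* Decision the default policy would make for a syscall, without installing it. */
unsigned int decide_default(unsigned int arch, int nr)
{
    struct sock_filter insns[MAX_INSNS];
    int n = build_deny_filter(insns, MAX_INSNS, default_denied, NDEFAULT);
    return n < 0 ? UNSUPPORTED : simulate_filter(insns, n, arch, nr);
}

/* Install the default policy on the calling thread. no_new_privs is required
 * for an unprivileged caller. Returns 0 on success, -1 with errno set. */
int sandbox_self(void)
{
    struct sock_filter insns[MAX_INSNS];
    int n = build_deny_filter(insns, MAX_INSNS, default_denied, NDEFAULT);
    if (n < 0)
        return -1;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("simulated: openat=%#x read=%#x\n",
           decide_default(SANDBOX_ARCH, SYS_openat),
           decide_default(SANDBOX_ARCH, SYS_read));
    if (sandbox_self() != 0) {
        perror("sandbox_self");
        return 1;
    }
    int fd = open("/etc/hostname", O_RDONLY);  /* arbitrary path for the demo */
    printf("open() after sandboxing: fd=%d errno=%d (EPERM=%d)\n", fd, errno, EPERM);
    return fd < 0 ? 0 : 1;
}
```

The architecture check comes first so a renderer cannot reach a denied syscall by issuing the same number through another ABI; denied calls return EPERM rather than killing the process so a policy gap shows up as an error instead of a crash; and the simulator lets the policy be exercised in a unit test. Real browser policies are much larger and sit under the namespace-based layer the comment links to, but the mechanism is this one.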

------
voltagex_
Does anyone know which version of Chrome this was fixed in? This may force
$EMPLOYER to finally update from an unholy mix of 50 and 53.

~~~
jrowley
Why would your employer fix you to a specific version of Chrome? That's
bizarre.

~~~
acdha
Never underestimate the degree to which enterprise IT departments view change
as something to be feared. I once heard someone say that they wanted to delay
Chrome updates until their security team could review them — said review
process basically being waiting in a backlog for weeks and then someone
searches for CVEs posted on that version.

~~~
protomyth
> Never underestimate the degree to which enterprise IT departments view
> change as something to be feared.

Never underestimate management's ability to fire an enterprise IT worker
for applying an update that the developers swear changes no behavior in the
company's enterprise software, but actually does.

// been on both sides, we suck at testing and risk assessment in this
profession

~~~
acdha
Definitely — when you see people afraid to do something, that almost always
indicates a deeper organizational problem.

------
besselheim
Advertising the details of an exploitable vulnerability before the vendor has
patched is protecting users now? I don't buy this motive at all.

~~~
stanleydrew
> I don't buy this motive at all.

OK I'll bite. What do you think the motive is?

According to the post's byline, it was written by Neel Mehta and Billy Leonard
of the Threat Analysis Group at Google. Are you questioning their professional
judgement and claiming they are individually biased?

If not, are you suggesting that there is some management directive to look for
Windows exploits and publish them on an aggressive timeline in order to
embarrass Microsoft publicly? Do you think professional security researchers
would abide by such a directive?

~~~
besselheim
Yes, I believe what you describe in your second paragraph is most likely to be
the case, given that coordinated disclosure is the standard approach to
protecting users.

~~~
zodiac
Waiting for coordinated disclosure should not delay disclosure indefinitely,
though. Google decided on 7 days as per
[https://security.googleblog.com/2013/05/disclosure-timeline-...](https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html?m=1)

~~~
besselheim
I can't imagine that Microsoft have refused to fix this vulnerability though,
otherwise this would have been mentioned in the blog post.

There's no good reason for Google not to respect coordinated disclosure here.
Making an arbitrarily tight deadline their policy isn't protecting users.

~~~
fulafel
The cited motivation was "it's being exploited in the wild". It's better to
enable the rest of the world to defend against it.

~~~
besselheim
This is flawed reasoning, as the vast majority of people will defend against
it by installing the patch.

~~~
fulafel
Well, here we get to the eternal debate about whether this trumps other
considerations. Back before vulnerability researchers started putting credible
deadlines to these things, vendors would sit on patches for months while the
vulnerabilities were being exploited widely and were open secrets. A rough
consensus seems to be that the common good is best served by these disclosure
deadlines.

Also there's the consideration that security-critical environments that pay
attention to these have much more value-at-risk than the average Windows user.
You want your safety-critical systems that pay attention to be protected.

~~~
besselheim
I don't think this is the case here though. It's been a few days since
reporting the vulnerability, not months.

We don't yet know if this was being widely exploited (versus being a niche
exploit used by an APT, for example), but it will be now either way.

------
pianoben
What an interesting comment on the state of corporate relationships; Google
actively delayed disclosure of an impactful vulnerability for Apple
([https://news.ycombinator.com/item?id=12795332](https://news.ycombinator.com/item?id=12795332)).

I wonder why they would not do the same for Microsoft?

~~~
blinkingled
Google did not claim they were aware of active exploitation of the Apple
vulnerability whereas for this Windows one, they claim knowledge of it being
exploited actively.

------
nulagrithom
Incidentally this reminds me, I recall that Angular 1.x was banned from
Firefox add-ons... Was the vulnerability ever made public?

~~~
45h34jh53k4j
Yeah, it does eval(); no vuln, just a specific design choice that breaks the
security model of the browser plugins.

Basically the plugin operates at a higher level than the regular page DOM, so
by running Angular from a plugin you gain the ability to both execute
(arbitrary) JavaScript from the page but also read/write to the disk. Very
bad. Cannot be fixed. Arbitrary code execution by design.

------
jacquesm
I like the fact that they disclose the vulnerabilities but I'd be even more
interested in _where_ they are exploited.

------
thinkMOAR
Personally I'm still not convinced this is good or bad.

Protecting users AND educating script kiddies, this is a hard trade-off, and all
lazily updating users will be more vulnerable than before.

(more being more script kiddies, not so much more vulnerabilities).

As long as it is done responsibly and vendors are given chances to fix this
beforehand. Not disclosing is worse, I guess, in any case.

However, "We encourage users to verify that auto-updaters have already updated
Flash"

While Adobe recommends not installing it, meh.. :)

~~~
cmdrfred
Script kiddies used to mean someone who downloaded a DOS tool for example and
ran it. As far as I know Google didn't release such a tool, nor is one
available. Did the definition change?

~~~
thinkMOAR
Why a 'dos' tool? They download 'scripts/utils' and simply use them and call
themselves hackers. They don't always do a denial of service attack. That
never changed, but perhaps you never learned it correctly.

Telling the world about vulnerabilities is a knife that cuts on two sides.
Inform users about security. Inform wankers how to abuse stuff.

~~~
cmdrfred
Just an example:

"someone who downloaded a DOS tool for example"

------
ainiriand
win32k.sys, the fractal of bugs.

------
us0r
Here is a question for the armchair (or real) lawyers - How does disclosing
this not run afoul of the law?

~~~
xenophonf
In the U.S. people are guaranteed by law the right to express themselves as they see
fit, without government interference except in the most constrained cases. A
security vulnerability disclosure does not meet any of the constraints I can
think of off-hand: not incitement, not libel (written) nor slander (spoken),
not child pornography, not obscenity, not false advertising, etc.

[https://en.wikipedia.org/wiki/United_States_free_speech_exce...](https://en.wikipedia.org/wiki/United_States_free_speech_exceptions)

------
bitmapbrother
From VentureBeat:

> Microsoft harshly criticized the disclosure. “Today’s disclosure by Google
> puts customers at potential risk,” a Microsoft spokesperson said. “We
> recommend customers use Windows 10 and the Microsoft Edge browser for the best
> protection.”

Really? Because I thought "your customers" were already at risk for an in the
wild zero day exploit that's currently being used to infect Windows computers.
How dare Google warn the public to allow them the time to take precautionary
steps. I guess they think it's better for their customers to take it up the
ass until they figure out how to patch it.

~~~
TallGuyShort
Given Microsoft's well-known cadence for releases, it might be prudent for
Google to update their policy to 2 weeks in some cases (e.g. not yet observed
being actively exploited) so that something reported to Microsoft right before
an update doesn't get disclosed right before they can reasonably release an
update without moving heaven and earth.

But if it's being actively exploited? Yes, thank you Google for letting us
know ASAP. Would indeed be irresponsible not to in this case.

~~~
anfedorov
Not moving heaven and earth, just fixing it in a week when you're notified
that there's a critical vuln that's actively being exploited against your
users. Yes, Google could lower the bar to two weeks, or three, or four, but
IMO, even a week is way more than should be necessary: for actively exploited
bugs of this magnitude, disclosure should really be 24-48 hours after
notification, tops. Perhaps 24 hours to other vendors like Firefox / Opera,
and 48 hours to public.

This is not a "wait until the next release cadence" kind of issue, but more
like a "scramble all jets and work through the weekend" kind. If I were a
Windows user, I don't think there's anything else I'd want MS to work on over
fixing an actively exploited remote priv escalation vuln.

Google's security team worked through their Christmas vacations when they had
an attack awhile back. To give other companies 7 days to patch their software
is really quite generous.

~~~
dfox
Except this issue is _local_ privilege escalation that is mostly only relevant
for defense-in-depth scenarios that involve sandboxing.

------
bshastry
We sell your data and in return make browsing safe for you so we can sell more
of your data. Clever Google. Really clever...

------
based2
[https://en.wikipedia.org/wiki/Responsible_disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure)

