Hacker News

That makes this one even worse, if anything. The disclosure in question wasn't even two weeks in.



Worse? Did you miss the part where this vuln is being actively exploited? I'd much prefer if Google disclosed this sort of thing to trusted software vendors immediately and the public within 24-48 hours of finding out.


> Did you miss the part where this vuln is being actively exploited?

Not at all. That's actually the crux of my argument that this is promotional.

Google, Microsoft, and Facebook all collaboratively met at an event outside defcon this year called bountycraft. In it, they shared their practices handling vulnerability disclosure and other related events. All three have arguably the best secure development lifecycles in tech right now. All three are intimately aware of each other's practices.

Microsoft is assuredly fixing this into overtime. Microsoft assuredly knew this was in use in the wild. They're already working beyond full speed, and Microsoft has a history of sharing mitigations with third party security vendors. Given the relationship I described above, Google certainly knows all of this and knows that Microsoft won't be able to act any faster to handle this.

No one is served well by this disclosure except for two parties:

· Unprivy malware authors (the vast majority) who are now actively researching this disclosure.

· Google, by convincing users to use their browser for protection.

This was a marketing play.


Or it's just P0 following their policy. Which is the only way P0 can maintain credibility and exert pressure on vendors to fix things. Especially after Google management just publicly overrode them regarding an Apple vulnerability a week or so ago.


Sure. My earlier point:

> A longstanding policy doesn't make it a good one.

If this was a disclosure by the books, there would've been broader, less overtly promotional mitigations discussed.

Project Zero would be better off reformulating its disclosure policy here if credibility is what they're going for. Sometimes it's healthier to admit being wrong.


While it might assuage some kneejerk skepticism like this, I don't think they're obligated to omit that Chrome has mitigations in place when disclosing a vulnerability.


You're absolutely right. I'd have preferred a few different responses, such as including multiple mitigating strategies, even if they're user actions such as browsing only trusted sites until a patch is released.

That said, even if the wording was "Browsers such as Chrome which block win32k.sys system calls using the Win32k lockdown mitigation on Windows 10 prevent exploitation of this sandbox escape vulnerability," I would've given them a partial pass.
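As an added illustration that is not part of the thread: the "Win32k lockdown" this comment refers to is the per-process system-call disable mitigation that Chrome's sandbox applies to its renderer processes on Windows 10. The same policy can be inspected and applied to other executables with the ProcessMitigations PowerShell module (Windows 10 1709 and later). The process names `chrome.exe` and `worker.exe` below are placeholders, and the commands assume an elevated session.

```powershell
# Added example: inspect and apply the Win32k system-call disable policy
# ("Win32k lockdown") with the ProcessMitigations module on Windows 10.
# Process names are placeholders; run from an elevated PowerShell session.

# 1. Inspect the mitigation state of a running browser process.
#    The SystemCall section of the output reports whether calls into
#    win32k.sys are blocked for that process.
Get-ProcessMitigation -Name chrome.exe -RunningProcesses

# 2. Apply the policy to a worker process that does not use GDI/USER.
#    A process that creates windows or draws with GDI will crash once
#    win32k calls are blocked, so restrict this to headless or sandboxed
#    workers that were designed to run without win32k.
Set-ProcessMitigation -Name worker.exe -Enable DisableWin32kSystemCalls

# 3. Confirm the per-image setting was stored (it persists in the
#    Image File Execution Options registry key and applies to new instances).
Get-ProcessMitigation -Name worker.exe

# 4. Revert if the worker turns out to depend on win32k after all.
Set-ProcessMitigation -Name worker.exe -Disable DisableWin32kSystemCalls
```

The defensive value is the same one the comment describes for Chrome: a compromised, lockdown-enabled process cannot reach win32k.sys kernel code at all, so a kernel bug in that driver is not reachable from it as a sandbox escape, regardless of whether the bug has been patched yet.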


> Google management just publicly overrode them regarding an Apple vulnerability a week or so ago.

Don't remember this. Can someone point me to a link?


> No one is served well by this disclosure except for two parties...

You missed one: the general public benefits from these disclosures.

Even though this gives an information advantage to an attacker (e.g., aforesaid "unprivy" malware authors), as a member of the general public, I would rather know that I'm vulnerable to some attack. I might change my behavior to limit my exposure. I may take additional precautions that would otherwise be too costly were it not for the additional risk. I might choose to accept the risk and continue working normally. My point is that by not disclosing, the security researcher makes my risk management choices for me, and I am not convinced they have my best interests at heart.

Likewise, public disclosure makes it possible for the customers of a software vendor to pressure them into addressing the vulnerability in a more timely fashion. Otherwise, these companies will not take security issues seriously. I have seen that pattern repeat over and over and over. The only way to get vendors to change is to name and shame, hit 'em in their wallet and hit them hard. Microsoft does SDLC now because of full disclosure, not in spite of it.


"Microsoft is assuredly fixing this into overtime"

Citation needed.


I can't give you a direct one short of saying I've interacted with their security teams and know their protocols to some extent. The indirect color I added to this image was from the Bountycraft interlude. Up to you if you want to trust any or all of that; you have every right not to.


> Microsoft is assuredly fixing this into overtime. Microsoft assuredly knew this was in use in the wild. They're already working beyond full speed, and Microsoft has a history of sharing mitigations with third party security vendors.

And they still can't fix it in 7 days? Well, then they have to shape up or be replaced by a competitor who can. It's harsh, but customers benefit.


It means the other two examples aren't relevant.



