Hacker News
Google Goes Public with Unpatched Microsoft Edge and IE Vulnerability (chromium.org)
Looks like they thought this would get fixed:

> I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline).

Worth mentioning that "Goes Public" implies there was a human who pulled the trigger; it was a bot:

> This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

> Deadline exceeded -- automatically derestricting

I think the person making that comment is confused about how this works. The bug was filed in November. The deadline passed before the comment was made.

The "Deadline exceeded -- automatically derestricting" comment was posted on Feb 23, 90 days[0] after Nov 25.

The account that posted it, hawkes@google.com, is listed[1] as the "owner" of Project Zero, which implies to me that they may be a user account, but quite likely one that has a script running under its permissions.

There certainly could be a human-controlled kill-switch to this release process, of course, and it's possible that "hawkes" manually goes through a list of vulnerabilities every day and clicks "release".

[0] http://www.convertunits.com/dates/90/daysfrom/Nov+25,+2016

[1] https://bugs.chromium.org/u/1279493906/

> there was a human who pulled the trigger; it was a bot:

is it a human or a bot?

GP is saying "although the headline makes it sound like a human did this, it was actually a bot, as the following text from the tracker shows:"

A human programmed the bot.

But the bot pulled the trigger :-)

A bot.

This is not the first time Google has disclosed unpatched vulns in Microsoft products [1]. Anyone know any more?

What's up with them not being able to patch on time? How is 90 days not enough to get a patch out the door? That's a quarter, for goodness' sake!

1. https://news.ycombinator.com/item?id=12841672

To be fair to MS, a local bank switched their systems and introduced a vuln that leaves the username and password in the form as it opens the account in a new tab. It's still there 3 weeks later.

Edit: This is sarcasm but the bank story is true.

To make matters worse, Microsoft has just completely skipped this month's patch bundle. As in no other security bug will be fixed until next month.

They still release "out-of-band" patches for critical security bugs. There was one a few days ago for Flash Player that presumably would have been in February's patch bundle but was too important to wait for the next one.

Presumably these two facts are related? I would assume this was supposed to get patched this month within the 90 day deadline but some last minute issue delayed the patch.

They probably are. However, I also expect them to be related because of Microsoft's own decision of integrating security patches with one another, instead of keeping them more modular: the so-called "patch bundle" policy. It's hard to believe that, say, some Flash bug couldn't be patched because of some other unrelated bug.

But I hope Microsoft can prove me wrong and explain in detail next month why it couldn't deliver any of the 20-30+ bug patches because of a couple of other unrelated and broken patches.

Google also has full interest in showing Microsoft's failures. Microsoft could do the same about Chrome. How good competitive markets are.

Sad to see this downvoted, but it's definitely war of some sort between Google and Microsoft and Google actively targeting MS products could easily be a factor. Altruism it likely isn't.

Keep in mind that the Google docs/drive/whatever suite is the competitor for Microsoft's Office 365 product.

Has Google ever released info about an unpatched critical bug on their own systems/applications?

Project Zero is taking names lately. I wonder if other firms will "retaliate" with their own Project Zero-style security teams.

That's the kind of retaliation I can get behind whole-heartedly :-)

Yeah, there would likely be a real net positive to corporations trying to damage each other's credibility via security disclosures. (No sarcasm - I believe it).

Unless the retaliation is done by the NSA, where they don't want any more of their precious 0-days getting leaked.

NSA guy #1: "Hey, Fred, Google released another Microsoft zero day. Those things cost us millions to buy. Can we punish Google somehow?"

NSA guy #2: "Sure, let's release our Google zero day!"

#1: "Oh, but didn't we spend millions on that?"

#2: "Yeah, but it'll really screw up Google!"

#1: "Okay, do it."

Google: "Oh my, thanks for pointing out that exploit. We're so glad the NSA is getting back to its mandate to alert American companies and organizations when it had identified security holes. And....fixed. Let us know if you find any more!"

If they can't manage to fix a severe security hole within 90 days, I'd say that they deserve to have their credibility destroyed.

I'm with GP on that we need more programs like project zero.

I feel like you might be sarcastic, but I really do think so.

No sarcasm, I think so too.

Yes, I'll happily support Microsoft finding bugs in all the Android devices on the market. Not to mention it would be paid work anyway, considering the billions of dollars a year Microsoft is making extracting royalties for bogus patents from Android OEMs.

Please get angry and do it Microsoft! Show Google how it's done.

The sad part is that the majority of Android users won't see those fixes anyway.

I hope they do! If this sort of team becomes commonplace we may have a good shot at a lot better standard level of security. (Or we may have a chance of it devolving into a corporate shitshow between rivals, idk... I can hope though)

Disclosure: work at Google, but very far away from security.

It's their new marketing department I heard ;-)

I believe Google would be happy to see more people funding security research.

Google owns a decent chunk of CloudFlare. They shared the flaw as they should last week.

I see nothing close to Google trying to get MS. Instead it is what should be done.

Now me, with things like Scroogled and MS replacing YouTube with their own, I probably would not be so nice.

Look at Amazon: it will not allow Chromecast to be sold on its site. Personally I would have removed Amazon from my search engine, but not Google.

Look at Uber. If I was Google I would use my power to destroy, but not Google.

Feel however you want about Google, but let's at least be fair.

Uber is being sued by Google.

They should be sued. The theft of corporate property that occurred was serious. In that scenario, Uber is not the victim.

I don't disagree.

I'm glad they aren't playing around with the 90 day limit.

They actually have a 14-day grace period now, but only if the vendor says it has a patch that's almost ready to go (and can be deployed within that 14-day period).

So I guess Microsoft missed both of those deadlines.

Suppose you need 30 days to very thoroughly test your patches before making them generally available.

This still leaves 60 days for fixing the actual bug. It really seems ample time.

> So I guess Microsoft missed both of those deadlines.

No. It was 90 days from the time the bug was filed to the time it automatically disclosed. There was no additional 14-day period (for whatever reason).

The grace period isn't automatic, otherwise that would just be a 104 day window. The grace period applies when the vendor has been in communication with P0 that a patch is in the works and will be released within 2 weeks of the end of the 90 day window. Presumably that didn't happen here.

I wasn't proposing that it was automatic. "For whatever reason" means just that. I wasn't making any statement about why there was no additional 14-day window.

I think OP meant that Microsoft missed the deadline by not even having the fix ready that would have earned them the 14 day grace period.

or they did not communicate anything to P0

There is always an additional 14-day period on offer, but the vendor has to choose to use it, and has to actually land the patch within the 14 extra days.

So, a deadline miss is often really a 104 (!!) day deadline miss. As an industry that's trying to refocus on security, surely we can do better than that.

I guess when they say 90 days they really mean it.

How often do these deadlines get missed?

And perhaps even more critically: by which vendors? Who consistently misses the deadline?

Judging by https://bugs.chromium.org/p/project-zero/issues/list?can=1&q..., it looks like Apple, Adobe and Microsoft are the main vendors who miss deadlines, although I don't know how many other vendors Project Zero focuses on in total.

That doesn't terribly surprise me. More/larger products, more opportunity to miss bugs or not be agile enough to work on them.

How is Microsoft's track record on security generally these days?

> Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each).

https://www.avecto.com/news-and-events/news/94-of-critical-m...

Umm, not that great. Whatever security features they are adding to Windows 10, they seem to be overshadowed by all the other crap they're putting in Windows 10.

It would make sense that more are found in W10 (which was 5-17mos in 2016) than W8 (which was 40-52mos in 2016), because of their relative time on the market.

To answer the question, we'd have to look at W10 at this point in its life-cycle compared to W8 at a similar point (and control for things like more active vuln researchers).

(I think you meant to reply to the parent)

I figure it is a slow news day for Google so they do one of these to generate some publicity.

