date 2016-01-01
> I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline).
Worth mentioning that "Goes Public" implies there was a human who pulled the trigger; it was a bot:
> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
> without a broadly available patch, then the bug report will automatically
> become visible to the public.
...
> Deadline exceeded -- automatically derestricting
The account that posted it, hawkes@google.com, is listed[1] as the "owner" of Project Zero, which implies to me that they may be a user account, but quite likely one that has a script running under its permissions.
There certainly could be a human-controlled kill-switch to this release process, of course, and it's possible that "hawkes" manually goes through a list of vulnerabilities every day and clicks "release".
[0] http://www.convertunits.com/dates/90/daysfrom/Nov+25,+2016
[1] https://bugs.chromium.org/u/1279493906/
Is it a human or a bot?
What's up with them not being able to patch on time? How is 90 days not enough to get a patch out the door? That's a quarter, for goodness' sake!
1. https://news.ycombinator.com/item?id=12841672
Edit: This is sarcasm but the bank story is true.
But I hope Microsoft can prove me wrong and explain in detail next month why it couldn't deliver any of the 20-30+ bug patches because of a couple of other unrelated and broken patches.
Keep in mind that the Google docs/drive/whatever suite is the competitor for Microsoft's Office 365 product.
Has Google ever released info about an unpatched critical bug on their own systems/applications?
NSA guy #2: "Sure, let's release our Google zero day!"
#1: "Oh, but didn't we spend millions on that?"
#2: "Yeah, but it'll really screw up Google!"
#1: "Okay, do it."
Google: "Oh my, thanks for pointing out that exploit. We're so glad the NSA is getting back to its mandate to alert American companies and organizations when it had identified security holes. And....fixed. Let us know if you find any more!"
I'm with GP on that we need more programs like project zero.
Please get angry and do it Microsoft! Show Google how it's done.
Disclosure: work at Google, but very far away from security.
I see nothing close to Google trying to get MS. Instead it is what should be done.
Mow me with things like Scrougle and MS replaced YouTube as with their own, I probably would not be so nice.
Look at Amazon: they will not allow Chromecast to be sold on their site. Personally I would have removed Amazon from their search engine, but not Google.
Look at Uber. If I were Google I would use my power to destroy, but not Google.
Feel however you want about Google, but let's at least be fair.
So I guess Microsoft missed both of those deadlines.
This still leaves 60 days for fixing the actual bug. It really seems ample time.
No. It was 90 days from the time the bug was filed to the time it automatically disclosed. There was no additional 14-day period (for whatever reason).
So, a deadline miss is often really a 104 (!!) day deadline miss. As an industry that's trying to refocus on security, surely we can do better than that.
https://www.avecto.com/news-and-events/news/94-of-critical-m...
Umm, not that great. Whatever security features they are adding to Windows 10, they seem to be overshadowed by all the other crap they're putting in Windows 10.
It would make sense that more are found in W10 (which was 5-17 months old in 2016) than W8 (which was 40-52 months old in 2016), because of their relative time on the market.
To answer the question, we'd have to look at W10 at this point in its life-cycle compared to W8 at a similar point (and control for things like more active vuln researchers).
