The protocol in question is entirely internal. They could rip it out and replace it with something totally different, apps shouldn't notice.
The CTF server can also be made to validate its inputs much better, again, no compat impact.
This is another case where Google seems to just take delight in screwing Microsoft and its users here. The 90 day deadline is meant for vendors who don't take security seriously, but Microsoft do. I'm not sure what is gained by releasing this before it's fixed.
Microsoft dropped the ball for the first 75 days.
> I hope you agree that I adequately communicated this attack to you, it seems like some wires got crossed at Microsoft and it didn't get clearly passed along to the engineering team. We're at day 75 now, I think the solutions I can think of for this attack would require a lot of compat testing with IMEs, so I'm hoping you can expedite this now that we're all on the same page.
edit: For clarity, the context of my quote is talking specifically about the session attack, not all issues raised.
No, we don't know that. Companies that were deemed serious have been caught dragging and taking their time with no proof of progress whatsoever (just like in this case?). And think of the message it would send to other (supposedly non-serious) companies: "you've given more time to MS, why not me? It's only fair".
Just like democracy, the P0 policy is the worst form of disclosure, except for all the others.
Also, please don't conflate this with EternalBlue, there's no remote component here.
You mean where the US government decided to not notify Microsoft for 5 years?
Or you mean where Microsoft decided to publicly announce the vulnerability despite not having provided patches for millions of unsupported systems?
These organizations that "take security seriously" sure make Project Zero look very responsible by comparison.
> for what?
To let people whose security has been compromised for over a decade do what they can to mitigate.
The only fixes here come from MS. Until then, the more people that know, the worse it is.
If no third parties have access to it, this sounds promising for a fix. I suspect that third party keyboards and assistive devices probably talk this protocol though...