
No, I don't think so.

The protocol in question is entirely internal. They could rip it out and replace it with something totally different, apps shouldn't notice.

The CTF server can also be made to validate its inputs much better, again, no compat impact.

This is another case where Google seems to just take delight in screwing Microsoft and its users here. The 90 day deadline is meant for vendors who don't take security seriously, but Microsoft do. I'm not sure what is gained by releasing this before it's fixed.




> The 90 day deadline is meant for vendors who don't take security seriously, but Microsoft do.

Microsoft dropped the ball for the first 75 days.

> I hope you agree that I adequately communicated this attack to you, it seems like some wires got crossed at Microsoft and it didn't get clearly passed along to the engineering team. We're at day 75 now, I think the solutions I can think of for this attack would require a lot of compat testing with IMEs, so I'm hoping you can expedite this now that we're all on the same page.[1]

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=18...

edit: For clarity, the context of my quote is talking specifically about the session attack, not all issues raised.


Yes, large companies sometimes screw up. The project zero policy on this is wrong and downvotes won't change my mind on that. You know perfectly well that MS will fix it once the right people are in the case, the 90 day "deadline" with working exploit just risks another EternalBlue type situation where the exploit gets used in real attacks and causes real damage, for what?


> You know perfectly well that MS will fix it once the right people are in the case,

No, we don't know that. Companies that were deemed serious have been caught dragging and taking their time with no proof of progress whatsoever (just like in this case?). And think of the message it would send to other (supposedly non-serious) companies: "you've given more time to MS, why not me? It's only fair".

Just like democracy, the P0 policy is the worst form of disclosure, except for all the others.

Also, please don't conflate this with EternalBlue, there's no remote component here.


> just risks another EternalBlue type situation where the exploit gets used in real attacks and causes real damage, for what?

You mean where the US government decided to not notify Microsoft for 5 years?

Or you mean where Microsoft decided to publicly announce the vulnerability despite not having provided patches for millions of unsupported systems?

These organizations that "take security seriously" sure make Project Zero look very responsible by comparison.

> for what?

To let people whose security has been compromised for over a decade do what they can to mitigate.


They can't do anything to mitigate. What are they meant to do, rewrite parts of Windows by themselves?

The only fixes here come from MS. Until then, the more people that know, the worse it is.


> The protocol in question is entirely internal.

If no third parties have access to it, this sounds promising for a fix. I suspect that third party keyboards and assistive devices probably talk this protocol though...



