Guru3D.com

Google Exploit Announcements put customer at potential risk says Microsoft

by Hilbert Hagedoorn on: 11/01/2016 01:46 PM | source: | 27 comment(s)

Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft. Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild.

That means attackers have already written code for this specific security hole and are using it to break into Windows systems, reports VentureBeat today.

A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it. Indeed, Microsoft has not released a fix nor issued an advisory for this flaw. Google described this particular Windows vulnerability as follows:

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
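As an added example (not part of the article or of Google's advisory), a defender can check which running processes have the Win32k lockdown mitigation mentioned above switched on. It assumes Windows 10 1709 or later, where the built-in `Get-ProcessMitigation` cmdlet is available; the function name `Get-Win32kLockdownState` and the choice of `chrome` as the process name are illustrative.

```powershell
# Added example: report whether running processes have the Win32k lockdown
# mitigation (win32k.sys system calls disabled) turned on.
# Assumption: Windows 10 1709+ with the ProcessMitigations module present.

function Get-Win32kLockdownState {
    param(
        [Parameter(Mandatory)]
        [string[]]$ProcessName   # e.g. 'chrome' (illustrative choice)
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Default when the policy cannot be read: access denied, or the
        # process exited between enumeration and the query.
        $state = 'UNKNOWN'
        try {
            $mitigation = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            if ($mitigation -and $mitigation.SystemCall) {
                # Reported as ON, OFF or NOTSET
                $state = [string]$mitigation.SystemCall.DisableWin32kSystemCalls
            }
        } catch {
            # Leave $state as UNKNOWN
        }

        [pscustomobject]@{
            Name           = $proc.ProcessName
            Id             = $proc.Id
            Win32kLockdown = $state
        }
    }
}

# Collect once, then show the per-process table and a one-line summary.
$report = @(Get-Win32kLockdownState -ProcessName 'chrome')
$report | Sort-Object Win32kLockdown, Id | Format-Table -AutoSize

$locked = @($report | Where-Object { $_.Win32kLockdown -eq 'ON' }).Count
'{0} of {1} matching processes report Win32k lockdown ON' -f $locked, $report.Count
```

A mix of results is normal: the main browser process draws the UI and needs win32k.sys, so the mitigation is expected on the sandboxed child processes rather than on every process with that name.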

Also on October 21, Google shared a Flash vulnerability (CVE-2016-7855) with Adobe, which that company patched on October 26. That means users can simply update to the latest version of Flash. For the other security flaw, Google merely recommends “to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”

A web plugin like Flash is a lot less complex than an operating system like Windows. This is one of the reasons why Google’s policy for actively exploited critical vulnerabilities, namely publicly disclosing details after seven days, is so controversial. Many software companies argue that a week is not enough time to code, test, and issue a patch for a security flaw. Google prefers to make the public aware sooner rather than later, but many security researchers maintain that details should only be shared once a patch is available. This is not the first time that Google has disclosed Windows vulnerabilities before a patch was ready. In fact, the company did this for Windows 8.1 twice in January 2015. Microsoft understandably wasn’t pleased, but this time around is even more serious. Neither of those earlier vulnerabilities was being actively exploited.

We have reached out to Microsoft regarding Google’s disclosure today and will update you if we hear back.

Update at 12:45 p.m. Pacific: Microsoft issued a statement, though the company did not share when a patch could be expected.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.









kinggavin
Senior Member



Posts: 297
Joined: 2014-11-06

#5353446 Posted on: 11/01/2016 11:59 AM
Google are as bad as Microsoft. Personally I don't trust anything they say about security risks. I have a Win 7 32-bit, from which I removed some of Microsoft's junk, and I never update it. If you don't want a virus you need a good non-Microsoft firewall and a good VPN.

rl66
Senior Member



Posts: 2741
Joined: 2007-05-31

#5353460 Posted on: 11/01/2016 01:13 PM
Google did the right thing, make noise and force m$ to actually fix the problem instead of pulling crap.

Now this hussle not just between coders.

google is a pure imperialist company and represent evil :3eyes:

not that M$ is good... but...

SSD_PRO
Senior Member



Posts: 178
Joined: 2013-02-07

#5353461 Posted on: 11/01/2016 01:20 PM
Google did the right thing, make noise and force m$ to actually fix the problem instead of pulling crap.


Have to agree. While it is akin to bullying, it takes a company as big as Google to make this happen. Microsoft provides the OS and Microsoft is responsible for security of its own code. Google is helping them by reporting and allows 10 days before reporting publicly. If they dropped the 10 days, what incentive does Microsoft have to expedite a resolution? Feet to fire - pull feet back or watch them melt.

Microsoft has publicly said 10 days is too short as the correct code must undergo validation testing. This is a feet dragging excuse made by every tech company. SSD has problem that needs correction by firmware? Company says the fix is undergoing testing. New BIOS to correct memory instability? Company says the fix is undergoing testing. New code to fix security exploit? Company says the fix is undergoing testing. Problem is, if they knew how to validate properly the flaw wouldn't be there in the first place. More time for testing is just a delay tactic.

ubercake
Senior Member



Posts: 214
Joined: 2014-06-11

#5353462 Posted on: 11/01/2016 01:41 PM
So does this mean I should or should not use a PC until it's fixed?
;)

Turanis
Senior Member



Posts: 1748
Joined: 2014-08-15

#5353467 Posted on: 11/01/2016 01:49 PM
You should stay in basement 'till then. :D


Battle between Corporations, nothing new. ;)
M$$$ wants some market share from Google, nothing new. Chrome is bad, IE & Edge are good, yeah right.
