ASUS ROG STRIX Scope keyboard review
GALAX GeForce RTX 2070 Super WTF review
ADATA Spectrix S40G 512GB NVMe M.2 SSD review
Red Dead Redemption 2: PC graphics performance benchmark review
XFX Radeon RX 5700 XT THICC III Ultra review
Promo: URcdkey Halloween sale Windows 10 Pro for 11$
Guru3D Rig of the Month - October 2019
MSI GeForce GTX 1660 SUPER GAMING X review
Gigabyte GTX 1660 SUPER GAMING OC review
Palit GeForce GTX 1660 SUPER GamingPRO OC review
Google Exploit Announcements put customer at potential risk says Microsoft
Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft. Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild.
That means attackers have already written code for this specific security hole and are using it to break into Windows systems reports venturebeat today.
A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it. Indeed, Microsoft has not released a fix nor issued an advisory for this flaw. Google described this particular Windows vulnerability as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Also on October 21, Google shared a Flash vulnerability (CVE-2016-7855) with Adobe, which that company patched on October 26. That means users can simply update to the latest version of Flash. For the other security flaw, Google merely recommends “to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
A web plugin like Flash is a lot less complex than an operating system like Windows. This is one of the reasons why Google’s policy for actively exploited critical vulnerabilities — namely publicly disclosing details after seven days — is so controversial. Many software companies argue that a week is not enough time to code, test, and issue a patch for a security flaw. Google prefers to make the public aware sooner rather than later, but many security researchers maintain that details should only be shared once a patch is available. This is not the first time that Google has disclosed Windows vulnerabilities before a patch was ready. In fact, the company did this for Windows 8.1 twice in January 2015. Microsoft understandably wasn’t pleased, but this time around is even more serious. Both of those earlier vulnerabilities weren’t being actively exploited.
We have reached out to Microsoft regarding Google’s disclosure today and will update you if we hear back.
Update at 12:45 p.m. Pacific: Microsoft issued a statement, though the company did not share when a patch could be expected.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.
Google explains reasons behind 30-minute service outage - 01/27/2014 08:52 AM
Following one of the longer cross-service outages for Google in recent memory, the search and software giant sent out an apology and explanation for today's occurrences. According to the Official Goo...
Tour the Titanic with Google Earth - 04/16/2012 09:21 AM
Google Earth has made possible to tour a 3D model of the ship as it lies in pieces on the bottom of the Atlantic Ocean. ...
Google Earth gets Improved - 01/29/2012 12:39 PM
Google has published Google Earth 6.2. This new release offers a seamless globe, as the search giant devised a way to harmonize aerial photography taken on different dates and under different lighting...
Google exits China, routes traffic to Hong Kong - 03/23/2010 11:23 AM
A shame that this had to happen really, but clever solve. After weeks of negotiations with Chinese authorities, Google has stopped censoring results on its Chinese search engine. Starting today, visit...
Get famous on Google Earth - 03/29/2009 10:01 AM
Hehe .. too funny really. An 18-year old UK fellah thought the best way to get noticed on Google Earth would be to paint a giant 60 feet phallus on the flat roof of his parent's mansion. His parents o...
nick0323
Senior Member
Posts: 949
Joined: 2010-02-24
Senior Member
Posts: 949
Joined: 2010-02-24
#5353678 Posted on: 11/01/2016 11:48 PM
They done it to promote the use of their Chrome browser as it doesn't suffer from the exploit.
Well, it seems Edge is more secure than Chrome and other browsers according to this article...http://www.windowscentral.com/microsoft-edge-takes-top-spot-over-chrome-and-firefox-new-security-report
They done it to promote the use of their Chrome browser as it doesn't suffer from the exploit.
Well, it seems Edge is more secure than Chrome and other browsers according to this article...http://www.windowscentral.com/microsoft-edge-takes-top-spot-over-chrome-and-firefox-new-security-report
tsunami231
Senior Member
Posts: 9717
Joined: 2003-05-24
Senior Member
Posts: 9717
Joined: 2003-05-24
#5353679 Posted on: 11/01/2016 11:50 PM
I dont think this good idea on googles part a Browser is far cry from an OS exploit
why would out there own issues with there own os then not doing so makes them look like hypocrites.
I dont think this good idea on googles part a Browser is far cry from an OS exploit
Problem is, Google is risking users.....and their Android platform is just as insecure as Windows, if not more so. When is Google going to start notifying the public as to known exploits in Android? Android still has vulnerabilities that have existed since Gingerbread....
why would out there own issues with there own os then not doing so makes them look like hypocrites.
rhysiam
Junior Member
Posts: 18
Joined: 2016-01-05
Junior Member
Posts: 18
Joined: 2016-01-05
#5353716 Posted on: 11/02/2016 03:48 AM
I don't think that's accurate. Google could wait a month, for example, and then announce the vulnerability. That would look even worse for Microsoft because it would then be clear that they'd had plenty of time to address the issue and either weren't able to (thus incompetent) or didn't bother (thus ignoring security vulnerabilities in their products). Now that would be a massive PR issue for MS, much worse than not addressing the issue in a week/10 days... which is a tight time-frame for an issue like this.
What does Google lose by delaying the announcement for a longer period of time; say a month for example? In my eyes, they lose nothing other than the opportunity to tarnish MS' reputation a little.
Have to agree. While it is akin to bullying, it takes a company as big as Google to make this happen. Microsoft provides the OS and Microsoft is responsible for security of its own code. Google is helping them by reporting and allows 10 days before reporting publicly. If they dropped the 10 days, what incentive does Microsoft have to expedite a resolution? Feet to fire - pull feet back or watch them melt.
I don't think that's accurate. Google could wait a month, for example, and then announce the vulnerability. That would look even worse for Microsoft because it would then be clear that they'd had plenty of time to address the issue and either weren't able to (thus incompetent) or didn't bother (thus ignoring security vulnerabilities in their products). Now that would be a massive PR issue for MS, much worse than not addressing the issue in a week/10 days... which is a tight time-frame for an issue like this.
What does Google lose by delaying the announcement for a longer period of time; say a month for example? In my eyes, they lose nothing other than the opportunity to tarnish MS' reputation a little.
PrMinisterGR
Senior Member
Posts: 7004
Joined: 2014-09-27
Senior Member
Posts: 7004
Joined: 2014-09-27
#5353717 Posted on: 11/02/2016 03:52 AM
I don't think that's accurate. Google could wait a month, for example, and then announce the vulnerability. That would look even worse for Microsoft because it would then be clear that they'd had plenty of time to address the issue and either weren't able to (thus incompetent) or didn't bother (thus ignoring security vulnerabilities in their products). Now that would be a massive PR issue for MS, much worse than not addressing the issue in a week/10 days... which is a tight time-frame for an issue like this.
What does Google lose by delaying the announcement for a longer period of time; say a month for example? In my eyes, they lose nothing other than the opportunity to tarnish MS' reputation a little.
Google hates Microsoft because that's the only real competitor they have. Apple is slowly going the way of the dodo, meanwhile Microsoft stuff seem to be even more innovative than Apple stuff.
Apple is dead (in the long run), the only thing remaining between Google and total global domination is Microsoft.
I don't think that's accurate. Google could wait a month, for example, and then announce the vulnerability. That would look even worse for Microsoft because it would then be clear that they'd had plenty of time to address the issue and either weren't able to (thus incompetent) or didn't bother (thus ignoring security vulnerabilities in their products). Now that would be a massive PR issue for MS, much worse than not addressing the issue in a week/10 days... which is a tight time-frame for an issue like this.
What does Google lose by delaying the announcement for a longer period of time; say a month for example? In my eyes, they lose nothing other than the opportunity to tarnish MS' reputation a little.
Google hates Microsoft because that's the only real competitor they have. Apple is slowly going the way of the dodo, meanwhile Microsoft stuff seem to be even more innovative than Apple stuff.
Apple is dead (in the long run), the only thing remaining between Google and total global domination is Microsoft.
Dch48
Senior Member
Posts: 1822
Joined: 2011-10-09
Senior Member
Posts: 1822
Joined: 2011-10-09
#5353718 Posted on: 11/02/2016 04:05 AM
Are Windows 7 updates fixed by chance? I have had W7 updates disabled for the last 6 months.. and would re-enable if it happens to be functioning again..
Windows Update works just fine in Windows 7. My laptop has had no problems.
HeavyHemi
Senior Member
Posts: 6277
Joined: 2008-10-27
Senior Member
Posts: 6277
Joined: 2008-10-27
#5353720 Posted on: 11/02/2016 04:08 AM
Google hates Microsoft because that's the only real competitor they have. Apple is slowly going the way of the dodo, meanwhile Microsoft stuff seem to be even more innovative than Apple stuff.
Apple is dead (in the long run), the only thing remaining between Google and total global domination is Microsoft.
Google...or MS...world domination...that's almost like picking between Trump and Clinton.... I don't see why Google can't wait a bit longer prior to publishing exploits.
Google hates Microsoft because that's the only real competitor they have. Apple is slowly going the way of the dodo, meanwhile Microsoft stuff seem to be even more innovative than Apple stuff.
Apple is dead (in the long run), the only thing remaining between Google and total global domination is Microsoft.
Google...or MS...world domination...that's almost like picking between Trump and Clinton.... I don't see why Google can't wait a bit longer prior to publishing exploits.
Dch48
Senior Member
Posts: 1822
Joined: 2011-10-09
Senior Member
Posts: 1822
Joined: 2011-10-09
#5353722 Posted on: 11/02/2016 04:10 AM
No, it means you shouldn't use Win10 but most sensible people know that already 
The sensible, non tin foil hat wearing people, ARE using Windows 10.
Dch48
Senior Member
Posts: 1822
Joined: 2011-10-09
Senior Member
Posts: 1822
Joined: 2011-10-09
#5353724 Posted on: 11/02/2016 04:16 AM
Really a dickhead move by Google.
Really a dickhead move by Google.
PrMinisterGR
Senior Member
Posts: 7004
Joined: 2014-09-27
Senior Member
Posts: 7004
Joined: 2014-09-27
#5353729 Posted on: 11/02/2016 05:01 AM
I completely get what you mean, but to my defense, Google has been much friendlier to Apple than to Microsoft.
Google...or MS...world domination...that's almost like picking between Trump and Clinton.... I don't see why Google can't wait a bit longer prior to publishing exploits.
I completely get what you mean, but to my defense, Google has been much friendlier to Apple than to Microsoft.
schmidtbag
Senior Member
Posts: 4491
Joined: 2012-11-10
Senior Member
Posts: 4491
Joined: 2012-11-10
#5353855 Posted on: 11/02/2016 02:25 PM
I don't really get what people are so upset about. Sure, Google didn't have to publicly release the info on how to exploit this, but I see it as a good thing since it puts pressure on MS to get it fixed. If this was just some small hack that only a handful of people knew about, MS would probably take their time. But since it's a big deal and is already exploited, MS needs to be on their toes.
But guess what - Google is a customer of MS, too. They have their own users with Windows-based PCs and they want what's best for their employees. So yeah, I don't think it was all that unreasonable for Google to be pushy about this.
Also, I wouldn't say Chrome can be so readily comparable to Windows. But if you're going to point out vulnerabilities from web browsers, why stop at Chrome? The finger can be pointed right back at MS regarding Edge. When it comes to a feature-complete web browser, vulnerabilities are inevitable. It is virtually impossible to stop every single one without the browser becoming a chore to use or too limited.
I don't really get what people are so upset about. Sure, Google didn't have to publicly release the info on how to exploit this, but I see it as a good thing since it puts pressure on MS to get it fixed. If this was just some small hack that only a handful of people knew about, MS would probably take their time. But since it's a big deal and is already exploited, MS needs to be on their toes.
But guess what - Google is a customer of MS, too. They have their own users with Windows-based PCs and they want what's best for their employees. So yeah, I don't think it was all that unreasonable for Google to be pushy about this.
Also, I wouldn't say Chrome can be so readily comparable to Windows. But if you're going to point out vulnerabilities from web browsers, why stop at Chrome? The finger can be pointed right back at MS regarding Edge. When it comes to a feature-complete web browser, vulnerabilities are inevitable. It is virtually impossible to stop every single one without the browser becoming a chore to use or too limited.
sykozis
Senior Member
Posts: 21050
Joined: 2008-07-14
Senior Member
Posts: 21050
Joined: 2008-07-14
#5353874 Posted on: 11/02/2016 03:20 PM
I dont think this good idea on googles part a Browser is far cry from an OS exploit
why would out there own issues with there own os then not doing so makes them look like hypocrites.
Google has allowed vulnerabilities to exist in Android since Gingerbread. Yet, they never announce to the world that the vulnerabilities, which they've known about for several years now, have not been fixed...
I dont think this good idea on googles part a Browser is far cry from an OS exploit
why would out there own issues with there own os then not doing so makes them look like hypocrites.
Google has allowed vulnerabilities to exist in Android since Gingerbread. Yet, they never announce to the world that the vulnerabilities, which they've known about for several years now, have not been fixed...
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 7713
Joined: 2005-12-06
Microsoft has publicly said 10 days is too short as the correct code must undergo validation testing. This is a feet dragging excuse made by every tech company. SSD has problem that needs correction by firmware? Company says the fix is undergoing testing. New BIOS to correct memory instability? Company says the fix is undergoing testing. New code to fix security exploit? Company says the fix is undergoing testing. Problem is, if they knew how to validate properly the flaw wouldn't be there in the first place. More time for testing is just a delay tactic.
That's just not true. It is impossible to test for every possible configuration these days. No hardware/software is going to be released bug free. It's just not possible. And rather than push out a fix immediately that could potentially break something for a large number of other users, they need to test it properly. It's smart business. Otherwise, you'll end up getting sued by all the entitled idiots in the world.