For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement. The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll), which is a library that enables applications to use graphics and formatted text on both the video display and a local printer.
According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable. Following subsequent tests, the researcher resubmitted his bug report in November, which Microsoft failed to patch in the 90 days interval Google allows vendors to fix bugs before going public with its reports.
This is the second time Google has taken this step against Microsoft after in November 2016 it disclosed details about a zero-day exploited by a cyber-espionage group known as APT28 (Strontium) a few days before Microsoft's November Patch Tuesday. Back then, Google said it took this step to allow users to protect themselves until Microsoft published a patch. Microsoft's Terry Myerson, Executive Vice President, Windows and Devices Group, didn't see it the same way, describing Google's actions as "disappointing" because it put customers at greater risk of exploitation.
Related Stories
It's reported that, as of 11 April, patches are available for a security bug in Microsoft Office and in Wordpad which was disclosed to the company in October. The flaw was widely exploited after McAfee blogged about it. It affects Microsoft Office 2007 SP3 and Windows Vista SP2; the latter was released in May 2009 and the former in October 2011.
In related news, The Register (nonCloud-flare link) says that
[...] CVE-2017-0210 in Internet Explorer, and CVE-2017-2605 in Office – are being actively attacked in the wild by miscreants and the Dridex malware. That latter bug has no patch, by the way: Microsoft just switched off an exploited PostScript filter by default.
further information: CVE-2017-0199
coverage:
related story:
After Microsoft Delays Patch Tuesday, Google Discloses Windows Bug
(Score: 0) by Anonymous Coward on Monday February 20 2017, @07:06PM
I would rather they push it a bit than release a borked one.
Lets say for nice round numbers there are 100million people running windows. Lets say 1% of the computers eats themselves. That is 1 million broken computers. They are playing with a scale that where lots of people have a bad day.
We *want* MS to get this right. I have suffered through a couple of botched windows updates. It is not fun.
(Score: 0) by Anonymous Coward on Monday February 20 2017, @07:19PM
Yes, but perhaps we'd also like it if they took security seriously in the first place. There's no good reason for them to delay the fixes that they believe are ready just so they can make enterprise customers happy by releasing them all at once.
Considering that most Windows users aren't in a position to test the patches, it's quite irresponsible of MS to delay patches arbitrarily based on things other than testing.
(Score: 2) by bob_super on Monday February 20 2017, @08:16PM
There could be a gentlemen's agreement between Google and Microsoft, where the latter politely requests another month of non-disclosure to tweak a particularly unstable patch. Google could request proof that work is in progress, and hold off.
Now we have the bug in the wild and a few weeks' window to a fix...
(Score: 4, Interesting) by zocalo on Monday February 20 2017, @08:31PM
Besides, since MS has stopped giving advance notice of what it will be patching each month, we don't actually know for certain that they were even going to patch the bug this month anyway. It's *thought* that they were, but with MS that's hardly a guarantee, is it?
UNIX? They're not even circumcised! Savages!
(Score: 2, Insightful) by aristarchus on Monday February 20 2017, @07:34PM
We *want* MS to get this right. I have suffered through a couple of botched windows updates. It is not fun.
No, *we* don't. We want MS to get it wrong, and die, but then, they already have. You, on the other hand, seem to be suffering from Stockholm Syndrome! Seek help! "Hey, over here!! Found another victim of the Bowling Green Stockholm Swedish Massacre!!!"
(Score: 0) by Anonymous Coward on Monday February 20 2017, @07:42PM
Oh yes I *love* fixing broken computers. I have nothing better to do with my day. If you will excuse me I am off to fix my linux box. It has decided to only show half of any list controls.
Windows *is* the desktop market. Deal.
Linux *is* the embedded/server market. Deal.
"Hey, over here!! Found another victim of the Bowling Green Stockholm Swedish Massacre!!!"
That has jack and shit to do with this? Perhaps you should stop watching news and actually do something. But if you want politics here you go. https://www.youtube.com/watch?v=V1ulkykn7jc [youtube.com]
(Score: 0) by Anonymous Coward on Monday February 20 2017, @09:51PM
That has jack and shit to do with this?
You must be new here. Most of what ari posts is only marginally intelligible or related to the topic at hand.
(Score: 2, Redundant) by aristarchus on Monday February 20 2017, @11:16PM
Most of what ari posts is only marginally intelligible or related to the topic at hand.
Yes, of course. Indulge me, however! Marginal intelligibility can be the fault of the poster, or of the reader. Same goes for relevance. Do try to keep up.
Our original AC here seemed to me to be a generic Micro$erf shill, possibly a bot. But I thought that would be a rude thing to say. So I opted to suggest that perhaps Microsofties these days are deluded and held captive by their failing proprietor, much as victims of the "Stockholm Syndrome" will come to sympathize with and even support their captors.
And of course, Stockholm is in Sweden, and as everyone knows, something terrible happened in Sweden, as reported in Florida, by someone who listens to Faux news. Do the connections make sense now, my dear AC? Do I need to explain it one more time?
(Score: 0) by Anonymous Coward on Tuesday February 21 2017, @01:15AM
Do the connections make sense now, my dear AC? Do I need to explain it one more time?
Loud and clear. You are an ass with the mentality of a twelve year old who still thinks replacing $ for S is ROTFLMAOBBQ funny still. Got it.
Also today I learned from aristarchus that I am a microsoft shill. Where do I sign up for my shill money? Do they have some sort of payment system?
And of course, Stockholm is in Sweden, and as everyone knows, something terrible happened in Sweden,
Again you are trying to make it political. Perhaps you need to re-evaluate who you are and why you are posting on the internet. There are plenty of political boards out there to spew you stupid junk. I may suggest https://www.reddit.com/r/politics/ [reddit.com] They like making sweeping generalizations there. I have even heard you can get paid to do it too.
My point is I wanted them to go slow and actually fix it right before giving me broken software. Somehow you turned that into I am a shill. You are mental.
(Score: 2, Insightful) by aristarchus on Tuesday February 21 2017, @01:33AM
My point is I wanted them to go slow and actually fix it right before giving me broken software. Somehow you turned that into I am a shill. You are mental.
Now I see your point! But that does not affect my point, which is that you have no right to speak for "us". You are a Microsoft user? You want them to "fix" it? This would be funny, if it were not so sad. Not sure which is worse, the "wanting", or the believing a fix is possible. There is only one solution: You must cease using proprietary software. You are hurting the rest of the world. Whether you are being paid to do this or not is not relevant. And you do seem to be a bit touchy about the whole thing. Do you think that Mi¢rǿṩoʄt could come up with a patch for your attitude? You seem to be incorrectly identifying "mentals".
(Score: 0) by Anonymous Coward on Tuesday February 21 2017, @03:51PM
so you're saying you enjoy botched windows upgrades. got it.
(Score: 2) by aristarchus on Tuesday February 21 2017, @06:18PM
so you're saying you enjoy botched windows upgrades. got it.
Actually, I am saying I have never seen one! The last Windoxa system I ran was Win95. Oh, wait, that means I must have seen some, but there was no internet with Win95, only some patched together TCP/IP stack called Trumpet using winsock, or something, so the botch usually involved floppy disks. But I haven't "enjoyed" Micro$erf "upgrays" since circa 1996. You can do the same thing! Come to the Linux side! Now with systemd, to make windows refugees feel more at home. Act now, before there is another executive order banning refugees.
(Score: 0) by Anonymous Coward on Monday February 20 2017, @11:29PM
Windows *is* the desktop market. Deal.
But it doesn't have to be that way for you as an individual if you refuse to use proprietary software, as you should.
(Score: 1) by WillR on Tuesday February 21 2017, @02:40PM
We can't all be ACs living in mom and dad's basement into our 40s.
(Score: 2) by LoRdTAW on Tuesday February 21 2017, @01:30PM
It's not stockholm syndrome, it's survival. As an individual, I can vote with my feet/wallet. But that only works at the individual level. At work I have to get shit done. That requires productivity software that is written by companies who only care about market share and that happens to be Windows. I don't like it. But we have to live with it. Wishing Windows dies when no decent alternative exists besides an over priced walled garden or a scatterbrained mess is a naive at best.
(Score: 0) by Anonymous Coward on Wednesday February 22 2017, @12:09AM
You have my condolences, you poor bastard! But then, just who are you calling a scatterbrained mess?
(Score: 2) by JoeMerchant on Tuesday February 21 2017, @01:24AM
Without this kind of pressure, they never get around to releasing any patches. Historically proven.
🌻🌻 [google.com]
(Score: 2, Insightful) by Anonymous Coward on Monday February 20 2017, @07:08PM
apology for poor english
where were you when microsoft dies?
i was sat at home using linux when google ring
'microsoft is kill'
'no'
(Score: 2) by wonkey_monkey on Monday February 20 2017, @08:04PM
That's really rather poetic.
systemd is Roko's Basilisk
(Score: 2) by Gaaark on Tuesday February 21 2017, @12:35AM
It's a MS H1B outsourced haiku!
MS been berry berry good to me.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Tuesday February 21 2017, @12:36AM
We really need a +1 Poetic mod. For the quality of modding is not strain'd; it falleth like the gentle rain from heaven.
(Score: 5, Insightful) by jcross on Monday February 20 2017, @08:03PM
The quote sounds less like bullshit if you flip it around: "Google's Mateusz Jurczyk, of Project Zero, didn't see it the same way, describing Microsoft's actions as "disappointing" because it put customers at greater risk of exploitation."
(Score: 2, Insightful) by Anonymous Coward on Monday February 20 2017, @08:12PM
The problem is that both sides are 100% correct.
Google's position: This is now a known exploit, and if we found it there is a good chance somebody else has already found it and is using it. By keeping it a secret people will continue to be exploited with no way to protect themselves, and companies have a long of not fixing problems which aren't actively publicized. We need to publicize it so people can take precautionary steps, and to put pressure on Microsoft to fix the problem.
Microsoft's position: By releasing the details of this exploit, you have guaranteed that the entire world knows about it. Obviously there will be some black-hat hackers who did not know about this before but now do, especially low skilled black-hats. As such, by releasing details of the exploit prior to a fix being put in place, you have made more people more vulnerable from more attacks than before.
That's what makes the morality behind these types of public bug reports questionable regardless of what you do. It is very much a damned if you do, damned if you don't type situation.
(Score: 4, Insightful) by https on Monday February 20 2017, @10:28PM
You are exceptionally mistaken. At least one "side" is very far from 100% correct, namely, more black hats knowing about an exploit does not change the number of computers (or people) vulnerable to that exploit.
Offended and laughing about it.
(Score: 2, Disagree) by Hairyfeet on Tuesday February 21 2017, @03:43AM
Would you say the same if this was another Linux bug like Shellshock or Ghost? The problem with Google's line of thinking is it is basically an is ought fallacy [wikipedia.org] in that because there IS one person who knows of this flaw (The Google researcher) that there OUGHT to be a bunch of hackers that already know this....where is the evidence to back up this assertion? There isn't any. As we saw with shellshock just because there is a bug in the wild does NOT mean its being exploited, the bug in Bash lasted how many years? Something like 2 decades wasn't it? Before it was exploited.
All Google has done is make 100% certain that this WILL be exploited and it will be because of them.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by tangomargarine on Tuesday February 21 2017, @03:46PM
it is basically an is ought fallacy
The name of that page is actually "is-out problem", not fallacy. Apparently there's philosophical arguments for both sides of it.
Critics of religion have argued that the is–ought distinction threatens the validity of secular ethics, by, in the critics' view, rendering secular ethical systems subjective and arbitrary.[4]
namely, more black hats knowing about an exploit does not change the number of computers (or people) vulnerable to that exploit.
You didn't actually speak to the GP's point, either. If X computers are vulnerable to it, you can either have A) a single hacker with the resources to disseminate malware widely, or B) a group of hackers that are rather lazy or ineffectual. In either case, the same number of computers are still vulnerable.
Would you say the same if this was another Linux bug like Shellshock or Ghost?
At least we know with certainty that Hairyfeet would be bitching about it.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Tuesday February 21 2017, @03:48PM
*is-ought, blarg
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Wednesday February 22 2017, @08:44AM
But you see, RumbaOleo, it becomes a fallacy when you misspell it! Or when you fallaciously attempt to derive an "ought" (normative statement) from an "is" (descriptive statement). So, simply, just because Microsoft has a dwindling monopoly in fact, that does not mean that it should, and it certainly does not mean that you should collaborate and re-enforce said monopoly. "You may say that I'm a dreamer; But I'm not the only one."
(Score: 2) by tangomargarine on Wednesday February 22 2017, @03:45PM
Is-Ought is an ethical problem; it's not a justification for stuff you don't like being evil.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday February 21 2017, @02:49PM
i think it makes sense to disclose early if a 0-exploit is detected being used.
after all we are not completely reliant on closed-sourced M$ ... we have firewalls and can
opt not to use a certain software/component or disable it (in the mean time)?
(Score: 1, Insightful) by Anonymous Coward on Tuesday February 21 2017, @03:11PM
Microsoft could solve this problem easily, you know. By going back to the previous patch model, with separate patches per problem, instead of these mega-patches they've been using to force telemetry updates and who knows what else on people. But they want the control in information siphoning instead of security. Really can't blame any of that on Google.
(Score: 4, Interesting) by mcgrew on Monday February 20 2017, @08:27PM
Agreed. Like I said [mcgrewbooks.com] way back in 2002:
mcgrewbooks.com mcgrew.info nooze.org
(Score: 3, Insightful) by Gaaark on Tuesday February 21 2017, @12:50AM
Ab-so-whorely!!!! If Ms won't take security as a high priority, let the user do so. If the user knows jack shit, that is their and MS's problem.
Reveal the hole and force MS to either dither at their users expense (which they did before secure OS's came along and forced them to deal with security and stability) or release good patches.
Why are people supporting MS's bad user support??? I just don't get it!
Window sucks, MS support sucks. And yet people keep carrying the monkey.
Just. Don't. Get. It.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 4, Insightful) by cafebabe on Monday February 20 2017, @11:02PM
So, getting out of the current computer "security" farce relies on mis-aligned interests between corporations? And when those interests align, we won't know the details? We're screwed.
1702845791×2