SoylentNews is people

posted by on Monday February 20 2017, @06:24PM
from the black-hats-now-have-a-month-to-play dept.

For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement. The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll), which is a library that enables applications to use graphics and formatted text on both the video display and a local printer.

According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016 and fixed in June 2016 via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient and some of the issues he reported remained vulnerable. Following subsequent tests, the researcher resubmitted his bug report in November, and Microsoft failed to patch it within the 90-day interval Google allows vendors to fix bugs before it goes public with its reports.

This is the second time Google has taken this step against Microsoft: in November 2016 it disclosed details about a zero-day exploited by a cyber-espionage group known as APT28 (Strontium) a few days before Microsoft's November Patch Tuesday. Back then, Google said it took this step to allow users to protect themselves until Microsoft published a patch. Microsoft's Terry Myerson, Executive Vice President, Windows and Devices Group, didn't see it the same way, describing Google's actions as "disappointing" because they put customers at greater risk of exploitation.

Source:
https://www.bleepingcomputer.com/news/microsoft/after-microsoft-delayed-patch-tuesday-google-discloses-windows-bug/


Related Stories

Microsoft Closes Word/Wordpad Hole—6 Months after Report

It's reported that, as of 11 April, patches are available for a security bug in Microsoft Office and in Wordpad which was disclosed to the company in October. The flaw was widely exploited after McAfee blogged about it. It affects Microsoft Office 2007 SP3 and Windows Vista SP2; the latter was released in May 2009 and the former in October 2011.

In related news, The Register (non-Cloudflare link) says that

> [...] CVE-2017-0210 in Internet Explorer, and CVE-2017-2605 in Office – are being actively attacked in the wild by miscreants and the Dridex malware. That latter bug has no patch, by the way: Microsoft just switched off an exploited PostScript filter by default.

further information: CVE-2017-0199

related story:
After Microsoft Delays Patch Tuesday, Google Discloses Windows Bug


This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Monday February 20 2017, @07:06PM

    by Anonymous Coward on Monday February 20 2017, @07:06PM (#469380)

    I would rather they push it a bit than release a borked one.

    Let's say, for nice round numbers, there are 100 million people running Windows. Let's say 1% of the computers eat themselves. That is 1 million broken computers. They are playing at a scale where lots of people have a bad day.

    We *want* MS to get this right. I have suffered through a couple of botched Windows updates. It is not fun.

    • (Score: 0) by Anonymous Coward on Monday February 20 2017, @07:19PM

      by Anonymous Coward on Monday February 20 2017, @07:19PM (#469388)

      Yes, but perhaps we'd also like it if they took security seriously in the first place. There's no good reason for them to delay the fixes that they believe are ready just so they can make enterprise customers happy by releasing them all at once.

      Considering that most Windows users aren't in a position to test the patches, it's quite irresponsible of MS to delay patches arbitrarily based on things other than testing.

      • (Score: 2) by bob_super on Monday February 20 2017, @08:16PM

        by bob_super (1357) on Monday February 20 2017, @08:16PM (#469414)

        There could be a gentlemen's agreement between Google and Microsoft, where the latter politely requests another month of non-disclosure to tweak a particularly unstable patch. Google could request proof that work is in progress, and hold off.
        Now we have the bug in the wild and a few weeks' window to a fix...

        • (Score: 4, Interesting) by zocalo on Monday February 20 2017, @08:31PM

          by zocalo (302) on Monday February 20 2017, @08:31PM (#469422)
          There could have been (let's get the correct case), and there's certainly precedent as Google has done exactly that before, e.g. with Apple, but it seems that in this case that didn't happen. Timing may have a lot to do with that, of course; MS only seemed to pull Patch Tuesday on the day itself via a curt one-liner on their blog, and Google's disclosure grace period expired only a few days later, prompting the disclosure. Whatever went wrong with the patch release, contacting Google probably wasn't all that high on the agenda until it was too late, and since Google is very clear on what their disclosure policies are and sticks to them, the end result was inevitable.

          Besides, since MS has stopped giving advance notice of what it will be patching each month, we don't actually know for certain that they were even going to patch the bug this month anyway. It's *thought* that they were, but with MS that's hardly a guarantee, is it?
          --
          UNIX? They're not even circumcised! Savages!
    • (Score: 2, Insightful) by aristarchus on Monday February 20 2017, @07:34PM

      by aristarchus (2645) on Monday February 20 2017, @07:34PM (#469396) Journal

      > We *want* MS to get this right. I have suffered through a couple of botched windows updates. It is not fun.

      No, *we* don't. We want MS to get it wrong, and die, but then, they already have. You, on the other hand, seem to be suffering from Stockholm Syndrome! Seek help! "Hey, over here!! Found another victim of the Bowling Green Stockholm Swedish Massacre!!!"

      • (Score: 0) by Anonymous Coward on Monday February 20 2017, @07:42PM

        by Anonymous Coward on Monday February 20 2017, @07:42PM (#469399)

        Oh yes, I *love* fixing broken computers. I have nothing better to do with my day. If you will excuse me, I am off to fix my Linux box. It has decided to only show half of any list controls.

        Windows *is* the desktop market. Deal.

        Linux *is* the embedded/server market. Deal.

        > "Hey, over here!! Found another victim of the Bowling Green Stockholm Swedish Massacre!!!"
        That has jack and shit to do with this? Perhaps you should stop watching news and actually do something. But if you want politics here you go. https://www.youtube.com/watch?v=V1ulkykn7jc [youtube.com]

        • (Score: 0) by Anonymous Coward on Monday February 20 2017, @09:51PM

          by Anonymous Coward on Monday February 20 2017, @09:51PM (#469456)

          > That has jack and shit to do with this?

          You must be new here. Most of what ari posts is only marginally intelligible or related to the topic at hand.

          • (Score: 2, Redundant) by aristarchus on Monday February 20 2017, @11:16PM

            by aristarchus (2645) on Monday February 20 2017, @11:16PM (#469489) Journal

            > Most of what ari posts is only marginally intelligible or related to the topic at hand.

            Yes, of course. Indulge me, however! Marginal intelligibility can be the fault of the poster, or of the reader. Same goes for relevance. Do try to keep up.

            Our original AC here seemed to me to be a generic Micro$erf shill, possibly a bot. But I thought that would be a rude thing to say. So I opted to suggest that perhaps Microsofties these days are deluded and held captive by their failing proprietor, much as victims of the "Stockholm Syndrome" will come to sympathize with and even support their captors.

            And of course, Stockholm is in Sweden, and as everyone knows, something terrible happened in Sweden, as reported in Florida, by someone who listens to Faux news. Do the connections make sense now, my dear AC? Do I need to explain it one more time?

            • (Score: 0) by Anonymous Coward on Tuesday February 21 2017, @01:15AM

              by Anonymous Coward on Tuesday February 21 2017, @01:15AM (#469527)

              > Do the connections make sense now, my dear AC? Do I need to explain it one more time?

              Loud and clear. You are an ass with the mentality of a twelve-year-old who still thinks replacing $ for S is ROTFLMAOBBQ funny. Got it.

              Also, today I learned from aristarchus that I am a Microsoft shill. Where do I sign up for my shill money? Do they have some sort of payment system?

              > And of course, Stockholm is in Sweden, and as everyone knows, something terrible happened in Sweden,

              Again you are trying to make it political. Perhaps you need to re-evaluate who you are and why you are posting on the internet. There are plenty of political boards out there to spew your stupid junk. I may suggest https://www.reddit.com/r/politics/ [reddit.com] They like making sweeping generalizations there. I have even heard you can get paid to do it too.

              My point is I wanted them to go slow and actually fix it right before giving me broken software. Somehow you turned that into I am a shill. You are mental.

              • (Score: 2, Insightful) by aristarchus on Tuesday February 21 2017, @01:33AM

                by aristarchus (2645) on Tuesday February 21 2017, @01:33AM (#469536) Journal

                > My point is I wanted them to go slow and actually fix it right before giving me broken software. Somehow you turned that into I am a shill. You are mental.

                Now I see your point! But that does not affect my point, which is that you have no right to speak for "us". You are a Microsoft user? You want them to "fix" it? This would be funny, if it were not so sad. Not sure which is worse, the "wanting", or the believing a fix is possible. There is only one solution: You must cease using proprietary software. You are hurting the rest of the world. Whether you are being paid to do this or not is not relevant. And you do seem to be a bit touchy about the whole thing. Do you think that Mi¢rǿṩoʄt could come up with a patch for your attitude? You seem to be incorrectly identifying "mentals".

                • (Score: 0) by Anonymous Coward on Tuesday February 21 2017, @03:51PM

                  by Anonymous Coward on Tuesday February 21 2017, @03:51PM (#469729)

                  so you're saying you enjoy botched windows upgrades. got it.

                  • (Score: 2) by aristarchus on Tuesday February 21 2017, @06:18PM

                    by aristarchus (2645) on Tuesday February 21 2017, @06:18PM (#469800) Journal

                    > so you're saying you enjoy botched windows upgrades. got it.

                    Actually, I am saying I have never seen one! The last Windoxa system I ran was Win95. Oh, wait, that means I must have seen some, but there was no internet with Win95, only some patched together TCP/IP stack called Trumpet using winsock, or something, so the botch usually involved floppy disks. But I haven't "enjoyed" Micro$erf "upgrays" since circa 1996. You can do the same thing! Come to the Linux side! Now with systemd, to make windows refugees feel more at home. Act now, before there is another executive order banning refugees.

        • (Score: 0) by Anonymous Coward on Monday February 20 2017, @11:29PM

          by Anonymous Coward on Monday February 20 2017, @11:29PM (#469495)

          > Windows *is* the desktop market. Deal.

          But it doesn't have to be that way for you as an individual if you refuse to use proprietary software, as you should.

          • (Score: 1) by WillR on Tuesday February 21 2017, @02:40PM

            by WillR (2012) on Tuesday February 21 2017, @02:40PM (#469682)
            It does if you have a job, unfortunately.
            We can't all be ACs living in mom and dad's basement into our 40s.
      • (Score: 2) by LoRdTAW on Tuesday February 21 2017, @01:30PM

        by LoRdTAW (3755) on Tuesday February 21 2017, @01:30PM (#469666) Journal

        It's not Stockholm syndrome, it's survival. As an individual, I can vote with my feet/wallet. But that only works at the individual level. At work I have to get shit done. That requires productivity software that is written by companies who only care about market share, and that happens to be Windows. I don't like it. But we have to live with it. Wishing Windows dies when no decent alternative exists besides an overpriced walled garden or a scatterbrained mess is naive at best.

        • (Score: 0) by Anonymous Coward on Wednesday February 22 2017, @12:09AM

          by Anonymous Coward on Wednesday February 22 2017, @12:09AM (#469939)

          You have my condolences, you poor bastard! But then, just who are you calling a scatterbrained mess?

    • (Score: 2) by JoeMerchant on Tuesday February 21 2017, @01:24AM

      by JoeMerchant (3937) on Tuesday February 21 2017, @01:24AM (#469530)

      Without this kind of pressure, they never get around to releasing any patches. Historically proven.

      --
      🌻🌻 [google.com]
  • (Score: 2, Insightful) by Anonymous Coward on Monday February 20 2017, @07:08PM

    by Anonymous Coward on Monday February 20 2017, @07:08PM (#469381)

    apology for poor english

    where were you when microsoft dies?

    i was sat at home using linux when google ring

    'microsoft is kill'

    'no'

    • (Score: 2) by wonkey_monkey on Monday February 20 2017, @08:04PM

      by wonkey_monkey (279) on Monday February 20 2017, @08:04PM (#469408) Homepage

      That's really rather poetic.

      --
      systemd is Roko's Basilisk
      • (Score: 2) by Gaaark on Tuesday February 21 2017, @12:35AM

        by Gaaark (41) on Tuesday February 21 2017, @12:35AM (#469511) Journal

        It's a MS H1B outsourced haiku!

        MS been berry berry good to me.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 0) by Anonymous Coward on Tuesday February 21 2017, @12:36AM

        by Anonymous Coward on Tuesday February 21 2017, @12:36AM (#469513)

        We really need a +1 Poetic mod. For the quality of modding is not strain'd; it falleth like the gentle rain from heaven.

  • (Score: 5, Insightful) by jcross on Monday February 20 2017, @08:03PM

    by jcross (4009) on Monday February 20 2017, @08:03PM (#469407)

    The quote sounds less like bullshit if you flip it around: "Google's Mateusz Jurczyk, of Project Zero, didn't see it the same way, describing Microsoft's actions as "disappointing" because it put customers at greater risk of exploitation."

    • (Score: 2, Insightful) by Anonymous Coward on Monday February 20 2017, @08:12PM

      by Anonymous Coward on Monday February 20 2017, @08:12PM (#469412)

      The problem is that both sides are 100% correct.

      Google's position: This is now a known exploit, and if we found it there is a good chance somebody else has already found it and is using it. By keeping it a secret, people will continue to be exploited with no way to protect themselves, and companies have a long history of not fixing problems which aren't actively publicized. We need to publicize it so people can take precautionary steps, and to put pressure on Microsoft to fix the problem.

      Microsoft's position: By releasing the details of this exploit, you have guaranteed that the entire world knows about it. Obviously there will be some black-hat hackers who did not know about this before but now do, especially low skilled black-hats. As such, by releasing details of the exploit prior to a fix being put in place, you have made more people more vulnerable from more attacks than before.

      That's what makes the morality behind these types of public bug reports questionable regardless of what you do. It is very much a damned if you do, damned if you don't type situation.

      • (Score: 4, Insightful) by https on Monday February 20 2017, @10:28PM

        by https (5248) on Monday February 20 2017, @10:28PM (#469469) Journal

        You are exceptionally mistaken. At least one "side" is very far from 100% correct, namely, more black hats knowing about an exploit does not change the number of computers (or people) vulnerable to that exploit.

        --
        Offended and laughing about it.
        • (Score: 2, Disagree) by Hairyfeet on Tuesday February 21 2017, @03:43AM

          by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Tuesday February 21 2017, @03:43AM (#469559) Journal

          Would you say the same if this was another Linux bug like Shellshock or Ghost? The problem with Google's line of thinking is it is basically an is ought fallacy [wikipedia.org] in that because there IS one person who knows of this flaw (the Google researcher) there OUGHT to be a bunch of hackers that already know this....where is the evidence to back up this assertion? There isn't any. As we saw with Shellshock, just because there is a bug in the wild does NOT mean it's being exploited; the bug in Bash lasted how many years? Something like 2 decades, wasn't it? Before it was exploited.

          All Google has done is make 100% certain that this WILL be exploited and it will be because of them.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 2) by tangomargarine on Tuesday February 21 2017, @03:46PM

            by tangomargarine (667) on Tuesday February 21 2017, @03:46PM (#469723)

            > it is basically an is ought fallacy

            The name of that page is actually "is-out problem", not fallacy. Apparently there's philosophical arguments for both sides of it.

            > Critics of religion have argued that the is–ought distinction threatens the validity of secular ethics, by, in the critics' view, rendering secular ethical systems subjective and arbitrary.[4]

            > namely, more black hats knowing about an exploit does not change the number of computers (or people) vulnerable to that exploit.

            You didn't actually speak to the GP's point, either. If X computers are vulnerable to it, you can either have A) a single hacker with the resources to disseminate malware widely, or B) a group of hackers that are rather lazy or ineffectual. In either case, the same number of computers are still vulnerable.

            > Would you say the same if this was another Linux bug like Shellshock or Ghost?

            At least we know with certainty that Hairyfeet would be bitching about it.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 2) by tangomargarine on Tuesday February 21 2017, @03:48PM

              by tangomargarine (667) on Tuesday February 21 2017, @03:48PM (#469725)

              *is-ought, blarg

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
              • (Score: 0) by Anonymous Coward on Wednesday February 22 2017, @08:44AM

                by Anonymous Coward on Wednesday February 22 2017, @08:44AM (#470062)

                But you see, RumbaOleo, it becomes a fallacy when you misspell it! Or when you fallaciously attempt to derive an "ought" (normative statement) from an "is" (descriptive statement). So, simply, just because Microsoft has a dwindling monopoly in fact, that does not mean that it should, and it certainly does not mean that you should collaborate and reinforce said monopoly. "You may say that I'm a dreamer; But I'm not the only one."

                • (Score: 2) by tangomargarine on Wednesday February 22 2017, @03:45PM

                  by tangomargarine (667) on Wednesday February 22 2017, @03:45PM (#470228)

                  Is-Ought is an ethical problem; it's not a justification for stuff you don't like being evil.

                  --
                  "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Tuesday February 21 2017, @02:49PM

        by Anonymous Coward on Tuesday February 21 2017, @02:49PM (#469689)

        i think it makes sense to disclose early if a 0-exploit is detected being used. after all we are not completely reliant on closed-sourced M$ ... we have firewalls and can opt not to use a certain software/component or disable it (in the meantime)?

      • (Score: 1, Insightful) by Anonymous Coward on Tuesday February 21 2017, @03:11PM

        by Anonymous Coward on Tuesday February 21 2017, @03:11PM (#469705)

        Microsoft could solve this problem easily, you know. By going back to the previous patch model, with separate patches per problem, instead of these mega-patches they've been using to force telemetry updates and who knows what else on people. But they want the control in information siphoning instead of security. Really can't blame any of that on Google.

    • (Score: 4, Interesting) by mcgrew on Monday February 20 2017, @08:27PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Monday February 20 2017, @08:27PM (#469420) Homepage Journal

      Agreed. Like I said [mcgrewbooks.com] way back in 2002:

      In other broken PC news, Rob Lemos (the Linux guy) writes in ZD News of the “Organization for Internet Safety.” This new outfit is supposed to keep your PC secure.

      Microsoft is at the helm. This, of course, means that your data will not be secure. When Microsoft talks “security”, they are talking about Microsoft's security, not yours. They don't give a rat's ass about your security, they care about the security forty billion dollars brings and they're not going to let security holes in their software screw that up for them.

      Lemos reports “The group springs from discussions between Microsoft and a handful of security companies on the responsible reporting of software bugs, known as vulnerabilities, that affect a business' security.”

      To hell with business security; let Microsoft and Sun worry about their own bottom lines. I don't want to wait for a damned patch to some buggy program some incompetent “programmer” hacked out, I want to know about it now, so I can take the offending piece of crap offline until a patch or workaround has been sorted out. The way I look at it, there is a 50% chance a good guy will find a hole first (assuming there are as many good guys as bad guys, which is doubtful). That means half the time the bad guys have found the hole first.

      Meaning that the bad guys have a way into my machine while the good guys are working on a patch, and only I am kept in the dark.

      People, this is not the way it should be done. If you find a hole, tell the software house about it and then scream it from the rooftops. Very Loudly and with venom. Let the world know how absolutely shitty a company has to be to allow their customers to be compromised like that, and let ME know that there is a hole in (say) Opera, so I can switch to IE; or if there is a hole in IIS so I can switch to Apache (wait a minute, IIS IS a hole).

      If it turns out that I like the “alternate” piece of software or hardware better than the original vendor's, then, well, tough shit! Microsoft security is meaningless to me. I'm worried about MY security. And if I unplug the thing, the only way you can hack it is like the Feds do: with a battering ram.

      The guidelines this group is hacking out should spell out clearly that a vendor, when notified of a hole, should immediately tell all of its customers about that hole, and recommend that they shut off the offending service, software, or hardware.

      Don't hold your breath.
      2/23/2002

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 3, Insightful) by Gaaark on Tuesday February 21 2017, @12:50AM

        by Gaaark (41) on Tuesday February 21 2017, @12:50AM (#469520) Journal

        Ab-so-whorely!!!! If Ms won't take security as a high priority, let the user do so. If the user knows jack shit, that is their and MS's problem.

        Reveal the hole and force MS to either dither at their users' expense (which they did before secure OS's came along and forced them to deal with security and stability) or release good patches.

        Why are people supporting MS's bad user support??? I just don't get it!

        Windows sucks, MS support sucks. And yet people keep carrying the monkey.

        Just. Don't. Get. It.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 4, Insightful) by cafebabe on Monday February 20 2017, @11:02PM

    by cafebabe (894) on Monday February 20 2017, @11:02PM (#469485) Journal

    So, getting out of the current computer "security" farce relies on mis-aligned interests between corporations? And when those interests align, we won't know the details? We're screwed.

    --
    1702845791×2