posted by on Monday February 20 2017, @06:24PM
from the black-hats-now-have-a-month-to-play dept.

For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement. The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll), which is a library that enables applications to use graphics and formatted text on both the video display and a local printer.

According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016 and fixed in June 2016 via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported remained vulnerable. Following subsequent tests, the researcher resubmitted his bug report in November, and Microsoft failed to patch it within the 90-day interval Google allows vendors to fix bugs before it goes public with its reports.

This is the second time Google has taken this step against Microsoft: in November 2016 it disclosed details about a zero-day exploited by a cyber-espionage group known as APT28 (Strontium) a few days before Microsoft's November Patch Tuesday. Back then, Google said it took this step to allow users to protect themselves until Microsoft published a patch. Microsoft's Terry Myerson, Executive Vice President, Windows and Devices Group, didn't see it the same way, describing Google's actions as "disappointing" because they put customers at greater risk of exploitation.

Source:
https://www.bleepingcomputer.com/news/microsoft/after-microsoft-delayed-patch-tuesday-google-discloses-windows-bug/


  • (Score: 0) by Anonymous Coward on Monday February 20 2017, @07:19PM (#469388)

    Yes, but perhaps we'd also like it if they took security seriously in the first place. There's no good reason for them to delay the fixes that they believe are ready just so they can make enterprise customers happy by releasing them all at once.

    Considering that most Windows users aren't in a position to test the patches, it's quite irresponsible of MS to delay patches arbitrarily based on things other than testing.

  • (Score: 2) by bob_super (1357) on Monday February 20 2017, @08:16PM (#469414)

    There could be a gentlemen's agreement between Google and Microsoft, where the latter politely requests another month of non-disclosure to tweak a particularly unstable patch. Google could request proof that work is in progress, and hold off.
    Now we have the bug in the wild and a few weeks' window to a fix...

    • (Score: 4, Interesting) by zocalo (302) on Monday February 20 2017, @08:31PM (#469422)

      There could have been (let's get the correct case), and there's certainly precedent as Google has done exactly that before, e.g. with Apple, but it seems that in this case that didn't happen. Timing may have a lot to do with that, of course; MS only seemed to pull Patch Tuesday on the day itself via a curt one-liner on their blog, and Google's disclosure grace period expired only a few days later, prompting the disclosure. Whatever went wrong with the patch release, contacting Google probably wasn't all that high on the agenda until it was too late, and since Google is very clear on what their disclosure policies are and sticks to them, the end result was inevitable.

      Besides, since MS has stopped giving advance notice of what it will be patching each month, we don't actually know for certain that they were even going to patch the bug this month anyway. It's *thought* that they were, but with MS that's hardly a guarantee, is it?
      --
      UNIX? They're not even circumcised! Savages!