SoylentNews is people
SoylentNews
Google's Project Zero has disclosed a vulnerability in the Microsoft Edge web browser that bypasses the browser's Arbitrary Code Guard (ACG). Project Zero disclosed the bug 14 days after the end of the usual 90-day period, but it apparently wasn't enough time for Microsoft to patch it:
Google's Project Zero initiative tasks its security researchers with finding flaws in various software products developed by the company itself as well as other firms. Back in 2016, it revealed a serious vulnerability present in Windows 10, and reported a "crazy bad vulnerability" in Windows in 2017. Now, the firm has disclosed another security flaw in Microsoft Edge, after the Redmond giant failed to fix it in the allotted time.
[...] According to the Microsoft Security Response Center (MSRC), the problem turned out to be more complex than initially believed, due to which it was given an additional 14-day grace period by Google. Although the company missed this deadline in its February Patch Tuesday too - which forced Google to make the flaw public - Microsoft is confident that it will resolve the issue by March 13, aligning the shipment of the fix with the Patch Tuesday in March.
Also at The Verge and BetaNews.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @03:59PM (11 children)
So, it is actually fixed, but not released yet. Why this semi-hard deadline of 90 days (with 2 weeks extension). Couldn't they just wait another few weeks for disclosing it, until the patch is actually released? Why the rush of disclosing it?
(Score: 5, Informative) by takyon on Tuesday February 20 2018, @04:03PM (9 children)
https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html [blogspot.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0, Disagree) by Anonymous Coward on Tuesday February 20 2018, @04:15PM (8 children)
The embargo window is there to make sure that the vendor gets their act together and actually fixes things instead of being a black hole of bug-reports. In this case, Google acted irresponsibly because the intent of the embargo was satisfied: MSFT has been trying to get a fix working but hasn't succeeded in that yet. They could have worked with MSFT to make sure they aren't dragging their feet and actually continue on pushing a fix out but there was no reason for Google to disclose this (or not extend the embargo) aside from being dicks and doing it for a browser that is their direct competitor.
Google acted irresponsibly in this case and there is no excuse!
(Score: 5, Funny) by takyon on Tuesday February 20 2018, @04:24PM (5 children)
So the embargo window is there for a reason... but Google actually ending the embargo (albeit with a 14 day extension) is bad.
What should they do instead? Extend the window repeatedly forever? Then it's no longer a window, it's windows.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2, Funny) by realDonaldTrump on Tuesday February 20 2018, @04:36PM (4 children)
So many people who have computer, they have it for windows. For solitaire, for so many things. They love the solitaire, so interesting! Great job, Bill! Great job, Satya!
(Score: 3, Funny) by realDonaldTrump on Tuesday February 20 2018, @06:07PM (3 children)
It's a day ending in "Y" so dumb & unfair downmodders are "reading." They're not reading. Because the STORY and the other TWEET are about windows! But I tweet about windows, suddenly it's "OFFTOPIC." Not because of what I wrote. Because of who I am!!!!
(Score: 2) by DannyB on Tuesday February 20 2018, @08:20PM
Microsoft should make new Surface laptops powered by Clean Coal. Beautiful Clean Coal.
The people who rely on government handouts and refuse to work should be kicked out of congress.
(Score: 4, Interesting) by captain normal on Tuesday February 20 2018, @08:27PM (1 child)
The story and TFA are about a vulnerabilkity in MS's Edge brower that was discovered by Google's Project Zero. All the posts up to yours are about that toipic. Your post is not. So to me that seems your post could qualify as "Off topic".
If you were down moded, it probably has nothing to do with who you are (or pretend to be). Likely it was because you didn't contribute to the actual discussion.
When life isn't going right, go left.
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @06:16AM
Oh man, it's Captain Normal, the arch-nemesis of Donald Trump!
(Score: 5, Insightful) by requerdanos on Tuesday February 20 2018, @04:52PM (1 child)
Microsoft is a large enough, not-100%-trustworthy enough organization for a judgment call like that to be fraught with uncertainty. Even now, the patch isn't out, and one may be in the works and may not; all we have are words.
What has certainty is the disclosure program, which is pretty effective. That's a reason that might seem petty and spiteful, might even be petty and/or spiteful, but which was made in line with a policy that has a proven track record of improving security industry-wide.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @05:12PM
OP here...
You know what, you're not going to hear this often on the 'tubes, but the way you put it, I think you're right. I hereby recall my original post...
(Score: 1, Interesting) by Anonymous Coward on Wednesday February 21 2018, @09:06AM
The 90 days are there for marketing to get ready to spin it as not a problem, while the customers have no information about how to defend against attacks. If they could get more, they would take it. Before we started the 90 day thing, they would sit on problems for years, not fixing them until the attack became so widely known that they couldn't keep silent anymore.
That marketing are given 90 days to spin it is already a sign that software is not a mature business. Warning customers and telling them how to take preventative measures until the patch is ready should be priority one, higher than even developing a patch.
Imagine if it was discovered that a certain brand of cars had brakes that suddenly stop working. How big would the uproar be if they got 90 days before they are required to tell customers to park their cars and not move them until the brakes have been fixed?