Hey, if you're alerted to something critical and refuse to fix it, why should others stand by and let you get away with not supporting your customers and leaving them at risk?
I guess it could be argued that, since Microsoft had a patch lined up for the 13th, Google should have waited another two days, but I think that generally this sort of behavior is a good idea. It gives the larger companies incentive to fix issues with their products that they otherwise wouldn't.
They asked Google to wait two extra days till they posted it... seems a bit shitty
[QUOTE=Medevila;46910497]Microsoft had months: a solid, known 90 days in which they didn't communicate to Google that they were working on the problem. Hard to feel sympathetic.[/QUOTE]
We don't know how long the bug took to fix, and Microsoft did communicate with Google.
It's hard to side with Google on this case.
[QUOTE=Psyke89;46910968]We don't know how long the bug took to fix, and Microsoft did communicate with Google.
It's hard to side with Google on this case.[/QUOTE]
Google told Microsoft they had 90 days, and they gave them 90 days
[QUOTE=viperfan7;46911512]Google told Microsoft they had 90 days, and they gave them 90 days[/QUOTE]
And Microsoft wanted just two days more to release the patch - something that the guys at Google could have granted for the benefit of the consumer.
[QUOTE=Noss;46912127]And Microsoft wanted just two days more to release the patch - something that the guys at Google could have granted for the benefit of the consumer.[/QUOTE]
You have to draw a line though; when you start granting exceptions in one case, where does it stop, what's the new line? So yes, while Microsoft's request seems very reasonable, I can understand why Google didn't oblige it.
I also have a really hard time believing whatever the security vulnerability was, it took Microsoft three whole months to fix, but of course that's just speculation.
[QUOTE=DaMastez;46912204]You have to draw a line though; when you start granting exceptions in one case, where does it stop, what's the new line? So yes, while Microsoft's request seems very reasonable, I can understand why Google didn't oblige it.
I also have a really hard time believing whatever the security vulnerability was, it took Microsoft three whole months to fix, but of course that's just speculation.[/QUOTE]
We aren't playing here, millions of PCs became vulnerable during those 2 days. Google would have a case if Microsoft wasn't working on a fix or weren't communicating with them; they did both and promised the patch on the next scheduled update cycle so as not to raise suspicion with an out-of-cycle patch.
Security companies make exceptions like this every time; Google didn't and played around with the security of a large userbase. Saying they are in the right here is completely mental, vulnerabilities like this aren't jokes.
Releasing details for a bug that they knew would be addressed in two days anyway is a dick move.
Or you don't have to play an oracle and take more than 90 days to fix it.
I like the idea of it all, but not giving Microsoft the two days to publish it when it's pretty well known Windows patches come out on Tuesdays is kinda shitty. Yeah, Microsoft had the 90 days, but like it was stated in the article, we, and Google, don't know what went into creating the patch. Microsoft honestly could've been working on a fix the entire time and right up to the last minute for all we know. Now maybe if Microsoft's 90 days were up and they wanted another week... then yeah, go ahead and release it Google, but when it's just 2 days it seems kinda dickish and like a "gotcha" fer sure.
The way the 90 day thing works is that it serves to light a fire under the affected product's developers' asses.
Microsoft has the technology to do an update on a day other than Tuesday.
The effect of Project Zero is lost if Google says "eh it's ok you get 92 days this time but we'll go public at +90 next time, promise".
From the way the Microsoft guy is talking, the patch was/is ready, just being held for Tuesday.
That's not an excuse then; you wanted to avoid having your consumers hit by the exploit, you release your finished fix.
[QUOTE=LordCrypto;46915078]The way the 90 day thing works is that it serves to light a fire under the affected product's developers' asses.
Microsoft has the technology to do an update on a day other than Tuesday.
The effect of Project Zero is lost if Google says "eh it's ok you get 92 days this time but we'll go public at +90 next time, promise".
From the way the Microsoft guy is talking, the patch was/is ready, just being held for Tuesday.
That's not an excuse then; you wanted to avoid having your consumers hit by the exploit, you release your finished fix.[/QUOTE]
Not everybody can/will update Windows immediately, people often leave it for weeks. There's no excuse for Google doing what they did; being 2 days late on their imaginary deadlines isn't going to break their system.
Seems kind of an asshole thing to do. It's not like Microsoft was denying the bug or anything. They just wanted a few extra days to get the patch out.
[QUOTE=Elspin;46915449][B]Not everybody can/will update Windows immediately, people often leave it for weeks.[/B] There's no excuse for Google doing what they did; being 2 days late on their imaginary deadlines isn't going to break their system.[/QUOTE]
"buuut Google, Microsoft got 92 days" -- small developer
Either they give preferential treatment to Microsoft, or the entire purpose of there being a 90 day clock goes away.
Re: people not updating it, that's not on Microsoft at that point, that's on the end user.
[QUOTE=LordCrypto;46915078]The way the 90 day thing works is that it serves to light a fire under the affected product's developers' asses.
Microsoft has the technology to do an update on a day other than Tuesday.
The effect of Project Zero is lost if Google says "eh it's ok you get 92 days this time but we'll go public at +90 next time, promise".
From the way the Microsoft guy is talking, the patch was/is ready, just being held for Tuesday.
That's not an excuse then; you wanted to avoid having your consumers hit by the exploit, you release your finished fix.[/QUOTE]
Out-of-cycle updates are rare and will raise suspicion if they happen, as they have done in the past, causing someone to rush an exploit on non-updated machines.
Not to mention companies that use WSUS and only update on cycle.
If the original purpose is completely moot in this case, the patch was done, tested and had a release date. Google acted irresponsibly and could potentially have put millions of PCs at serious risk.
[editline]13th January 2015[/editline]
[QUOTE=LordCrypto;46915656]Re: people not updating it, that's not on Microsoft at that point, that's on the end user.[/QUOTE]
Throw 'em under the bus, that's responsible and the best course of action.
The purpose of releasing the patches on a Tuesday is for far more than just "we like Tuesdays :)"
[QUOTE=Psyke89;46917727]Out-of-cycle updates are rare and will raise suspicion if they happen, as they have done in the past, causing someone to rush an exploit on non-updated machines.
Not to mention companies that use WSUS and only update on cycle.
If the original purpose is completely moot in this case, the patch was done, tested and had a release date. Google acted irresponsibly and could potentially have put millions of PCs at serious risk.[/QUOTE]
And instead Microsoft let the time run out giving attackers even longer to exploit machines, along with there being no patch available to users who stay up to date for two days.
If Microsoft asked Google, and they said no, what was the benefit to still wait to release the patch on Tuesday, knowing full well the exploit would be public knowledge for two days?
[QUOTE=DaMastez;46923816]If Microsoft asked Google, and they said no[/QUOTE]
That didn't happen though, Google just went ahead and released the info with no communication.
[QUOTE=Psyke89;46913161]We aren't playing here, millions of PCs became vulnerable during those 2 days. Google would have a case if Microsoft wasn't working on a fix or weren't communicating with them; they did both and promised the patch on the next scheduled update cycle so as not to raise suspicion with an out-of-cycle patch.
Security companies make exceptions like this every time; Google didn't and played around with the security of a large userbase. Saying they are in the right here is completely mental, vulnerabilities like this aren't jokes.[/QUOTE]
It's only a local privilege escalation exploit; unless combined with specific remote code execution exploits or in very limited scenarios, it has no significant risk.
I am unsure how raising suspicion would have any impact, considering that the details about the vulnerabilities are released together with the patch.
Security companies don't have a choice regarding their public release of exploits; publicly releasing exploits regarding Microsoft products would be a violation of their MAPP agreement.
[quote=google]Correspondance Date: 11 Nov 2014
> Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.
< Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.
Correspondance Date: 11 Dec 2014
> Microsoft confirmed that they anticipate to provide fixes for these issues in January 2015.[/quote]
Well, seems like Microsoft were suitably warned.
I actually agree with keeping the deadline fixed too, since giving exceptions dulls the point of it in the first place.
Meanwhile, Google doesn't want to patch the native Android Browser to remove a vulnerability.
Why is Google acting like the internet police again? I don't think it matters who "warned" who, Google needs to fuck off and not be posting exploits of the most popular OS on the market.
[QUOTE=Elspin;46915449]Not everybody can/will update windows immediately, people often leave it for weeks. There's no excuse for google doing what they did, being 2 days late on their imaginary deadlines isn't going to break their system[/QUOTE]
all they have to do is make the patch available, not ensure 100 percent adoption
[editline]15th January 2015[/editline]
[QUOTE=Psyke89;46929304]That didn't happen though, Google just went ahead and released the info with no communication.[/QUOTE]
[quote]This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
[/quote]
the terms were very clearly communicated
Sounds like Google was intentionally breaking MS's balls or they're way too strict about the protocol on their own arbitrary number. I don't feel like breaking the number would have been a problem or set a bad precedent in this case.
The point of the project is to pressure lazy devs into fixing security issues they wouldn't otherwise fix, not punish devs who have been working on a patch and have a planned release date for it in the near future.
The point of the project is also to help protect consumers, which this absolutely did not do.
[QUOTE=Ragekipz;46933112]Meanwhile, Google doesn't want to patch the native Android Browser to remove a vulnerability.[/QUOTE]
That's because they can't deliver updates to that browser via Google Play. They can't really update it at all except through ROM updates, which aren't feasible for a variety of reasons. Google is actively trying to phase it out by replacing it with Chrome, which can be updated.
So, Google's bitching about an exploit in Windows that people didn't know about while Microsoft was just being slow to fix it; meanwhile, Google knows well that Android 4.3 and below have an exploit in them and refuses to fix it.
[QUOTE=gk99;46939223]So, Google's bitching about an exploit in Windows that people didn't know about while Microsoft was just being slow to fix it; meanwhile, Google knows well that Android 4.3 and below have an exploit in them and refuses to fix it.[/QUOTE]
The difference is that they have; it's just that carriers refuse to update the OS.
[QUOTE=Juniez;46937672]all they have to do is make the patch available, not ensure 100 percent adoption[/QUOTE]
The point was that if Google hadn't acted like pre-schoolers, the patch would be available for people to get before/immediately as people knew the fault. That way the only people at risk would be the people not updating, and the people who are slow to update would have more time to do so before people were ready to take advantage of it.
I generally like Google, but this is one of the dumbest things they've ever done; their initiative is not as important as the mountains of people that could have been left vulnerable.
The point of the 90 day deadline is to say to the devs "fix it as soon as possible", not "oh here's a problem we found, you should probably fix that". Google here was showing that it means business, that they are not just bluffing. Google wanted it fixed [B]within[/B] 90 days, not in 90 days.
[QUOTE=redsoxrock;46940062]The point of the 90 day deadline is to say to the devs "fix it as soon as possible", not "oh here's a problem we found, you should probably fix that". Google here was showing that it means business, that they are not just bluffing. Google wanted it fixed [B]within[/B] 90 days, not in 90 days.[/QUOTE]
Google's program is [b]not as important as the security of millions of people[/b]. The entire point of their program is to force teams to fix security holes faster, and Microsoft being 2 days late on a deadline is not going to destroy the entire value of their program. All they've ended up doing is compromise the security of millions of people as part of their program to encourage better security. Good job, Google!