Google Releases More Windows Bugs
An anonymous reader writes: Just days after Google angered Microsoft by releasing information about a Windows security flaw, they've now released two more. "The more serious of the two allows an attacker to impersonate an authorized user, and then decrypt or encrypt data on a Windows 7 or Windows 8.1 device. Google reported that bug to Microsoft on Oct. 17, 2014, and made some background information and a proof-of-concept exploit public on Thursday. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the bug has not been patched." Microsoft says there's no evidence these flaws have been successfully exploited.
No evidence (Score:2, Funny)
Microsoft: "There's no evidence these flaws have been successfully exploited."
Google: "Then why are you wearing that fake mustache and goatee?"
Re:No evidence (Score:5, Insightful)
FTFY.
Re:No evidence duhh (Score:2)
"Microsoft says there's no evidence these flaws haven't been successfully exploited."
Regardless of their meaning, that's a ridiculous thing to say; obtaining evidence to show the flaws haven't been exploited is infeasible. It's like saying there is no evidence proving that god does not exist.
YET... (Score:2)
>> Microsoft says there's no evidence these flaws have been successfully exploited.
Re: (Score:3)
"...so we're going to wait until the bot herders have sucked in a few million more machines before bothering to patch it."
WHAT is WRONG with you, ms?? If I'm reading that right, google is doing precisely what is necessary to light a fire under MS's ass to get the bugs fixed. It isn't really even that. They're basically telling us they don't consider it to be a big deal until it starts getting exploited. By making that comm
Hope the trend continues. (Score:5, Interesting)
Free markets! Competition!! That is what made America, what it is.
I wish such fierce competition existed in all spheres of the economy.
Re: (Score:3)
Sitting on a Mac Pro here at work, I'd say let's just have Apple fix Yosemite bugs and problems. Not worrying about a dust speck in someone else's eye while they have a two-by-four in their own.
Re: (Score:2)
Apple won't fix shit. Their team doesn't have the experience to deal with the complexity MS has to deal with. Jeez, they couldn't even make iOS 6 run smoothly on the 3GS phone, which turned most of those phones into slow ass pieces of shit. Don't get me started on the last big iOS release or the map issues they encountered!
Mac deals with a very limited scope of hardware and a limited number of permutations, which in turn reduces the complexity of any patch. MS on the other hand has to deal with billions of p
Cryptonomicon: Shanghai Banks (Score:4, Interesting)
I'm reminded of Neal Stephenson's description of Shanghai banks on the eve of World War 2:
Continue reading ... [cryptonomicon.com]
ever call support? everybody does it (Score:2)
"he did it! he did it!" yeah, they're taught that song at birth.
Re: (Score:3, Insightful)
THIS is the issue. NOT finding and disclosing.
Both times MS has had a fix ready (last time) or in the pipeline (this time, fix started but not ready due to bugginess).
"90 days, or DIE!!!" Rules should have exceptions, especially if the companies have been responsive AND have good reasonable reasons for a delay - which does include MS.
Disclosure for a bug that's being worked on? While refusing to fix bugs in your own software?
Bad Google BAD! *Smacks the nose*
Re: (Score:3, Insightful)
In all seriousness, when the hell did we vote an advertising company as the security czar for the Internet?
Not only is releasing right now stupid - patch Tuesday isn't for another month, so they've just done maximum damage - but we've seen what happens when outside forces try to rush MS security patches. Things get broken in hilarious-but-awful ways.
When you're dealing with a codebase as large as Windows and have to maintain compatibility across an impossibly large array of
Re: (Score:2)
Boo hoo. So the alternative is to allow Microsoft's entire customer base to be hacked at will, because Microsoft doesn't want to dedicate the resources necessary to resolve a coding issue within 90 days? Security by obscurity.
Re: (Score:2, Insightful)
Sometimes you need to dig through code and figure out what the hell's going on so you can figure out why it's broken and fix it. And it's not like Google is the only one submitting bugs.
Re: (Score:2)
Posting notices of critical security flaws after giving a company 90 days to fix them is security researchers' way to tell CORPORATIONS how IMPORTANT it is to design and release secure products.
If you don't do it, marketing will say that security flaw X can't be fixed because too many customers depend on the "insecure" feature. And the COO will say, "why can't you reveal it one year later, so we don't have to hire 12 people to get a fix within 90 days? We can hire 3 people instead." Eventually, some
Re: (Score:2)
You should probably know that you cannot hire 12 or 3 people AND get them up to speed enough to fix the bug in 90 days. It'll take 30 to 60 just to hire them.
There does need to be some kind of deadline or too many corporations will just pay a bit of lip service and forget all about it, but not everything fits neatly into a 90 day window that starts with no warning.
Google is developing quite a rep for being impossible to reason with (literally, there exists no contact available to mere mortals for anyone who
Re:Hope the trend continues. (Score:5, Insightful)
Microsoft was informed of the issue, and developed a patch, but it was due to Microsoft's own internal policies that the patch could not be included in the monthly update. There was probably some internal cut-off date or some other bureaucratic bullshit that prevented it. Google doesn't care about Microsoft's internal BS. Why should it?
Microsoft could have released the patch as an out-of-band update. Google wasn't insisting that it be released on the monthly schedule.
Re: (Score:2)
It's an automated system? Who automated it? The passenger you refer to didn't design the elevator. It was Google's decision to create this process.
Microsoft developed a patch, but didn't do it quite right and missed last Patch Tuesday. People in software make mistakes all the time.
Microsoft established Patch Tuesday for reasons, primarily to allow admins to plan testing of security updates and the like. You're saying Microsoft has to abandon that because Google can't automate a process decently.
Re: (Score:3)
As the article you linked suggests, what good would a fix do? The whole reason that someone might still be running 4.3 or below is that the phone manufacturers do not push updates. Google could fix 4.3 and below, but the manufacturers are no more likely to push that update than they are to just push a higher (and thus supported) version. The vast majority of people installing their own firmware aren't going to cry over 4.3, either. Why install a custom ROM with an obsolete Android?
Re: (Score:2)
Why install a custom ROM with an obsolete Android?
I still install new custom ROMs with obsolete Android because it runs much smoother on my obsolete hardware. (I'm only addressing your last question here, I don't really have an opinion one way or the other about the rest of the post)
Re: (Score:2)
If Google fixes it in AOSP then you can at least grab a fixed version with Cyanogenmod or other custom builds. At least for tech folks the main thing holding them back from moving up may be device drivers for the newer kernel.
Re: (Score:2)
Call it an act of faith.
If patching old code does motivate even one vendor/carrier to get off their arse and release a security update then success...
Re: (Score:2)
Re:Hope the trend continues. (Score:5, Insightful)
"Except without the public posting of them."
Except the menace of the public posting seems to be the only way for the vendor to move forward.
It is my bet that if Microsoft had been making their best effort to patch the bug and keeping Google informed about it and the expected resolution time, they wouldn't have released the information.
Re: (Score:3, Informative)
Someone who didn't read the article. One of the comments in the 'more serious of the two bugs' indicated that Microsoft INFORMED them that the patch was lined up for January, but was pulled and rescheduled for February. You lost your bet, by Google's own bookkeeping. Try for another?
Re: (Score:2)
What if the check was in the mail and the dog did eat your homework because you got pizza grease all over it and he loves pizza too?
Or would you prefer reading about how a security patch made you think you were fixed but wasn't, or even how it bricked your system because, instead of a few more weeks to get it right, they had to rush it out?
Re: (Score:2)
If the company had a history of never patching vulnerabilities or even being spotty and refusing to support new products, then it makes sense to out them immediately.
But Microsoft has been issuing monthly patches for supported versions of Windows for years.
Yes, they'll delay or rescind a patch once in a while when it breaks things. Any company can be in that position though, and that's OK too provided they reissue a good patch when it's ready.
Instead of publishing exploit details and POC code automatically
Re: Hope the trend continues. (Score:3)
Those who might exploit the bug won't wait for the vendor to get its act together.
Re: (Score:2)
I'm curious if the exploits can be used to correct the encryption installed by ransomware criminals.
Re: (Score:2)
The sample exploit code is necessary because the corporate response after "I need more than 90 days" is "oh, it's not a serious security bug".
Re: (Score:2)
This is necessary if the vendor blows off the bug report. It is not necessary if the vendor is actively working on the problem and has a scheduled fix release date.
Re: (Score:2)
And how do you prove they're working on the problem in a manner which will result in a quick resolution? Instead of hiring minimum wage flunkies to take calls and say "We're working hard on the problem. It's just a matter of weeks...".
Re: (Score:2)
That's what Microsoft's response was to one of the security bugs. And then they started bitching after Google produced an exploit based on that "trivial" bug.
Re: (Score:2)
It's much cheaper to have someone else do it?
90 days may be a little short (Score:5, Insightful)
but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.
90 days is really long (Score:5, Informative)
But CERT Also Allows Variances (Score:2)
90 days is really long. The US CERT vulnerability disclosure policy is 45 days as described in http://www.cert.org/vulnerabil... [cert.org] (see that for more details). The problem is that you have to balance two conflicting needs; in the words of the CERT, "the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively."
It's definitely a fine balancing act, and regardless of your opinion on the Google vs Microsoft disclosure debate, I am glad that we are having a public debate about it.
Vulnerabilities cannot really be effectively categorized (look at the attempts from MITRE, for example). Some are due to simple programming errors and can be fixed and rolled out immediately. Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior. A one-size-fits-a
Re: (Score:2)
Some are deeper architectural problems that, even if an "easy" fix, have a whole ecosystem of software built around that wrong behavior.
Google, and the world, do not have an obligation to tolerate Microsoft's willingness to market a fatally flawed product because a whole industry "expects" to take advantage of an insecure feature. It is no different than a fatally flawed skyscraper design. When such a building or bridge comes about, the world doesn't require architects or engineers to keep quiet about a safety flaw because people already use it. The owner/design company is required to produce an effective correction to the problem, or th
Re: (Score:2)
I'm no fan of MS (and I'm sure my posting history will bear that out), but there are other considerations here. No, MS shouldn't get a complete skate on this. They have proven that they need their feet held to the fire to get things to happen. BUT, there needs to be some slack in the system. If they appear to have been working on the problem in earnest and have a release plan, it's worth giving them time to complete it.
Unlike a building with a flaw, there aren't lives at stake here and releasing the details
Re: (Score:2)
But what gives Google the right to do what they're doing?
What right? The right for the general public to utilize computer products SAFE from thieves and infrastructure terrorism.
They're just as guilty as Microsoft when it comes to security problems and shitty insecure software. Why should they spend their money on announcing other people's flaws, rather than fixing their own?
They are guilty of the same security problems and shitty software. And they should be punished in the commercial markets the same way as Microsoft. If they commit the same crime as Microsoft, they should suffer the same penalties. NOT be complicit in covering up competitors' crimes, because they're criminals too.
Especially when Microsoft already has fixes pending and just needs a bit more time to ensure they don't cause even worse problems?
Who honestly thinks that forcing someone to rush out a less-tested patch is a good idea, just because Google has a hard-on for playing the fake superhero?
Microsoft has not always been diligent in correcting security problems, and I'
Re: (Score:2)
90 days is really long when you don't have a massive base to run testing and regression against. Let's just say that the fix is adding a bounds check to the input for a single function. The engineer assigned to the bug adds the bounds check and unit tests to make sure it behaves now. The fix is submitted to the build queue for the (let's say nightly) run to generate the next patch set, and the next production build for Windows. Now QA gets it, and being that this particular item failed for an input, th
Re:90 days is really long (Score:4, Insightful)
I am going to nitpick on your analysis, but I have zero sympathy for Microsoft having (hypothetically) a test system that takes hours to provide a result. This is a company with billions of dollars available to it. Invest in more test hardware if the test systems take too long to run.
Re: (Score:2)
Nine women cannot make a baby in a month.
Re:90 days may be a little short (Score:4, Informative)
but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.
From the article:
In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.
"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."
The next Patch Tuesday is scheduled for Feb. 10.
So 90 days is an appropriate time to wait but not 106 days?
It's not like MS was sitting on their hands; they made a patch but found problems in QA and had to do more work to get it working properly. I don't see the rationale for Google maintaining the hard 90 day deadline. Maybe extensions allow some complacency on the part of the developer, but you're still not going to see them sitting on issues for months or even years on end. Meanwhile, by publishing now, Google has created one of two scenarios: 1) users are going to be left vulnerable to unpatched zero-day exploits, or 2) users are going to break their systems by installing broken patches.
It's not clear to me how this is better than sitting on the issue for another 26 days.
Re:90 days may be a little short (Score:5, Insightful)
This is a situation where the "slippery slope" argument really does apply. If Google is just going to sit on bugs until the vendor patches... they're going to end up with bedsores. And no one likes bedsores.
Instead, they embarrass the vendors a couple of times, and once heads are pulled out of asses and people realize they're not screwing around, they start taking these things seriously.
That's my guess, anyway.
Re: (Score:2)
If the vendor isn't responding, sure, publish after 90 days. If the vendor makes a habit of asking for one-month extensions indefinitely, publish. If the vendor has specific plans and schedules, and has a history of doing more or less the right thing, which describes Microsoft here, sit on the disclosure for a little more time.
Re: (Score:2)
From the article:
In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.
"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."
The next Patch Tuesday is scheduled for Feb. 10.
So 90 days is an appropriate time to wait but not 106 days?
It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly.
Technically, it should have been in the November patch set, they should have found the compatibility problem in testing (as they did), and the revised patch should have been in the December patch set. Then the clock would have run out.
So basically they *did* sit on their hands -- for two months.
Re: (Score:2)
but in principle I agree with what Google is doing. In effect they are trying to destroy the market for zero day exploits and forcing the companies involved to not sit on their hands and hope nobody uses them... like cybercriminals and the various three letter agencies.
From the article:
In the bug tracker for the impersonation vulnerability, Google said it had queried Microsoft on Wednesday, asking when the flaw would be patched and reminding its rival that the 90 days were about to expire.
"Microsoft informed us that a fix was planned for the January patches but [had] to be pulled due to compatibility issues," the bug tracker stated. "Therefore the fix is now expected in the February patches."
The next Patch Tuesday is scheduled for Feb. 10.
So 90 days is an appropriate time to wait but not 106 days?
Here is what Google used to say (circa 2010), from most of the same people who make up the Project Zero team (Chris Evans, Michal Zalewski, and others) AFAIK.
Rebooting Responsible Disclosure: a focus on protecting end users [blogspot.ca]:
Update September 10, 2010: We'd like to clarify a few of the points above about how we approach the issue of vulnerability disclosure. While we believe vendors have an obligation to be responsive, the 60 day period before public notification about critical bugs is not intended to be a punishment for unresponsive vendors. We understand that not all bugs can be fixed in 60 days, although many can and should be. Rather, we thought of 60 days when considering how large the window of exposure for a critical vulnerability should be permitted to grow before users are best served by hearing enough details to make a decision about implementing possible mitigations, such as disabling a service, restricting access, setting a killbit, or contacting the vendor for more information. In most cases, we don't feel it's in people's best interest to be kept in the dark about critical vulnerabilities affecting their software for any longer period.
Somewhere along the way they appear to have lost their senses, and enshrined 90 days as some written-in-stone deadline that makes no sense and is counter to their stated objectives.
Announcing Project Zero [blogspot.ca]
Re: (Score:2)
I wouldn't be surprised if there was a "give an inch, take a mile" kind of situation, where they tried allowing some flexibility and got into a cycle where the vendor kept requesting more time each time around.
Re: (Score:2)
It's not like MS was sitting on their hands, they made a patch but found problems in QA and had to do more work to get it working properly.
And you actually believe that?
Many times, patches are just punted to QA even though the developer knows full well that they're not going to pass QA. After all, I should know, I'm a software developer myself. Also, I can tell you that finishing the last 10% of a project is always the hardest part. Maybe it's because we naturally like to work on the easiest parts of a problem first, or maybe it's because we don't actually start understanding the real requirements until we're almost finished with the projec
Re: (Score:2)
The only reason it's 106 days is because Microsoft doesn't send out patches when available but makes them 'convenient' on Patch Tuesdays. If they felt like it, they could release that patch today.
Re: (Score:2)
No.
In effect, and in actuality, Google is being competitive.
Re: (Score:3, Insightful)
If it can install itself when someone doesn't have admin rights, it's malware.
You must hate *nix.
Re: (Score:2)
Can it, though? I would imagine it writes to the user's home directory, which does not require root. Nor does running executable files owned by that user.
Re:90 days may be a little short (Score:4, Informative)
One with user-writable locations not mounted noexec?
"To the best of our knowledge" (Score:3)
> Microsoft says there's no evidence these flaws have been successfully exploited.
Cleverly worded sentence intended to leave the reader with the impression:
"We don't know that there has been a breach, therefore there hasn't been a breach"
when it really means...
"We don't know squat about whether there has been a breach. Maybe all hell has broken loose, and there's no evidence to contradict that either."
Monty Python (Score:2)
I’m reminded of the old “blackmail” skit from Monty Python. Just with less of Terry Jones’ ass hanging out at the piano. I like it!
So I have a question (Score:2)
Re: (Score:2)
No, but maybe Microsoft should. What's good for the goose.
Why in hell is Google doing this? (Score:2)
Releasing Windows bugs is Microsoft's job.
Re: (Score:3, Insightful)
Like Bing doesn't sell data it collected either.
Re: (Score:3)
"And that fact negates the OPs comment how?"
By stating that since Microsoft business practices equal those of Google and then more, it can't be followed that Google is any more evil than Microsoft.
Signed: Captain "So I thought" Obvious
Re: (Score:3)
Because the claim was "they're probably MORE evil" which is a relative claim and hence "they do it too" is in fact a valid argument.
Re:Evil corporation cage match! (Score:4, Insightful)
Re: (Score:2)
For now. For example, Microsoft no longer sells a non-service version of MS Office.
Re: (Score:2)
WUT?
You can buy 2013 in non-subscription, non-365 versions.
Re: (Score:2)
Last I heard, they still sell Office 2013, though they're trying to push 365.
Re: (Score:2)
That's one theory, sure.
Re:Evil corporation cage match! (Score:4, Informative)
I can only assume that Google sells a lot more information.
Google collects information. Google uses that information to determine what ads to show users. But unlike other companies, Google does NOT sell that information.
Re: (Score:2)
Re: (Score:2)
I think long term Google will be worse than MS since it owns access to information and online marketing. At least with MS, you had alternatives. With Google, if you don't use Google to advertise online, your target audience won't find you.
Re: (Score:2)
I love the Ellen Degenerate show and stuff.
Re: (Score:3)
This is degenerate behavior.
Years (decades, now) ago, it was normal to publish vulnerabilities and exploits and discuss them and (try to) force vendors to act.
What is happening now is degenerate.
FTFY (Score:3, Insightful)
I mean the whole point of doing these types of investigations is to slap the competition in the face.
Re: (Score:2)
Microsoft says there's no evidence these flaws have been successfully exploited.
I mean the whole point of doing these types of investigations is to try and prevent exploits from getting out into the wild.
Exactly; which is contrary to Microsoft's position that they don't fix something unless there is an exploit in the wild...
Re: (Score:2)
Google is inserting itself into other's business, when they should be concentrating on their own issues.
When Microsoft fails at security, it impacts Google's core business...
Re: (Score:2)
If that was true, then they would be working with Microsoft to improve their security, not making it worse by automatically disclosing vulnerabilities when the patch is forthcoming.
I think waiting 90 days for the company whose last CEO said he would "fucking kill" google to fix their shit software is pretty generous.
then I fail to see why Microsoft should have to be beholden to Google's asinine 90-day cut-off when even Google doesn't fix its security bugs within 90 days in many cases.
Yes, Google's 90-day cut-off is asinine: It's twice CERT's standard [cert.org], for example. If we really want these bugs fixed, Google should be disclosing them much earlier.
Re: (Score:2)
Because some jackass CEO blustered, Google has the right to fuck over MS end-users by arbitrarily demanding that MS prioritize their security reports over all others?
Well, no. Because some jackass CEO blustered, I will rub my hands together and chuckle with glee every time Google releases an old, old bug report with security ramifications for their stack of crap. It's Microsoft fucking over the end users, by dropping such a stack of crap on them and then refusing to be responsible about security. If Google can find these bugs, then so can dedicated attackers.
And of course only MS deserves this treatment, because they're MS! Google's vulnerabilities can languish for over 90 days without being disclosed, because they're Google.
If Microsoft wants to find security holes in Google software, and report them after 90 days, then I'm sure Google
Particularly given their Android response (Score:3)
"Oh that's an old version, we aren't going to patch the bug." Really? That's an acceptable response that something that's 3 years old is too old to patch? But somehow, taking 100 days to patch a product that's 5 years old (in 7's case) is too long? Much easier to deal with patch issues if you just declare you only support the latest greatest and require everyone to upgrade all the time, no matter the issues.
MS's response is particularly understandable given the complexity of doing regression testing on the
Re:Particularly given their Android response (Score:4, Insightful)
The other option is that Microsoft could acknowledge reality - they are not fixing things fast enough to resist targeted attacks. MS's statement about it "not being seen in the wild" demonstrates that they don't understand the current state of exploits. Google's hypothetical attacker is one who will go to lengths to keep an exploit from being used specifically so that MS won't fix it. Also a monthly schedule for updates is a huge liability against such an attacker, as they know their window of opportunity. MS is stuck in the old model that an exploit is not important unless it has been seen in the wild. While that is all well and good for preventing worms from spreading (and therefore protecting MS's image) it is not good enough to protect your company's data from a targeted attack that can buy or discover a zero-day vulnerability. That is reality.
Another way to look at it is that people using MS stuff have chosen interoperability over security. Thus the longer patch testing cycle, and the once-a-month updates. Therefore they shouldn't be surprised when it is demonstrated that... they chose interoperability over security.
Re: (Score:2)
Which is not a good excuse for providing guides to exploit a vulnerability when the vulnerability is being addressed by the vendor. That stuff is for vendors who ignore vulnerabilities.
It takes Microsoft time to get fixes out there, and that does have some unfortunate implications. However, being too specific about the bugs makes it easier for more people to exploit them, before the poor users can get a patch.
To put this another way, you may consider Microsoft's security inadequate, but that's hardly
Re: (Score:2)
I am glad Google is sticking to their policies. 3 months is easily enough time to deploy a fix.
As one of Microsoft's end users, I'd much rather be faced with the quantifiable risk of deploying a patch than the unquantifiable risk that every system I own has been compromised, any data on them exfiltrated or encrypted and used to hold me to ransom, and the possibility that my systems have been used to attack others.
For all we know, Microsoft could be playing a PR game by developing patches and then holding th
Re: (Score:2)
Re: (Score:2)
Obviously posted by someone who doesn't work in software development, or has to deal with the fact the software needs to work in millions of configurations and with interdependencies.
Wrong, and wrong.
Plus, the bugs need to be investigated for the root cause. Patching over the flaw doesn't help things since it leaves the vulnerability open.
Yes, thanks for stating how security fixes are supposed to work, in case we all thought Microsoft was going to slap a bandaid on it and call it good.
See shellshock
No. Why are you referencing a completely different vulnerability not even managed by the company? Because they're both vulnerabilities? Because there's a risk someone didn't fully fix an issue once, therefore no one can in future? Newsflash for you: Microsoft has fixed vulnerabilities with the same root cause multiple times over the years.
Like say, shellshock
Do y
Re: (Score:2)
Not everyone wants to follow your ridiculous upgrade cycle.
bug fixes are NOT upgrades. bugs are flaws because they were careless and did NOT do proper testing. bug fixes should be pushed out in days, not months. what google is doing is exposing their poor practices.
Re: (Score:2)
Guess how I know you don't have applicable experience or knowledge to make that comment.
Re: (Score:2)
What I'm wondering about all this is, why is Google mud slinging? I can't seem to find a good reason for it. Google only has 2 areas of competition with MS (mobile and search engine). Is Google threatened by the 3% market share MS has?
Re: (Score:2)
Yet another clueless consumer who doesn't understand the nature of computer security, braying their pronouncement of what Google should do.
What's missing in the real world is a litigation avenue where (security) negligence by a (software) company can be addressed as a class action suit. Now picture companies like Target going bankrupt for their security miscalculation in court, rather than the business hit it took for being publicly embarrassed. Or picture a major bank going under because of their secur
Re: (Score:2)
Re: (Score:2)
Apple >>>>>>>>>>>>>>>>>>>>>>>>>>>> Google > Microsoft > Blackberry
Re: (Score:2)
Re: (Score:3)
It should read "Google discloses more Windows bugs."
Re:Is that a typo? (Score:5, Informative)
From the bug link:
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Re: (Score:2)
That's an inappropriate comparison. (Score:3)
Talk about blatant extortion... Perhaps Google should be more concerned about patching the 1,001 vulnerabilities in Android before casting stones at others.
For example, how about this: http://www.extremetech.com/mob... [extremetech.com]
That's an inappropriate comparison.
To patch that vulnerability would require the ability to update Android on existing handsets.
For this to work, the handset manufacturers would have to provide a new version of Android for the given handset.
For this to work, the Android development model of "partner, not Google, productizes Android" would have to change.
For this to work, there would have to be ongoing development on an older hardware platform.
For this to work, there would have to be carrier involvement in ce
Re: (Score:2)
You mean like Apple can on iPhones and MS can on Windows Phones?
I don't have to wait for Dell to provide a new version of Windows for me to patch a security vulnerability.
Re: (Score:2)
and Google is not in a position, as an OS supplier, rather than a phone vendor (which is what Apple is), to force changes in operational model into the carrier or the partner device vendor.
You're full of shit. Google has already been caught forcing all Android vendors to bundle Google's proprietary shit so that they can spy on users' data.
"Just an OS Vendor" .. lol.. what a joke.
How does a trademark licence agreement for the use of the "Android(tm)" trademark conflate with them being able to magically update the firmware on phones for which the Android team at Google does not even have full source code, and which the carriers would require recertification for use on their network?
Or do you really not understand how that bundling is achieved through the trademark licensing agreement?
Re: (Score:2)
Re:Playing with fire... (Score:5, Interesting)
MS still holds a lot of Android patents. They can easily do an Apple and forbid use of them, which will completely paralyze Android.
What, you mean all those patents that the Chinese outed and nearly the entire tech world found to be not relevant, save about as many as you can count on your hands? Yeah, that's really going to stop Android...
Re: (Score:2)
Uh, isn't that what Google's proof-of-concept does - demonstrate the flaw being successfully exploited? Does Microsoft need to see N. Korea exploiting it before they believe it's real?
If you personally create a remote account for a North Korean spy and he uses this exploit to see your power control settings, you really were asking for it. Not sure what, but something.