Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 73
An anonymous reader quotes BleepingComputer:
Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.
Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...
Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...
Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Re: (Score:1)
I applaud Google for helping to keep users safe. If you currently use IE or Edge, you should be using something else.
Kafka said it (Score:2)
You become what you hate. It's an astonishingly true aphorism for many reasons. And google is on the path to becoming the new uber asshole.
Unnecessary (Score:1)
Okay, I get the general principle of disclosure - users are at least aware of the issue and can take steps to protect themselves, plus it puts pressure on the supplier to fix the problem thus again benefiting users - but in this case that doesn't make any sense because surely Edge doesn't actually have any users? Are there really people who don't know there are other browsers?
Re: (Score:2)
The discussion in this thread is about users protecting themselves. Work computers are irrelevant: if your work computer is taken over by hackers, so what? If you were putting your personal info on there, that's your own dumb fault. It's not your computer, it's your employer's. The only thing that should happen when your employer's computer gets hacked is your employer suffers data loss and other problems, not you. You only need to notify the IT department that your computer isn't working right and let
What am I missing? (Score:5, Interesting)
Ok, there is no information as to why this would affect any version other than the 64-bit IE that the guy tested. Especially since Edge *supposedly* uses a separate codebase, and this is an exploit in the MSHTML engine anyway
Single process mode? (Score:1)
By default IE spawns multiple processes for tab isolation (like Chrome)
Re: (Score:1)
Edge wasn't a clean rewrite. It's a fork from the IE codebase.
This might be payback... (Score:5, Interesting)
For all of those "Chrome is draining your battery faster than Edge would" notification messages in the Windows notification center when you use Chrome with Windows 10.
That tactic just seems slimy to me. It seems that Microsoft is once again trying to exploit their near monopoly of desktop PC OS's to regain browser market share.
Re: (Score:1)
This is as it should be. Competition, and competitors pointing out the flaws in each others products. That creates more pressure to fix fast - and to test before sw products go out the door which may avoid such embarrasments entirely.
I have no symphathy with anyone wanting/expecting 'grace time' before public disclosure. (Apparently, they got some.) Compare with the open source world, where every exploit is immediately public because the bug tracker is public. You fix a serious error within hours of reporti
Re:This might be payback... (Score:5, Interesting)
If I buy a fridge and the fridge keeps saying "Cottee's codial tastes better than x brand you're using" I would have an issue with that.
I hate that Windows 10 is an advertising vector.
Re: (Score:2)
Ah if only it was that simple.
My work machine is linux mint and is great. My main home pc is dual boot and spends most of its time in mint as well. But there is no substitute for the media editing tools of windows in Linux. Openshot is ok but doesn't hold a candle to CyberDirector. Gimp is not a substitute for photoshop. So in the end I still keep a windows install around.
Re: (Score:1)
This is as it should be. Competition, and competitors pointing out the flaws in each others products. That creates more pressure to fix fast
No, It's creating an annoying and distractive load of bollocks on my notification bar.
Re: (Score:2)
Re: (Score:2)
I'm sorry, but the primary injured party are the users. The manufacturer is at most a secondary victim. So the delay to fix is appropriate. But 90 days is about right. If you hold off forever an unscrupulous manufacturer would just let the problem persist, and once it becomes known to the criminals, it WILL be abused. 90 days may be too long, because they might have found the problem even before Google did, but you need to allow the manufacturer *some* time to fix the problem, because they aren't the p
Re: (Score:1, Informative)
Have you ever done a Google search or used YouTube when not using Chrome. Constant blue bar pop-up up telling you it all works better with Chrome, always comes back even if you press no, time and time again - that is slimy.
Re: (Score:3)
Re: (Score:1)
I'm not seeing this with Lynx.
Re: This might be payback... (Score:2)
The majority of internet users actually.
Re: (Score:1)
Re: (Score:1)
Never get that with Firefox
but but but .. (Score:4, Funny)
Re: (Score:3, Insightful)
Microsoft Edge running under windows is the most secure browser on the planet, Microsoft says so.
As much as it is fashionable to bash MS at this anti MS website I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose it's own bugs.
The problem is anything that executes programs (javascript and flash count even if they are not compiled) from anywhere on an untrusted world wide platform is stupid beyond belief!
Perhaps we can replace javascript once logic can be performed through CSS. Of course at that point I would imagine CSS would then become an attack vecto
Re: (Score:2)
For a long time, this place has been know as the Microsoft slashdot. Do you have anything to say regarding Microsoft's claims regarding the better security in Edge as compared to other browsers?
"Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology
Re: (Score:2)
IE 11/Edge may not be safer. I just feel Chrome kind of has an unfair advantage and I dislike the whole concept we have with the way the web works security wise. If you want a pro MS version of this head to www.neowin.net? Trust me, you will be shocked if you feel this site is pro MS haha.
I go to both sites as I want to hear both sides of stories. There are some on neowin.net who do run Linux in the forums, but it is very anti android and pro MS phone and want exciting new .NET technology or Surface will be
Re: (Score:2)
What is unfair?
Who is stopping Microsoft from starting a similar project to find bugs in Chrome?
Re: (Score:2)
You say "Google won't disclose it's own bugs". I'm not sure I believe that, but I do believe they won't publicize them. But the real question is "Do they fix them?". Of course, that would mean they would need to inspire upgrades...which probably means they would need to disclose the bugs, if not how to abuse them.
OTOH, the was reported a way to evade almost all bugs in recent MicroSoft products ... disable administrator mode. This sounds like it might come with considerable in the way of downsides, but
Re: (Score:3)
Internally "Project Zero" has a second definition - it's the number of Chrome vulnerabilities team members are allowed to investigate.
It's easy to "fix" bugs (Score:1)
When you never test the patches thoroughly......
I've lost track of the amount of times that Chrome updated itself and the new "security enhancements" have broken something irreparably.
There is a reason enterprises use IE, as crappy as it is. MS does do a decent job regression testing.
Re: (Score:2)
On the contrary, the Project Zero team reports bugs to us (I am a Chromium developer), and we fix them. For example, https://googleprojectzero.blog... [blogspot.com] .
So let's take that example. That appears to be the following bug, correct?
https://bugs.chromium.org/p/ch... [chromium.org]
So that bug was reported in January 2014. The patched version of Chromium, M38, was released in October 2014 - much longer than 90 days. Now as far as I can tell, the bug was not made visible to the outside world until October 2014 - am I reading that right? And, if I am, why wasn't it publicly outed sometime in April - the 90-day window Google seems to hold Windows and Mac bugs to?
Re: (Score:2)
Am I missing something? Wasn't the bug report public on January 2014? Do they have an option in their issue tracker to keep bug reports private?
Re: (Score:1)
You don't think they are going public with unpatched Chrome vulnerabilities, no?
Of course people do. They give google the exact same 90 days to respond and release a fix and then go public.
The detail you refuse to listen to is that google actually fixes their flaws within 90 days where microsoft refuses to in most cases, and simply fails to do so even when they say they will eventually get around to it in a few years.
Re: (Score:2)
One hopes that's what's going on, but I don't use Chrome, so I don't follow it closely enough to know. Do *you*? Or are you just being optimistic?
OTOH, Google definitely has a better reputation for fixing bugs than MS does.
Interesting Headline (Score:5, Insightful)
Microsoft fails to patch yet another vulnerability for 90 days?
Right, because isn't so much news as status quo.
These Arent Bugs.. These are features (Score:1)
They are put in the code for use by the NSA...
Disclosure is a tool to get the problem fixed. (Score:5, Insightful)
Microsoft made a choice - to push their big marketing and style changes to all their users by bundling them with necessary security updates. This bad decision means that they can't push out small security-only, no-reboot-required updates on an as-needed basis. It is this profit-driven motive that makes a short disclosure period hard for them. The right way for the world deal with this is keep up the pressure, so they switch back to pushing out small security-only updates as needed when needed; to rebuild their customer's trust that Microsoft's updates won't break people's systems, won't suddenly uninstall legacy software, that sysadmins don't have to put updates through verification because they'll probably break something. This way, vulnerabilities in windows are fixed within days of them being reported.
There is zero excuse for not fixing a vulnerability for 90 days. If something makes it hard for a corporation to fix vulnerabilities quickly, then it is that something that needs to change. Responsible disclosure like this pushes corporations to make such changes.