Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Windows Google Microsoft Security

Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft (venturebeat.com) 101

An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems.In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
This discussion has been archived. No new comments can be posted.

Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft

Comments Filter:
  • I found the final sentance a little confusing. Does this affect all versions of Windows, or just older ones?
  • by Luthair ( 847766 ) on Monday October 31, 2016 @02:01PM (#53186161)
    Interesting this comes mere days after the story that Google sat on an Apple vulnerability for 5-months? Though maybe given this is being actively exploited the treatment is justifiably different...
    • by bigdady92 ( 635263 ) on Monday October 31, 2016 @02:05PM (#53186201) Homepage
      Apple Market Share: 3-5%
      Windows Market Share: 90%
      Everything else: Math%

      Google wants to put as much pressure on MS to get them to fix the problem as quickly as possible as this vulnerability affects the largest market share of Google's Product.

      We all know all those windows users will blame Chrome for infecting their machine Because Reasons(TM) so let Google force MS into fixing this issue ASAP.

      Apple's vulnerability? Who cares, it affects a microcosm of Google's user base.
      • by AmiMoJo ( 196126 ) on Monday October 31, 2016 @04:19PM (#53187141) Homepage Journal

        No, the difference is that the Windows exploit is being actively used in the wild by malware. It's better to know about it so we can mitigate the risk as much as possible.

        In Apple's case no-one was taking advantage of the flaw, as far as we know, so it was better to keep it quiet while they fixed it.

      • The goal of keeping mum on security vulnerability until the vendor fixes it is to prevent potential attackers from learning about the vulnerability. The discoverer decides that users of the software are better off not knowing about the problem because they'd rather attackers don't know either.

        Here, according to TFA, there are already exploits in the wild. In that situation MS users are already at risk; Google keeping mum can only hurt them (by keeping them ignorant of the vulnerability) but won't help (be

        • by rtb61 ( 674572 )

          Technically speaking also there is the problem of criminal negligence and the culpability that arises from that ie you knew about the fault, you did not tell me and I suffered as a result, that fault now lies with those who kept the risk secret from me. Now that really brushes up super close to wilful culpable criminal negligence. Face the reality, software programmers have got away with a shit bucket ton of stuff they should never have got away with and the law is catching up to them.

      • Apple Market Share: 3-5% Windows Market Share: 90% Everything else: Math%

        Not in phones, tablets, servers, supercomputers, etc.

    • by tlhIngan ( 30335 )

      Interesting this comes mere days after the story that Google sat on an Apple vulnerability for 5-months? Though maybe given this is being actively exploited the treatment is justifiably different...

      Probably because it's exploited.

      If it wasn't exploited, Microsoft has a full 90 days. As it is exploited, well, telling doesn't really hurt anyone - they gave Microsoft a heads up and well, telling people about it doesn't really hurt anyone.

      The Apple one probably wasn't exploited so Google gave extra time knowing

      • by Luthair ( 847766 )
        Depends on how widespread it seems to be really, if there are relatively few instances then it might make sense to not publish it make the entire world aware of it.
  • by Anonymous Coward

    Everyone has vulnerabilities, because there are just too many inconceivable ways that protective measures might be bypassed. As such, teamwork between providers is the key; just because the other guy's platform is doesn't mean yours can't also be sunk, especially in this interconnected world of botnets.

    If this vulnerability wasn't part of the fixes in last patch Tuesday Google - OR anyone - should keep their mouths shut until the provider has had a chance to patch it, and patch it right. There's nothing wor

    • by Sun ( 104778 )

      They should keep their mouth shut or else what? The bad guys will start exploiting it?

      Read the summary. The bad guys are already exploiting it.

      Shachar

  • "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

    How in the hell does anyone find this shit to start with? Where does one begin when trying to find bugs and vulnerabilities? Do these folks spend day in and day out sitting on a shitbucket, eating Cheetos and Monster and have absolutely no freakin' life???? SMH....

    Oh well, keeps me busy in my line of work...

    • by Greyfox ( 87712 )
      Oh, that's easy. When the companies audit their code to get their security ratings for government contracts, they report their findings to the NSA. Then, the Chinese and Russian hackers hack the NSA and download the reports. Then, when the Russian and Chinese hackers defect to Europe, they bring those reports and hand them over to the GHCQ. Along with, I'm going to say, plutonium. Hi guys! Anywhoo, then the GHCQ outsources writing the code to exploit the weaknesses detailed in the reports to India or Pakist
    • My guess: they probably have the source code to Windows.
    • First it starts with having an understanding of what's going on. Then it continues with realizing that an assumption isn't necessarily true, and finishes with finding a means to force that assumption to be invalid.

      One of my favorite exploits is a privilege-escalation issue on very old Linux systems. In short, you run a program that crashes and drops raw memory into cron's job folder, and when cron looks at the dump, it sees something that looks like a job spec, so cron happily runs whatever was in that memo

      • Then it continues with realizing that an assumption isn't necessarily true, and finishes with finding a means to force that assumption to be invalid.

        Back in the mid 80s, I did some work at JPL with the late Dan Alderson [wikipedia.org]. Generally speaking, an if/else if sequence ends without another if because all possible cases have been listed. Dan, however, would use a final if, specifying what should be the only possible situation, with an else aborting the program with the comment "1 = 2" to indicate an unexpected

  • Is the policy (Score:5, Insightful)

    by Anonymous Coward on Monday October 31, 2016 @02:04PM (#53186193)

    Vulns. already being exploited in the wild are published 7 days after reporting it to the vendor. This is nothing new and is Google's policy on this (dated 2013).
    See: https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html

    Sleazy attempt to paint Google in a bad way. This flaw is already being exploited, the bad guys already know about it!

  • by Anonymous Coward

    The VentureBeat article has been updated with a response from Microsoft:

    "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

    What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible." They all routinely release immediate updates for critical exploits. I think even Cisco's IOS has a better track record than Windows in time-to-fix for critical vulnerabilities.

    • by Etcetera ( 14711 ) on Monday October 31, 2016 @04:08PM (#53187049) Homepage

      The VentureBeat article has been updated with a response from Microsoft:

      "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

      What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible." They all routinely release immediate updates for critical exploits. I think even Cisco's IOS has a better track record than Windows in time-to-fix for critical vulnerabilities.

      I might be wrong, but it seems like that's a crack at the security issues within Google's Android ecosystem...

      MS isn't the one that let it get to a point where a bazillion hacked devices without updates are in the field a mere year or two after hardware was released.
      XP had support for 10 years.

    • What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible."

      True. Very true. However, strictly speaking, only Apple and RHEL have customers.

  • by Jonathan P. Bennett ( 2872425 ) on Monday October 31, 2016 @04:23PM (#53187175)

    Once actively exploited, the proper response is to publicly announce the exploit. This is standard and acceptable practice. Someone is grinding an anti-google axe on this non-story.

  • FTA: "A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated."

  • by Sun ( 104778 ) on Tuesday November 01, 2016 @01:46AM (#53190117) Homepage

    To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild.

    How does that make matters worse? Exploit being used in the wild is the standard reason to expedite public disclosure. If the bad guys already know about the bug, there is no sense in keeping the legitimate users in the dark.

    Shachar

  • this security issue is found, reported, confirmed to be exploited in the wild.
    yet MS will release a patch next week...

    no comments on this? i mean, that local exploit on linux (dirty cow) was patched in an instant and every major distro had the patch available within a day.

news: gotcha

Working...