DAMN YOU! Microsoft blasts Google over zero-day blabgasm

Microsoft has slammed Google for disclosing a security vulnerability in Windows a mere two days before Redmond planned to fix the bug. Google revealed the flaw on 11 January, 90 days after reporting it to Microsoft; the ad giant said the bug can elevate a user's privileges to administrator-level, thanks to some inelegant …

LDS
Silver badge

Re: What's Google afraid of?

Does your memory allow you to read and remember more than one sentence? There is far less variety in phone hardware than in PCs. All of them are built more or less around the same ARM processors, and chipsets for mobile and wifi comms.

Sure, a lot of models with different shells, and little more. A phone firmware is specific to a given phone more for marketing reasons than technical ones. Guess most of the code is the same across a wide range of models, but with a few tweaks to prevent you from "upgrading" a phone by just uploading a different one. Even the PC was a "closed" system until compatible "firmware" aka "BIOS" was created - and most BIOSes can be easily tweaked to work across a wide range of hardware.

There is far less hardware Android has to support compared to Windows or Linux itself, which runs on many more different devices, processors and architectures, and a much wider range of peripherals.

The fact is Google doesn't care about Android as an OS; it only cares that it is cheap enough to be installed on as many phones as possible and funnel data to the Google black hole. If something bad happens, who cares? It's users' data, not Google's. Google makes money "stealing" and funneling data, not keeping the OS updated and safe (unlike MS, which makes money selling software....)

And Google can blame the handset maker... but this policy means there are a lot of vulnerable Android devices around. It's not a technical problem, it's just a financial and marketing decision. Google don't want to spend much money in keeping Android secure.

Using Windows, usually it's the hardware evolution itself that makes older hardware unusable, rather than Windows itself. My last PC has only PCIe slots, so I had to get rid of all the PCI cards. Windows would have supported them without issues. But I'm still using other devices several years old.

If there is something Windows does well, it is legacy support. Sure, you have to choose some good hardware and not crappy cheap ones with bad drivers available only from a producer that will vanish in a few months without ever submitting drivers to MS for WHQL certification....

1
3
Silver badge

Re: What's Google afraid of?

>>"I ran win8 long enough on my machine to get to a setting on the "charms" bar to make a change so I could install Linux. To get to that point, I had to accept the EULA, even though I never intended to use win8. See the problem there?"

Actually, no. If you want to wipe Windows off and install GNU/Linux, why do you need to enter Windows and change settings to do that? You can do anything you need from UEFI.

1
0

If Microsoft is telling the truth and Google decided to stick to its 90 days even though a fix was in place and ready to release on the next patch day, then Google was at least somewhat in the wrong, although I'd raise issue with the idea that you should sit on a patch for a zero-day exploit for weeks just so a designated day can arrive, rather than releasing when it's ready, because people got so fed up with the number of patches your software needed.

5
0
LDS
Silver badge

It's not the number of patches, it's that patch distribution needs to be managed as well. It was sysadmins who requested a paced patch rollout so they can manage it and keep tests and reboots to a minimum. Home systems could receive a patch a day without issues; other systems require tests and time to be taken offline, shut down and rebooted.

Windows Update and WSUS can deliver patches continuously without issues, and Windows can patch itself and reboot automatically when needed. Just, in most situations, you can't really work that way.

MS does release off-cycle patches when really needed, but that means more effort by system maintenance teams to test and apply them.

0
2
Anonymous Coward

You're talking out of your arse, mate. Come back when you've actually worked on Windows.

1
6
LDS
Silver badge

fors...@google.com could be a good researcher...

But he can't write "correspondence" correctly.

0
1
Anonymous Coward

Got to agree with Google on this one

A 3-month deadline for fixing critical security bugs is plenty of time IF you take security seriously.

9
10
Anonymous Coward

Re: IF you take security seriously

See, there is a certain maximum complexity that security bugs have, there is no way for them to be any more complex than this limit and that's how we know 90 days is ALWAYS enough. IF you take security seriously. Which I'm implying MS don't. Because they've left this patch till their regular patch Tuesday instead of doing a special Google Friday release. Which they should do because GOOGLE!

2
0
LDS
Silver badge

Re: Got to agree with Google on this one

IF and ONLY IF that's the only thing you have to take care of, sure - but do you believe people working on Windows maintenance are there just to wait for Google submitting a vuln? Or maybe they are working on other scheduled tasks as well?

Would you like someone interrupting your work and shifting priorities continuously, just because one of your customers yells louder than others, so you must always prioritize its requests or it continually threatens you?

1
1
Silver badge
Black Helicopters

occam

The simplest explanation is that the NSA had intercepted a shipment of Win8 devices, inserted the malware but had run out of sticky tape to re-seal them. Hence the delay, it's obvious innit :)

2
1

Take security seriously

I can understand Microsoft wanting to wait for a convenient date on which a batch of fixes can be released as a single set of updates. No doubt this reduces the cost of production, management and testing of the patches ... and for minor bugs and shortcomings such an approach will be acceptable to most users.

Security issues are different, and deserve to be treated differently. The patches should be produced and released as quickly as possible, and should be independent of (i.e. not held up by) the scheduling of run-of-the-mill bugfixes. Yes, it costs more to do it that way ... but allowing security fixes to go unfixed for longer than is necessary is unforgivable.

90 days sounds an awfully long time to wait for a security fix ... and we should remember that if Google can discover the bug, so can other people. There was no guarantee that the bug would remain unexploited until Google published details. The correct time to release the patch was "ASAP" not "in 90 days".

5
2
Silver badge

Re: Take security seriously

Question is, what if 90 days isn't enough for ASAP? Suppose the bug is intertwined such that fixing it is like untying a Gordian knot?

1
0

Hackers are heroes

If Google wasn't telling me about these holes in Windows, I know Microsoft wouldn't be. Heck, Microsoft wouldn't even have been fixing the holes. I think 30 days is too long to wait for disclosure of the flaws. I could see holding off on the exploits for 45-60 days after discovery.

4
5
Anonymous Coward

That's a bit low ...

... even by Google standards.

2
5

If this were a vulnerability that allowed people to activate Windows without paying Microsoft:

a) There would be no complaining that Google gave them only 90 days notice because there would be a patch ready to go within a week.

b) Nobody at Microsoft would be saying, "Well yes, the patch is ready but we really should wait until 'patch tuesday' to deploy it."

On the other hand, if this were a vulnerability whose disclosure would cost Chrome market share, I'll bet'cha Google could have found it within themselves to wait a couple of days longer.

4
0
Terminator

We already know

There was a DRM break, but not activation a few years ago. Three days. Out of Cycle.

4
0
Meh

Rules are rules

If you say you are going to do something, then do it. There seem to be a lot of downvotes on here from people who disagree with that principle.

Were all the downvoters complaining about Google's policy 91 days ago too? That would have been a more appropriate time to raise your concerns.

4
4
Gold badge

Re: Rules are rules

Probably a lot of the down-voters were complaining about this policy, when Google pulled the same stupid, arrogant, counter-productive stunt last year.

If you say you are going to do something, then do it. There seem to be a lot of downvotes on here from people who disagree with that principle.

OK. I'm going to strangle a cute little puppy every hour, unless someone brings me beer. OK. I've said it now, I've got to stick to it. Does that magically make it moral?

MS have a monthly patch cycle. Which makes their life easier, but also their customers' lives easier. Which is the reason they did it, rather than just releasing updates as soon as they were done. They've been doing it this way for years now.

MS told Google when the fix would get deployed. It doesn't look like a serious enough bug to break their patch cycle, so for Google to release a couple of days before that patch is irresponsible, unreasonable, and a (minor) risk to the security of users.

It doesn't make me think worse of MS. They have improved their security massively in the last 10 years, though it's far from perfect - and all software has bugs. And they certainly earned their shocking reputation in the period before that.

It does make me think worse of Google though. Their arrogance and lack of restraint reminds me of Microsoft of a few years ago. Also their completely piss-poor attitude to Android security means they should be dealing with their own glass house, before chucking stones at other people's. They deliberately set that system up to be a security nightmare. Which was just about understandable when they were trying to grow marketshare, but they've had the dominant hand in their vendor relationships for years now, and while they've acted to defend/gain control of features and data from the vendors by shoving more and more of the gubbins into Google Play Services - they've done fuck-all to address the gaping security vulnerability they've created by leaving patching to the vendors (who they fully know won't do it). At least MS make a decent attempt to test against the more common of their vendors' drivers and customers' software - and set their system up to patch everybody.

8
3
Gold badge
Happy

Re: Rules are rules

I await the voting with interest...

Apple fans got accused of being mindless downvoters ages ago, but I've never had that problem when making fair criticisms of them.

Being rude about Microsoft has been a sport for ages. If you count shooting fish in a barrel as sporting... In fact I used to get a lot of downvotes just from being nice about Windows Phone 7, back when I had one. My iPhone and my previous 'Droid were much better mobile computers, but the Lumia 710 was the best smartphone I've had at being a really good phone.

The funny thing is that the Google fanbois can still be relied upon to leap to the defence of their favourite company. Google do an awful lot right, so I guess there's a lot to like, but they also do an awful lot wrong - so there's plenty to criticise too. In my opinion they'll be a much better company when they've been taken down a peg or two. It certainly improved Microsoft.

7
2
Anonymous Coward

Re: Rules are rules

It's a shame "discussions" here have got to "CompanyX is better than CompanyY at everything".

As soon as you mock Microsoft, for example, someone throws dirt at Google - and another gives a jab at Apple. You're all so pathetic! These companies have you all wrapped around their little finger.

At least we all agree on one thing: Oracle are the shittiest!

0
0
Gold badge
Happy

Re: Rules are rules

I'm not sure that even Oracle don't have the fanbois. Probably sad, wizened creatures - all looking rather like Gollum. They know they had their precious somewhere, but somehow seem to have mislaid it. None of them have yet noticed the coincidence that their precious disappeared just after the Oracle salesman came to visit.

But I'm told they exist, from someone who's observed "my database is better than yours" bunfights online.

2
0

Best interests?

From said article: MSFT: "Specifically, we asked Google to work with us to protect customers by withholding details...".

So just like a 'free gift', I guess we are going to soon see a prOXYMORON server from Redmond where the interests of users can be better 'determined' by a NAT (Nefarious Attribution Table) component. Users' security interests can then be determined by another, more responsible middle-man. The proxymoron server would provide an IIS (Interests Intervention Server) connection on the user's behalf, blocking access to any malicious HTTP (Honest Totally Transparent Perspective) page that might be out there waiting to pollute your little Orwellian existence. The entire browsing experience would be seamless to the user.

Or they could just say they have a problem and admit it, together with an idea of when they can be arsed to fix it.

4
5
Silver badge

Re: Best interests?

>> Or they could just say they have a problem and admit it, together with an idea of when they can be arsed to fix it. <<

Umm, that's exactly what happened. The problem was Google didn't want to wait the few days between their "deadline" and patch Tuesday. Next time you pull a quote from an article maybe you should read it too?

3
2
FAIL

When reading this and the comments

All I can think is WTF......

I have a security risk on my software/OS ?

OK is there a fix ? great thanks....

What the fuck do you mean I have to wait for it till you can be bothered to give it to me. I want to be able to download and install it now.

Windows Update allows me to decide what to install when, and sysadmins have the same rights for all their kit, so what's the problem?

MS you are big enough to be able to manage this as having all your updates / fixes posted the day you complete them. There is no reason I can see for needing to wait up to a month for a security fix.

So WTF is the reason for making me wait ?

5
2
Linux

Re: When reading this and the comments

There is no reason I can see for needing to wait up to a month for a security fix.

Me neither!

So I did something about it.

2
2
LDS
Silver badge

Re: When reading this and the comments

Because updating your single bedroom PC used to download porn from torrents is a bit different than updating a large number of critical systems where downtime needs to be minimized (because you may have contractual SLAs, or lose a lot of money if something goes wrong), and so patching must be carefully planned and executed properly (ever patched a cluster while shifting many workloads across nodes?) on many different systems in the proper order - often running complex applications which may have their own migration/shutdown/restart procedures as well. Sure, you can (and should) automate most of them; still it's not something you like to perform too often - and it may also mean you have to perform it outside standard office hours - maybe during the night or weekends... how many nights and weekends are you ready to spend installing patches?

That's why sysadmins working on those systems complained about patches delivered continuously. That's why MS moved to a monthly release. Often hotfixes which don't require a security disclosure are made available before they are released as full patches through Windows Update. That can't be done with security patches, because once a vulnerability is known, it becomes easily exploitable - so you have a very short window to implement it unless you have other ways to mitigate its risk.

Is this so hard to understand? Could some people see beyond their nose and their little, little world?

2
3
Anonymous Coward

question for the lawyers

if, in this instance, MS had asked Google to hold off because of the upcoming fix and they blabbed anyway and a user gets impacted as a result of the disclosure before they're able to apply a fix... are Google open to being held responsible for any damages?

3
0

Re: question for the lawyers

.... are Google open to being held responsible for any damages?

According to Microsoft's own EULA, MS cannot be held responsible for any damages inflicted by their software...more than the license cost. Why would Google be held responsible for MS bugs?

2
0
Anonymous Coward

If you actually look at the bug report...

(and it appears most here haven't)

> Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.

< Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.

> Microsoft confirmed that they anticipate to provide fixes for these issues in January 2015.

So at first MS wanted an extra month(!), Google said no which forced MS to move quicker. This is the effect that strongly adhering to your deadline provides.

If MS were so concerned, then why were they first prepared to delay the release to 4 months? Also, why couldn't they have released their patch a few days earlier - instead of expecting everyone to adhere to their policies?

4
1

I have a hard time believing Microsoft's story that "we told Google in advance we needed exactly 92 days to solve this". Nopony knows that kind of detail in advance. This looks a lot like an attempt by MS to weaken the standard, which is a typical modus operandi for them.

Ninety days is extremely generous.

6
5
Anonymous Coward

Yes. I think this is more a battle of egos more than anything else.

"We are Microsoft! How dare you give us a deadline! We'll have it ready in 4 months"

"No, we are Google! How dare you disrespect our deadline! You still have 90 days"

"ok, but it will be 2 days late - because we are Microsoft!"

If you've ever had to deal with anyone at Microsoft, you'll notice they are very arrogant.

5
5
Anonymous Coward

Who is accountable to the compromised customers.

No one, that's right, 90 days even over the holidays (hackers love Christmas, all those servers and no one monitoring or too drunk to care).

When MS or Google or anyone in IT starts being actually accountable for the crap they dump out on people, then we could argue on semantics; until then this is the best way forward. At any rate, one of the main reasons for the argument of "don't want to rush the fixes, they may break things" is because it is not financially motivated. If vendors actually had to pay compromised customers damages, then hey, it would be financially motivated. BTW I'm sure this privilege escalation existed for much longer than 90 days. It was only disclosed to MS officially over 90 days ago. Interesting fact about WinXP: it was released with 10000 known bugs when it was launched in Aug 2001, and that was with 45 million lines of code. Windows 8 is, from what I can find, between 30 and 80 million lines of code; how many bugs were known at launch time? Just saying.

Yes, I know that bad admins can break things, true, but maybe we should have admins worth their salt, right? You know, the ones that most people hate, the ones that won't compromise on any bad practice even if the CEO or board of director members (and all management below) say otherwise. That would mean: no auto-saved passwords, two-factor everything, min 20 char passphrases w/ upper-lower-num-special, no BYOD/IoT, no non-centrally managed devices, hardened everything, no Facebook or any personal surfing of any sort... You know that guy, the one that gets fired for taking his job seriously.

Ah well I guess we will always kill the messenger every time right?

3
0
Anonymous Coward

Re: Who is accountable to the compromised customers.

yep, it's a balance between usability and security, with the admin as the pivot. at one end of the scale you have a secure system, and the other end you have a usable one.

Windows has yet to find itself a place anywhere on that scale...

0
1
Anonymous Coward

Re: Who is accountable to the compromised customers.

Because Windows is in the uncomfortable position of basically having an impossible demand: trying to provide highly-secure software that's still usable to a total idiot. Kind of like trying to build the ultimate front door for the mentally retarded...

I'm sure there are people who would love to know how to solve for BOTH ends of the scale at once.

1
0

Those commenters supporting Microsoft on this issue have no proof (whatsoever) that Microsoft did actually plan a fix for said bug on January 13th when stated, or that Microsoft did ask Google to delay information release.

Microsoft has a long and well documented history of lying and deceit about these types of matters, and until the company can provide verified proof of good intentions in regard to its communications with Google or any other strong competitor, I and most other intelligent and reasonable consumers (not Microsoft dupes and goof balls) should not make quick and probably false judgement against those entities that Microsoft virulently hates and considers "a cancer" for no logical or sane reasoning.

6
3

How about you all start thinking of this in the real world and put your MS v Google spats on the back burner. A lot of people in the comments section appear to have too much time on their hands and not enough experience of the real world.

This is about code but is also about clients. I notice a lot of comments about the software patching time (development and testing internal to MS) and that is interesting to read. However, has anyone thought of the clients and about their testing and patch deployment?

Well for those who don't then try reading the official standard 'http://msdn.microsoft.com/en-us/library/cc750077.aspx' from MS.

Then in the real world think of terms such as 'change freezes' (common over major holidays), patch testing before entering production (you do do due diligence on your patching?), and also patch cycles. If you're not aware of what those terms mean then please look them up. In real terms that means machines, unless an emergency change can be pushed through (you do do change management, correct?), may be exposed anything from 30 days to forever, depending on the company and their patch schedule.

To put this into context, who does Google help in this instance, nobody; and that is what is wrong. Especially as for all of us, our clients should be our number one priority, in this case Google has failed big time.

And for all the software developers, please, before you criticize, put a disclaimer in that you have never written code that later needed revising. Everyone makes mistakes; it's how they are responded to that is important.

3
3
Silver badge

Google got you the patch a month early

MS wanted to delay to mid-February.

Google pushed them to fix it now.

In fact, Google pushed them into fixing it at all.

Now, perhaps MS will put more effort into detecting and fixing these earlier.

Perhaps MS will also put more effort into finding and disclosing security problems in Google's products - and giving Google a fixed 90 days to fix them.

In both these scenarios the customer wins.

3
2
Silver badge
FAIL

Got to agree that Google was out of line on this one.

If MS scheduled a release of a fix in a period that was slightly longer than 90 days and asked for a delay in releasing the zero-day until then, then I think that is reasonable. Especially given the impact of the Christmas holiday on development and distribution productivity.

2
1
Bronze badge

Fire with fire

I'm sure that MS can find some equally exploitable code in one of Google's applications, maybe even Android?

Just to be bastards about it they should implement a 60 day policy for fixes after reported. Draw the line at providing proof of concept code but demonstrate the flaws.

Would be good if Google responded with a 30 day ultimatum :p

WE WIN... ?

1
1
Stop

So WAIT!

Are you all suggesting it's OK for MS to demand that Google extend their zero-day policy by two days for the sake of keeping MS's patch Tuesday in line, when "supposedly" Microsoft HAS A FIX, and can't just release it? At least they have control over that process, right?

Look, this is nothing new in the security community, some people want to disclose everything and some nothing, but guess what, we still are paid by companies trying to make money and quite frankly, a little forced competition is good.

This wasn't really a Google PR stunt, not by a long shot. This is actually MS taking a well-defined policy of their competitor and trying to make themselves look like saints.

We know two things:

1) MS managed to complete a patch for this in 90 days (so you can't say the time frame is unreasonable)

2) MS patching policy didn't line up with Google's release policy.

MS can control its release schedule if it wants, Google can control its zero-day policy if it wants; stop blaming each other when they both have plenty of control for their users.

3
2

Good.

in a perfect world this would spur an exploit cold war of sorts... with microsoft and google blowing through their respective cash hoards. poring over each other's software... each trying to defame the other (not that M$ could lose much fame over the quality of its code). it would be glorious.

billions pumped back into the economy and we all get better software... that's a win-win in my book.

but we all know no one can be bothered anymore... i used exactly one capital letter in this entire post, for example. so they'll cry about it, maybe sue someone and move on.

0
2

Google are right to do this

Mid-December MS released a patch which trashed IE9; we are still awaiting the fix. So hats off to Google, it might be a commercial swipe but it's got to be done.

2
1
Silver badge

Lots of Google apologists still think they "do no evil" I guess

Asking for a two day extension to allow releasing the patch on your regularly scheduled patch Tuesday isn't too extreme. What if they found the fix was pretty involved and would take another month or two?

When this first surfaced and people suggested Google was trying to make Microsoft look bad I dismissed it. Based on the evidence of this and the Aviator browser I have to rethink that. I think Google is using their security team as a weapon to make others look bad.

I guess they don't care because if someone finds a bug in Google code it is either internal code, where they can fix it on their own schedule and don't have to do the complicated regression testing that is required when there is a public API exposed, or it is Android, where it doesn't matter because only a minority of devices that have the bug will ever receive an update that fixes it anyway.

2
3

Re: Lots of Google apologists still think they "do no evil" I guess

No one is really being an apologist. I stated it before: Microsoft have control over their patching schedule, Google over their zero-day release schedule. These two are major competitors, so they don't have any need to support one another.

If this is such a big deal, why was MS releasing patch notes a WEEK in advance for upcoming security updates? I'm sure half the people blaming Google for this release were in the last article discussing how MS took away notification systems for non-paying users, and how that made them vulnerable.

Yes, by proxy, Google got in a jab, and MS are trying to make it out to be Google's fault, but in the end this is why we have competition in the marketplace. Security is no exception.

1
0
Silver badge
Headmaster

“What’s right for Google is not always right for ~~customers~~ the Product. We urge Google to make protection of ~~customers~~ the Product our collective primary goal,” he adds.

There...FTFY

2
0
Anonymous Coward

I am going to have to side with Google on this one. Microsoft knew about, fixed it, and put off sending out the update. Google needs to stick to their 90 day rule otherwise every software vendor will ask for extensions.

2
1
Silver badge
Devil

Google

Do no evil *

* conditions apply

1
1
Anonymous Coward

Am I the only one

that thinks all MS security fails should be disclosed as soon as they are found?

2
1

sharpsone@hotmail.com

Google is/are a bunch of pricks! The trust end-users place in the security of their data stored on a local system or cloud is sacred. We want to use our computers/devices and we want the data to be secure from prying eyes unless we decide to share it openly and willingly. Google crossed a line; corporations shouldn't sell one another out in hopes of stealing market share. Unfortunately this is a dirty tactic by Google and MS will likely retaliate at some point. I don't want the place holder of my data fighting with another entity for my dollars. Especially if they are willing to cut each other's throats to make a few dollars. Google you suck! You will Never Ever earn a penny from the hard earned money I make. I will stick with Redmond, tried, true and clearly looking out for the best interest of consumers.

1
2

Re: sharpsone@hotmail.com

I'm sorry is this a satirical post? If it is, hat tipped, if not you sir are a buffoon - I like the word buffoon and to be honest I could have used it to reply to a large number of comments on this topic. Both MS and Google couldn't give a flying fuck what any of you think - get over it.

1
0
