back to article Google reveals bug Microsoft says is mere gnat

Google has reported a local file flaw affecting Windows 7 and 8.1 32 and 64 -bit systems in the third vulnerability dropped since a spat with Microsoft erupted last week. The vulnerability that allowed a malicious Server Message Block version 2 server to force a client to open arbitrary local files was marked high severity by …

  1. ratfox Silver badge
    Windows

    I'm reminded of zero-tolerance policies

    And the silly decisions they lead to, e.g suspending school children for having a dangerous plastic spoon in their bag.

    My bet is that Google will drop this plan sooner or later; and the sooner it is, the least they will cover themselves with ridicule.

    1. P. Lee Silver badge

      Re: I'm reminded of zero-tolerance policies

      But this is quite the opposite. MS said it didn't matter at all.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm reminded of zero-tolerance policies

        "But this is quite the opposite. MS said it didn't matter at all."

        They didn't say that. They said that what it is exploiting is not meant to be a security boundary, and therefore doesn't rate being treated as a vulnerability.

        That doesn't mean that it isn't a bug that won't eventually be fixed.

        1. Nigel 11

          Re: I'm reminded of zero-tolerance policies

          Microsoft acted as if it didn't matter at all. And now they're saying it's not important because it's too obscure. Haven't they learned anything from Intel's experience (a long time ago) with the FDIV bug? Or for that matter, various auto companies' experiences of what happens when they ignore "bugs" in cars on grounds such as they'd be too expensive to fix?

          "Almost completely secure" = Insecure.

        2. beavershoes

          Re: I'm reminded of zero-tolerance policies

          Microsoft will not fix anything which they say don't matter. If my kid pointed out to me that our dog killed a snake and I said that it doesn't matter. That means that I am not going to punish the dog. When I said it does not matter, I and Microsoft mean that nothing needs to be done about it because it does not matter. Common sense use to be more common.

          1. h4rm0ny

            Re: I'm reminded of zero-tolerance policies

            All well and good except you are having to make up your own wording on Microsoft's behalf here. Point me to where they said "it doesn't matter". What they said is that it is not a security bulletin. When a security bulletin is issued there are actions that follow from that which are not without cost. Thus you issue them when appropriate. It is this trivialization of cost that leads to absurd government and council health and safety arguments and all such things - the idea that if something matters it must have equal priority with everything else.

            This is Google playing a PR game just as when they publicized vulnerabilities days before the actual fix was available (and they knew this). It makes Google look far worse than Microsoft, imo. I do not like them using my security as a PR stick to beat their competitors with.

  2. Khaptain Silver badge
    Devil

    Pissing game or business tactics ?

    Did Bill Gates piss on Eric's yacht by mistake or is this an elaborate business strategy designed to discredit MS. Please do not let me believe that this is a ploy to encourage Chrome adoption.

    That exploit certainely does not appear to be ScriptKiddie material, at least not for the moment.

    1. Planty Bronze badge

      Re: Pissing game or business tactics ?

      Microsoft have credibility left? That went out the window with their pathetic Scroogled campaign..

      Microsoft should be fixing these issues, not crying about google.

      You can bet they have tried to retaliate by looking at chrome os code, but not found anything..

  3. Keef

    Time to redeploy those spare staff not working on Modern UI?

    Perhaps MS will go after Google to look for and disclose exploits in their code.

    But there are no security flaws in any Google code, right?

    1. I ain't Spartacus Gold badge
      Devil

      Re: Time to redeploy those spare staff not working on Modern UI?

      I was thinking that MS should deploy a patch within the 90 days that deliberately has some sort of bug in it. They can then blame Google as it's obviously their fault for forcing MS to rush the fix through testing to avoid Google arsily realeasing on exactly 90-days.

      Top marks if they can manufacture some kind of bug that only breaks Google services. Or even better only breaks some tool that Google use internally (for however many Google staff don't use Apple or Linux).

      Alternatively the bug could just display "Google smell of poo"...

      1. Adrian Midgley 1

        Isn't that already standard?

        better MS fix it, or if it is really of no consequence stop complaining it isn't secret.

  4. Aslan

    Totally exploitable on college campuses

    This bug is totally exploitable on college campuses. Scenario 1) They block many ways to download things so you go looking for Shared folders. Why download one file when you can download the whole folder or whole file tree and sort through it later. Put the HTML Exploit in a folder with other files someone wants and boom, exploited.

    Scenario 2) In a office a personal computer is used to host work files that everyone needs. It gets infected. The infection adds a malicious HTML file to a folder everyone uses. People download the folder because they want to have access to all the documentation when the network goes down. Exploit.

    If we're playing with arbitrary files, how about making it a batch file? There's no end of fun that could be had then.

    Microsoft needs to get serious about security. What's the chances the US governments next Stuxnet is actively using this to spread on an airgapped network at this very moment?

    1. Donn Bly
      FAIL

      Re: Totally exploitable on college campuses

      You have totally misunderstood the nature of the bug. Putting an HTML or batch file in the folder would not trigger it. The server housing the share would have to be modified to send a specially-crafted response so that when a request to a specific file or folder on the share is made that the requesting workstation looks at a local file instead. The server never gains access to the files to which it redirects, only the workstation.

      So, lets say that you either compromise an existing server, or set up a honeypot. On that server you create a share called "downloadme" and put a file called "passwords.txt" in it.

      Now, when the unsuspecting user tries to notepad \\honeypot\downloadme\passwords.txt your compromised server can instead point them to a file on their C: partition, such as c:\boot.ini

      The interesting thing would be if the user tried to delete \\honeypot\downloadme\passwords.txt and would instead delete their own boot.ini -- but tricking a user into deleting a file wouldn't be very easy.

      The idea behind the HTML exploit using XMLHttpRequest is that the javascript on the HTML file could make a request to the mount point and get a file off of the C: drive -- however, as the code runs on the workstation and not the server the exploit could just as easily access the file directly without having to rely on the bug.

      The same exploit running on a non-compromised server pointing directly to the local file would accomplish the same thing, and would actually be easier to implement. As such, labeling this as a "security bug" is stretching things a bit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Totally exploitable on college campuses

        "The interesting thing would be if the user tried to delete \\honeypot\downloadme\passwords.txt and would instead delete their own boot.ini -- but tricking a user into deleting a file wouldn't be very easy."

        That file is marked as System, so can't be accidentally deleted without knowledge of how to anyway.

      2. LDS Silver badge

        Re: Totally exploitable on college campuses

        Maybe if the "client" runs a web server which fetch files from an SMB server you can trick it into delivering you some of its local files it would not normally do - say a config file. But you need to control the SMB server the http server fetches files from, and change it into a compromised one, or re-route SMB calls to another one you control.

        It's a vulnerability, but not so easy to exploit, note that in the disclosure itself he needed to use a debugger to change the contents, or use Samba (when open source code is more dangerous than closed one, LOL!) because hacking directly the standard SMB server process in Windows is far more difficult.

  5. Def Silver badge

    Again Google?

    I'm starting to see Google as that annoying kid at school who just won't shut up.

    Like this one.

  6. bill 27

    Well I feel a lot better.

    It's comforting to know that MicroSoft will not only decide what a bug/security problem is. But will fix it, if they decide it's a problem. Probably in the dead of the night after they've whined enough and I turned automatic updating on. Guess that means that all I have to do is turn the critter on, go do all the stuff I use it for, like online banking, and turn it off. All with 100% certainly that nothing bad will happen...after all MicroSoft is watching over me.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well I feel a lot better.

      ..after all MicroSoft is wretching over me.

      FTFY

  7. Dan Paul

    Criticism from

    your competitor is actually a high form of compliment.

    Screw Google in this case.

  8. Mark Exclamation

    Does Google have a department looking for flaws in MS products on a full-time basis? Seems a strange idea. If they don't, how on earth do they keep uncovering so many?

  9. tempemeaty

    Good cop, bad cop?

    Who is on the boards of all these big corporations?

    Is this Google attack on Microsoft just a set up for the purpose of making us feel empathy towards Microsoft in order to soften the blow-back from computers users/population/us when Microsoft begins the ramp up to introducing Windows 10 as well as OS as a service?

    Question Everything...

    1. Anonymous Coward
      Anonymous Coward

      Re: Good cop, bad cop?

      I'm questioning how Google can get to reverse engineer Microsoft code without the DoJ coming down hard on Google employees for doing so...

      Guess you can do what the hell you like in big corporate America if you're either super wealthy, or happen to be a megacorp...

      1. h4rm0ny

        Re: Good cop, bad cop?

        >>"I'm questioning how Google can get to reverse engineer Microsoft code without the DoJ coming down hard on Google employees for doing so..."

        It's legitimate security research to examine code and see if you can find flaws in it. That's how many flaws are found. Now if Google were doing that for purposes of copying their code for their own products then in certain circumstances that would be illegal (but not all). However, that wont be happening. The code bases of their products are very different and outside some very specific cases, examining someone else's code wont benefit you. It's mainly done for purposes of cracking software or finding vulnerabilities.

        We don't need to invoke conspiracy theories for this, tbh. This is basically Google running a PR exercise to set themselves up as the IT police and make their competitor look bad. Google have no interest in helping their competitors produce a better product and it plainly isn't about protecting their own users because (a) it's not like their users are going to stop using the Internet because of these flaws and (b) publicizing unpatched vulnerabilities increases active exploitation. If it doesn't appear to be PR, that's because it's good PR.

  10. Adrian Midgley 1

    Organising the world's information

    seems a clear mission statement.

  11. Henry Wertz 1 Gold badge

    Full disclosure FTW

    "My bet is that Google will drop this plan sooner or later; and the sooner it is, the least they will cover themselves with ridicule."

    Ridicule for what? 90 days is PLENTY of time for a vendor to at least say "Hey, we are working on it." Certain vendors *cough* Microsoft *cough* may PREFER to just have people sit on vulnerabilities forever so they can just pretend they don't exist and not fix them (and yes, Microsoft, this IS a security vulnerability!) but it is really better for the public to know there are holes their vendor is not bothering to patch, than to only find out when their systems are pwned (the blackhats WILL already know about these vulns after all.) Full disclosure FTW.

  12. Bladeforce

    Still find it funny..

    ..sitting back here watching all the gullibles stuck in Microsofts proprietary madness after all these years. Defending them to the hilt. They dont give a sh1t about you and definitely not about your privacy

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019