Google discloses actively exploited Windows vulnerability just days after reporting it

ronjor · Oct 31, 2016

Emil Protalinski October 31, 2016 11:10 AM

A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it. Indeed, Microsoft has not released a fix nor issued an advisory for this flaw.
Click to expand...

Minimalist · Oct 31, 2016

What happened to 90 days they usually give vendor to patch their software?

TheWindBringeth · Oct 31, 2016

After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released
Click to expand...

From the link above:

Our standing recommendation is that companies should fix critical vulnerabilities within 60 days -- or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation.
Click to expand...

Minimalist · Oct 31, 2016

Thnx for links @TheWindBringeth. Although I wouldn't expect MS to patch and test win32k.sys in one week. Luckily Flash was updated so exploit doesn't work any more. We can only hope that MS will release patch before new ways to exploit vulnerability are found.

TheWindBringeth · Oct 31, 2016

I take you clicked through and saw this, but it might be good to surface:

Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
Click to expand...

Minimalist · Nov 1, 2016

Yes I saw this. Although in this case they could give MS more time, since Flash was patched and advicing users to update Flash would be enough to mitigate ITW exploits ( at least I read it that way).
I also don't know how users could protect themselfs against attack that targets kernel component - what steps can users take to protect against this specific vulnerability?

ronjor · Nov 1, 2016

Our commitment to our customer’s security

msft-mmpcNovember 1, 2016
This guest blog post is by Terry Myerson / Executive Vice President, Windows and Devices Group

We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
Click to expand...

Krusty · Nov 1, 2016

Microsoft attacks Google's Windows hack alert

Google's revelation of a security flaw in the Windows operating system has caused anger at Microsoft.
Google published details of the yet-to-be-fixed bug on Monday after giving Microsoft a week to react.
Google said the issue was "particularly serious because we know it is being actively exploited".
But Microsoft said the alert could do more harm than good at this point because it needs more time to develop a patch.
"We believe in co-ordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told the VentureBeat news site.
Click to expand...

ronjor · Nov 1, 2016

They should. Irresponsible of Google.

WildByDesign · Nov 1, 2016

Microsoft says Russia-linked hackers exploiting Windows flaw
Link: http://www.reuters.com/article/us-microsoft-cyber-russia-idUSKBN12W4ZK

Microsoft Corp (MSFT.O) said on Tuesday that a hacking group previously linked to the Russian government and U.S. political hacks was behind recent cyber attacks that exploited a newly discovered Windows security flaw.

The software maker said in an advisory on its website there had been a small number of attacks using "spear phishing" emails from a hacking group known Strontium, which is more widely known as "Fancy Bear," or APT 28. Microsoft did not identify any victims.

Microsoft's disclosure of the new attacks and the link to Russia came after Washington accused Moscow of launching an unprecedented hacking campaign aimed at disrupting and discrediting the upcoming U.S. election.
Click to expand...

JRViejo · Nov 3, 2016

Microsoft on Tuesday said it would patch a Windows vulnerability next week that Google publicly revealed just 10 days after notifying Microsoft.
Click to expand...

Microsoft to patch Windows bug that Google revealed by Gregg Keizer.

ronjor · Nov 8, 2016

Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

By Eduard Kovacs on November 08, 2016

One of the zero-days has been patched with MS16-135, a bulletin rated important. MS16-135 fixes two information disclosure and three privilege escalation flaws, one of which is a Windows kernel bug exploited in attacks by a Russia-linked cyber espionage group to elevate privileges and escape the browser sandbox.
Click to expand...

Minimalist · Feb 18, 2017

Google’s Project Zero security researchers drop another bomb on Microsoft

It seems Microsoft is not only having to battle hackers but also Google to keep Windows secure.

The company’s Project Zero security research wing has once again released a zero-day vulnerability into the wild.

The bug, in Microsoft’s GDI library, is currently unpatched with a proof of concept available.
Click to expand...

https://mspoweruser.com/googles-project-zero-security-researchers-drop-another-bomb-microsoft/

boredog · Feb 18, 2017

Minimalist said: ↑

https://mspoweruser.com/googles-project-zero-security-researchers-drop-another-bomb-microsoft/
Click to expand...

"It affects Windows Vista Service Pack 2 all the way up to Windows 10 but fortunately requires physical access to exploit." that is probably why MS took so long .

Log in or Sign up

Google discloses actively exploited Windows vulnerability just days after reporting it

ronjor Global Moderator

Minimalist Registered Member

TheWindBringeth Registered Member

Minimalist Registered Member

TheWindBringeth Registered Member

Minimalist Registered Member

ronjor Global Moderator

Krusty Registered Member

ronjor Global Moderator

WildByDesign Registered Member

JRViejo Super Moderator

ronjor Global Moderator

Minimalist Registered Member

boredog Registered Member

Log in or Sign up

Google discloses actively exploited Windows vulnerability just days after reporting it

ronjor Global Moderator

Minimalist Registered Member

TheWindBringeth Registered Member

Minimalist Registered Member

TheWindBringeth Registered Member

Minimalist Registered Member

ronjor Global Moderator

Krusty Registered Member

ronjor Global Moderator

WildByDesign Registered Member

JRViejo Super Moderator

ronjor Global Moderator

Minimalist Registered Member

boredog Registered Member

Useful Searches