Google Discloses Details of an Unpatched Microsoft Vulnerability

Google's Project Zero is serious about releasing the details of security vulnerabilities 90 days after they alert the vendors, even if they're unpatched. It just exposed a nasty vulnerability in Microsoft's browsers.

This is the second unpatched Microsoft vulnerability it exposed last week.

I'm a big fan of responsible disclosure. The threat to publish vulnerabilities is what puts pressure on vendors to patch their systems. But I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors' products.

Posted on March 9, 2017 at 6:28 AM • 38 Comments

Comments

Michael P • March 9, 2017 6:53 AM

Having a disclosure policy is not worth much if a vulnerable product's creator can thwart disclosure to the public by arbitrarily bumbling the process of creating and releasing fixes. Google stretched their disclosure timeline for at least one Microsoft bug last year, and Microsoft (arguably) grossly abused that tolerance. This may be largely a signal that Google is not going to let it happen again.

Meanwhile, black hats are probing to find the same bugs, and are not going to delay at all when it comes to exploiting the bugs.

Karl • March 9, 2017 7:15 AM

I believe Google's motivation is that security vulnerabilities dissuade people from trusting technology, so they exert a lot of pressure to get rid of as many of them as possible. If you're asking people to keep their secrets in the cloud, the whole ecosystem has to be trustworthy.

Project Zero's 90 day timeline is well known, and they have publicly disclosed vulnerabilities when other parts of Google miss this deadline.

I suspect Microsoft is in this mess because they decided to bundle ALL updates together. Want the latest security patches? Then you also get a pop-up notification saying Edge is more secure when you start Chrome. Disclosure 1) demonstrates that this is not true, and 2) adds pressure to go back to unbundled security patches.

Marcos • March 9, 2017 7:25 AM

If competitive pressure leads to companies finding the worst bugs of their competitors and responsibly disclosing them, then great!

Can we convince Microsoft to spend some resources finding and disclosing Linux bugs too?

Desmond Brennan • March 9, 2017 7:34 AM

I don't think Microsoft take security seriously.

Also Satya Nadella's decision to continue the LinkedIn acquisition after
(1) Only disclosing the extent of the 2012 breach in 2016: the 2012 breach was the motherlode, as it gave place of work, as well as password (which are often reused)
(2) Mishandling the 2016 fallout process
(3) Allowing their platform to be abused for very nasty Russian Intelligence operations

Google do, and frankly, given Microsoft's nonsense with the "Browser Wars", and the damage that did to security... Microsoft merit targeting

Sok Puppette • March 9, 2017 8:00 AM

The phrase "responsible disclosure" is obnoxious propaganda.

Real responsible disclosure is doing whatever helps the most people in a given case. That might mean giving a vendor a certain amount of time, which might vary from case to case. It might mean instant publication; in fact, instant publication is probably the right choice most of the time. I could imagine it meaning some third option in some odd case.

At some point, a bunch of people decided to steal the phrase and use it to mean following a specific script that's comfortable for people who develop software and for IT departments. It was a deliberate attempt to imply that immediate public disclosure was automatically irresponsible.

Don't drink the Kool-Aid (by the way, it was actually Flavr-Aid).

keiner • March 9, 2017 8:05 AM

@Sok Pup

What is a "certain amount of time"? 90 days? (ooopps...) or maybe 3 years? 10 years?

Make a suggestion!

Dr. I. Needtob Athe • March 9, 2017 8:11 AM

This statement is puzzling:

"But I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors' products."

As Marcos implies above, we should all hope the competitive pressure is as high as possible, since one would expect the result to benefit us all. Friendly cooperation among competitors is hardly something consumers should want.

Sok Puppette • March 9, 2017 8:18 AM

What is a "certain amount of time"? 90 days? (ooopps...) or maybe 3 years? 10 years?

My point is that the right "certain amount of time" is going to depend on the individual situation. Mostly on who's using the software and the dynamics of how patches would hit the field.

In many and probably most cases, the right "certain amount of time" is none at all. Publish it the minute you've got a reasonable characterization of it.

In the remaining cases, 90 days is on the very long end, but I could see more than 90 days being reasonable.

K.S. • March 9, 2017 8:26 AM

In this case, competitive pressure will result in better long-term security. I hope MS turns around and exposes data leakage and search de-anonymization techniques in Google searches.

David Kowis • March 9, 2017 8:39 AM

I think they disclosed the bug in Microsoft browsers because most of google's business is done in the browser. A security flaw in the browser could expose Google Account Credentials and result in pain for Google.

I don't think they were out (in this case) to explicitly punish competitors products.

Andrew • March 9, 2017 8:53 AM

I will tell you a secret about vulnerabilities related to the last documents disclosure.
They were not just walking around smoking, waiting for someone to discover them, Hollywood style.

Nope. They were put there on purpose by undercover engineers, as bugs. Not necessarily the ones working on that specific project, and sometimes with company agreement. Now, as those are patched, new ones are projected.

There are still people who think that intelligence officers hunt vulnerabilities on black market for something they can get much cheaper.

I think it's like this because for two days all my devices crash like crazy

My Info • March 9, 2017 9:01 AM

@Bruce Schneier

... I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors' products.

None. It gives the appearance of a competitive free market for what is in reality a brutal Mob cartel.

GOOGL MSFT AAPL FB T VZ ORCL CSCO INTC

WhiskersInMenlo • March 9, 2017 9:02 AM

I recall an engineering process where the clock stopped when the change was in the source tree. It is however not fixed until corrected binaries are in the hands (machines) of customers.

Since Google depends on browsers 90 days is a lot.

Tea leaves also tell me that Firefox, Opera and Chrome are fine.
Given the available alternatives people are less at risk.

Of interest Win10 updates are big slow hard to deliver lumps. The notion of what a system is is getting in the way. Packaging, testing, delivery processes for a big chunk lump should not but do consume much of a 90 day window.

So two things need fixing.

Robert Plamondon • March 9, 2017 10:03 AM

To test the "competitive pressure" vs. the "target-rich environment" theories, one can start by comparing the ratio of non-Google-reported announcements of security bugs in IE vs. other browsers over the same period. Inferring motives from a single data point is best left to people who flunked calculus.

Clive Robinson • March 9, 2017 10:56 AM

@ Bruce,

But I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors' products.

Well first off there is the legal requirement for "Shareholder value". This sets certain business requirements to minimise avoidable expenditure. Thus I think it likely that there would be business pressure to investigate for security reasons the software they use directly, the software a majority of their users use and likewise associated software used for caching traffic etc.

It would in effect be "liability limitation" not perhaps for legal liability but for reputational liability that could kill them stone dead long before a civil case for loss etc even got to court.

With regards the issues with Microsoft software, you could take the view that Google was acting on behalf of all Microsoft's users, as well as offsetting potential legal liability. If Microsoft got hit with a class action and it became clear that Google knew of it but did not make "best efforts" then they could be joined into the class action and have a large piece of the settlement extracted from them.

What a number of commenters need to realise is that when it comes to liability in a civil court case you are damned if you don't investigate / report / take action and just as damned if you do not. Further if you do find something and keep it quiet there are all sorts of cartel and conspiracy arguments that sovereign nations and federations can throw at both parties to gain a conviction and subsequent fines in the millions of Dollars a day region on top of other fines in the hundreds of millions of dollars.

It's why it surprises me that Microsoft was so tardy in their response to Google's disclosure to them. There may be good reasons but they've not been brought forth from what I've so far read.

My Info • March 9, 2017 11:40 AM

@Robert Plamondon

To test the "competitive pressure" vs. the "target-rich environment" theories, one can start by comparing the ratio of non-Google-reported announcements of security bugs in IE vs. other browsers over the same period. Inferring motives from a single data point is best left to people who flunked calculus.

I'm not just talking about a single data point. The companies that I mentioned are in possession of a mutually-assured-destruction portfolio of patents on broad, vague, dubious in law and in right but doubtlessly enforceable descriptions and claims of abstract devices and inventions realized in software. Companies without a sufficient troll patent portfolio are unable to join the cartel. And that's just the way the giants like it.

Your link goes to a poultry farm. Farming in general is also an industry with razor-thin profit margins and lobbyists clawing Congress with their fingernails for every possible protectionist advantage for insiders and barrier to entry for outsiders. I'm just as glad Trump revoked TPA: Don't punish your fellow U.S. citizens with parochial protectionism when your biggest wholesale customers are buying foreign "fair-trade" chickens for pennies on the dollar of what you can afford to raise them for on the Democrats' policy of maintaining a strong U.S. dollar and yielding to foreign trade partners' currency manipulation.

The tech giants that I mentioned also operate on razor-thin margins, providing without an explicit cost what are seen as basic utilities to everyday internet users: functions for search, e-mail, general communication and socializing. And at the same time they do make money, a lot of money, and many of the things that they do to make money are not entirely ethical or apparent to the consumers from whom they are profiting.

Who? • March 9, 2017 11:42 AM

This is really funny.

The same company that made its flagship Nexus tablet stop receiving updates two weeks before fixing the most serious vulnerability ever discovered on Android (stagefright) on the rest of its products is publicly exposing vulnerabilities on products of its direct competitors.

It is a shame for Microsoft for not fixing a serious vulnerability (maybe some three-letter Microsoft customer asked the company to leave this vulnerability open to be used later), but it is a shame for Google too as this company does not really care about the security of its own devices and weakens the world openly documenting the vulnerabilities they find on the products of their competitors.

(and, no, I do not use either Microsoft, Apple or Google products.)

When did we move from the security theater to the security masquerade?

Who? • March 9, 2017 12:00 PM

@ Marcos

Can we convince Microsoft to spend some resources finding and disclosing Linux bugs too?

Let us start with the Lenovo ThinkPad Stack. This device is amongst other things a NAS server (using Samba/CIFS). Ok, now the funny part: this device is sharing its 1G HDD with any computer on the Internet with anonymous root access. No password required at all. No way to protect any file stored on this device not only against being read but also against unauthorized modification/erase either. The ThinkPad Stack firewall default rules do not help either.

I contacted the developers of this device one year ago. They promised looking into this issue and releasing a fix. The answer was releasing a new "Stack app" that silently (i.e. "in an undocumented way") disabled the ability of customers to improve their own firewall rules by removing the ability to enable the Stack advanced configuration front-end, closing this way the only chance they had to block the Samba/CIFS service listening on the egress interface.

Perhaps data stored on non-enterprise gear is not valuable to Lenovo.
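The failure mode Who? describes, a Samba share exported to every interface with guest access and no password, is the kind of thing a configuration audit catches before a device ships. The following is an added example, not code from the ThinkPad Stack, from Lenovo, or from this thread: it parses a constructed smb.conf (the share names, paths and settings are made up to illustrate the pattern, not copied from any real device) and flags shares that are reachable anonymously, distinguishing read-only exposure from anonymous write, and noting when the share runs as root. It also checks two global settings that matter for this scenario: `bind interfaces only`, without which smbd listens on every interface including the uplink, and `map to guest`, which silently downgrades failed logins to guest.

```python
"""Flag Samba shares reachable anonymously, and global settings that widen exposure.

Added example; the smb.conf below is constructed for illustration and is not the
configuration of any real device.
"""
import configparser

# Constructed sample: one writable guest share forced to root, one read-only
# guest share, one share that requires a real account.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
security = user
map to guest = Bad User
interfaces = lo eth0 eth1

[stack]
path = /mnt/hdd
guest ok = yes
read only = no
force user = root

[docs]
path = /srv/docs
public = yes
read only = yes

[private]
path = /srv/private
valid users = alice
writable = yes
"""

TRUE_WORDS = {"yes", "true", "1"}


def _truthy(section, *keys, default=False):
    """Interpret the first present key as a Samba boolean."""
    for key in keys:
        if key in section:
            return section[key].strip().lower() in TRUE_WORDS
    return default


def parse_smb_conf(text):
    # smb.conf uses %U-style macros, so interpolation must be off; strict=False
    # tolerates the duplicate keys real files sometimes carry.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def share_is_writable(section):
    # 'read only' wins when set; 'writable', 'writeable' and 'write ok' are its inverse.
    if "read only" in section:
        return not _truthy(section, "read only")
    return _truthy(section, "writable", "writeable", "write ok")


def share_allows_guests(section):
    # 'public' is a synonym for 'guest ok'; 'guest only' implies guest access too.
    return _truthy(section, "guest ok", "public") or _truthy(section, "guest only")


def audit_shares(text):
    """Return {share_name: finding} for every share that grants anonymous access."""
    conf = parse_smb_conf(text)
    findings = {}
    for name in conf.sections():
        if name.lower() in ("global", "printers", "print$"):
            continue
        sec = conf[name]
        if not share_allows_guests(sec):
            continue
        level = "anonymous write" if share_is_writable(sec) else "anonymous read"
        if sec.get("force user", "").strip() == "root":
            level += " as root"
        findings[name] = level
    return findings


def audit_global(text):
    """Return a list of global settings that make an exposed share worse."""
    conf = parse_smb_conf(text)
    g = conf["global"] if conf.has_section("global") else {}
    out = []
    if not _truthy(g, "bind interfaces only"):
        out.append("bind interfaces only is not set: smbd listens on every interface, "
                   "including the egress/uplink side")
    map_to_guest = g.get("map to guest", "Never").strip()
    if map_to_guest.lower() != "never":
        out.append("map to guest = %s: failed logins are downgraded to guest access"
                   % map_to_guest)
    return out


if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE_SMB_CONF).items():
        print("[%s] %s" % (share, finding))
    for finding in audit_global(SAMPLE_SMB_CONF):
        print("[global] %s" % finding)
```

Run against the sample, `[stack]` is reported as anonymous write as root and `[docs]` as anonymous read, while `[private]` is left alone; the global check reports both the missing `bind interfaces only` and the `map to guest` downgrade. Blocking the port on the egress interface, which the comment says the vendor's update removed the ability to do, would have been a workaround for the first of those; the share definition itself is the actual bug.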

Clive Robinson • March 9, 2017 12:34 PM

@ ALL,

The second unpatched vulnerability Bruce links to is actually an unforgivable bug in this day and age.

Many years ago prior to Google Chrome even becoming known outside of Google I was lambasting browser code writers for the lack of security because of shared process space and the ability to have multiple panes open to different servers, thus the ability for information to be accessed due to lack of proper memory protection. @Nick P and I had a conversation about how you might utilize this deficiency.

So the $64K question, why a decade or so later is the "same old same old" happening?..

NystagmusE • March 9, 2017 12:56 PM

Microsoft has an extremely long and contiguous history of ignoring user preferences, mistreating their own workers and encouraging them to compete with each other rather than cooperate, data-mining their own customers, and pushing forward bloated and insecure products and features which are typically not only unneeded but also counterproductive.

Market dominance is not an indicator of technological superiority. It's a sign of ignorance and submission on the part of the purchasers and end-users.

The democratization of malware is not technological progress.

"Internet, you need to go on a fasting diet. :-) "

Dirk Praet • March 9, 2017 1:16 PM

@ Sok Puppette

In many and probably most cases, the right "certain amount of time" is none at all. Publish it the minute you've got a reasonable characterization of it.

You're oversimplifying things. Large corporations like Microsoft for good reasons have elaborate processes in place which do not make it possible to create and distribute patches overnight. Timely resource availability will be an issue with pretty much everyone. In essence, releasing vulnerabilities the moment they're discovered only benefits those able to exploit them, and definitely not the common consumer. That said, 90 days should be sufficient for anyone, after which full disclosure is totally warranted on suspicion of ulterior motives.

JP • March 9, 2017 1:58 PM

Marcos got that right. I don't really care what Google's motivations are, as long as the end result is what is best for the consumers.

If Microsoft don't want the PR backlash they should simply fix their flaws before they're exposed. Not just that, they're free to "counter" Google by finding and disclosing flaws in Chrome or other Google products, which could then be patched as well. In this sense, the Market's pressure is pushing companies to do what is better for the customer in the long run.

Anura • March 9, 2017 2:36 PM

@JP

Marcos got that right. I don't really care what Google's motivations are, as long as the end result is what is best for the consumers.

Google's motives are going to tell you a lot about what that end result is going to be. Given my experience with Android, it's clear that Google is not serious at all about security of our devices. So is this about actually making us secure, or is this just a cheap way to look like we are doing something in order to avoid regulations that cut into profits?

The thing about software/hardware is that they are vital to our infrastructure, and will only get more vital in the future. There are going to be major problems in the future unless we take serious action today to ensure that we have strong procedures that are followed by every dev team that ensures *ware is secure and reliable.

KN • March 9, 2017 2:38 PM

"But I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors' products."

There's only one thing which should make Google work as hard to find vulnerabilities in its own code as in 3rd party products, which is other companies making their own zero day teams.

If other companies aren't checking Google's code, then their only incentive to find their own bugs is as a good Samaritan. Fear of brand embarrassment is always a better motivator than altruism.

Nobody Special • March 9, 2017 4:11 PM

Lots of good commentary here on the Google v. MS war.

The missing element is mention of our government. That's because for at least two decades it has been asleep at the wheel allowing exploits to go on and on and on un-repaired, allowing competitors to exploit the mere awareness of exploits and likely allowing itself the arrogant power to secretly inject exploits into major systems as part of the "security" apparatus.

If the wheels of a particular car brand fell off when certain odd circumstances were present, you can rest assured a great uproar would ensue and the government would force the manufacturer to fix the problem ASAP or face vast penalties and fines. Not so with software used by most everyone, however.

Regardless, my main concern is these corporations are becoming the government by filling the power vacuum created by our incompetent elected leaders. Meanwhile officials practice malicious governance simply to keep themselves in power and the donation dollars flowing. Thus, amoral profiteer corporations become the government, by default.

Currently Google and FB are working on systems to fight "fake news", (based on their definition), Google is coming up with AI to locate and defeat "trolls", FB is simply sucking up personal data of every kind to market to for the highest price.

And yes, they aren't the only companies with their particular internet racket going à la Cosa Nostra....

It's everywhere and getting worse.

Where's Eliot Ness when you need him?

Ross Snider • March 9, 2017 4:42 PM

Overall projects like this make us all secure:

1. They discover, disclose and patch issues in deployed software.
2. They push the boundaries for performing security evaluations of software and train professionals in the field.
3. They hold software distributors accountable to public record on the quality of their products.
4. They raise the costs to producers of vulnerable and poorly maintained software.
5. They encourage public conversation and community knowledge about security.

Drone • March 9, 2017 8:23 PM

Oh the hypocrisy! There are hundreds of millions of vulnerable devices in the wild running Google's Android operating system that have never received, and never will receive, even a single security update. And yet Google is trying to be the security gatekeeper when it comes to their competitors' products? What gall! Shame on you Google. What ever happened to "Do No Evil"?

Nick P • March 9, 2017 9:27 PM

"But I wonder what competitive pressure is on the Google team to find embarrassing vulnerabilities in competitors' products."

They're trying to look more secure than the competition. They've been differentiating on that since the beginning when they were an OP knockoff. I blasted the Googlers on HN for pretending they could do much more. I used Microsoft Research as an example of doing things right in high-assurance security, including a better browser. They didn't like that but their best don't compare to Microsoft's best in security right now. They're not even close in terms of published results.

My calling them out was here under a pile of Googler whining. I also recall telling a Chrome developer about static analysis tools for C++ that could catch the issues hackers were finding in their product. Another guy was pushing the SaferC++ scheme. Despite all their money, they didn't show any interest in using them at the time. Pity.

Note: As Drone points out, their Android operating system is doing so badly in terms of malware that people like Matt Green and Thomas Ptacek are telling journalists to use iPhones instead. Google clearly needs to be working on their own security more than their competition's. ;)

Michael Moser • March 9, 2017 10:17 PM

Google also has a project of fuzz testing open source libraries (lots of openssl bugs are found this way). This has the benefit of preventing data breaches and prevents legal liabilities for Google , I think. Black box testing of IE would also have the benefit of improving test tools (fuzz testing wouldn't work without access to source code?)

Michael Moser • March 9, 2017 10:24 PM

I think they have had a strong focus on security since Snowden; the NSA was listening in on traffic in the clear between the data centers, and they had a shock that criminals could have done that too. This could have killed them for good. (I don't work for them.)

ab praeceptis • March 9, 2017 11:10 PM

Nick P.

Well done. Google's contributions to security are quite modest and they prefer to inspect others while they themselves could certainly need improvement.

I'm certainly not a Microsoft fan but, being grown-up men and not fanboys, we should see the reality and the fact that Microsoft is clearly leading.

There are, of course, laudable exceptions but grosso modo there is nobody even close to microsoft in that field.

That said, one should also see the other side of reality. I just happened to fall over a current visual studio installation. It's between 3 and 8 GB. Read that again! The average visual studio installation is about 5 or 7 Gigabytes! Incredible, just incredible.
We shouldn't ignore the error potential in that *massive bloat*.

The other itch I have is that microsoft stuff is almost always poisoned in one way or another. Typically there is a nice "open source" or at least "free" layer on top but somewhere deeper the crap-trap is waiting, be that some vital part is non-free or be it that it needs .net or be it it only runs on windows.

Dan H • March 10, 2017 5:59 AM

Google's Chrome is frequently a guest on the US CERT high vulnerability list.

Sok Puppette • March 10, 2017 10:21 AM

You're oversimplifying things.

Them's fighting words. :->

In fact, YOU are oversimplifying things.

I know all the things you say and more, from many years of intimate experience on both sides of these disclosures.

Large corporations like Microsoft for good reasons have elaborate processes in place which do not make it possible to create and distribute patches overnight.

... for example, here you assume that a patch from the vendor is the only way to respond to a vulnerability. That's rarely true. You can often work around something by using it differently, putting some kind of filter in front of it, using different software for a while, outright switching to something else, or whatever.

Of course, how feasible that is depends a lot on what the software is, who's using it, and how they're using it... which is one reason you should evaluate each situation individually.

Now, of course, the vendor almost never thinks of those as valid responses, but they are in fact valid responses for users in many cases.

[...] In essence, releasing vulnerabilities the moment they're discovered only benefits those able to exploit them,

... and here you assume that they're not already known and exploited. The fact is that if you find something, there's usually a good chance that you're not the first to find it. It may in fact already be being exploited all the time in the wild.

Good, careful attackers (not botnet kiddies) can often do that for a long time before anybody notices it. So "we haven't seen that in the wild" does NOT imply "it's not happening in the wild". And even if somebody has noticed it happening, they may not have made it public.

Another, more subtle assumption you make is that the vendor itself isn't going to leak to the bad guys before the patch comes out. That's not always even close to being a good assumption.

I've personally had cases where I thought I was keeping vulnerabilities secret "while they were fixed", and then found out that tons of people already knew about them and were exploiting them. In fact, that tended to happen more often than not when I actually bothered to investigate.

and definitely not the common consumer.

Here you're assuming that "consumers" are always the main issue, as well as assuming that they're completely helpless.

If I, as a "common consumer", learn that game X is vulnerable, I at least have the option of not playing game X until it's fixed. That may be harder for me to do with my phone OS. So, again, you have to evaluate every situation separately.

In the case at hand, the "common consumer" can definitely switch to Chrome or whatever for a few weeks for most purposes. The only thing really stopping them from doing that is the lack of robust systems for warning them that they need to.

There are also cases where the impact on the "common consumer" is small even if the vulnerability applies to them, whereas the impact on somebody else could be large.

That said, 90 days should be sufficient for anyone[...]

Yes it should, and so should 30 days. But having worked inside some of those large organizations you're talking about, I can tell you that it can be really tough to get them to accept that. They don't move fast.

Actually, though, large vendors move at warp speed compared to corporate IT departments, which frequently fail to roll out vendor fixes for many months. For that matter, "common consumers" often do the same thing, so if you're really worried about them, it may often not matter at all whether a vulnerability is announced before a patch is available. Vulnerabilities are fixed by patch installation, not by patch availability. So the whole drama about disclosure before or after availability misses a certain amount of the point.

John Ji • March 10, 2017 12:22 PM

Microsoft -- for decades -- has a poor track record with patches. If left to its own devices, Windows would be a lot worse off than it currently is. And currently that's not very good.

Nickie Halflinger • March 10, 2017 12:31 PM

@Drone: Google does have a monthly patch cycle and some device manufacturers push those through to their devices (Blackberry is doing this as vowe.net is documenting). I have an unlocked Motorola Pure which was supposed to get timely patches but they lied. In 2 years, I've gotten three updates.

When I had a phone purchased from Verizon, it was even worse. First Google updates Android. Then the manufacturer has to validate the build for the device for compliance with their bloatware. Then the carrier has to test against their layer of crapware. Too many fingers in the pie.

As far as the end devices are concerned, it's not much different than other IoT devices - there's no money in patching.

Nicola • March 11, 2017 4:31 PM

Google is mostly comprised of cutting-corners idiots. Hope somebody releases a handful of zero days for Android. When all hell will break loose, we could then talk about "security".


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.