tptacek 6 years ago

Here's the bug:

https://bugs.chromium.org/p/project-zero/issues/detail?id=14...

It's a race condition that allows an ACG bypass. Under ACG, only privileged processes in the browser process ensemble can create new executable pages. But the mechanism by which privileged processes "give" executable pages to less-privileged processes enables the lesser processes to populate them with code of their choosing. It's medium severity because it's just a bypass of a (relatively new) security control. For it to be useful, you already need to have an RCE-able bug.

The headline is a bit misleading, and the article keeps you on the hook for a couple grafs before explaining.

You don't get "indefinitely, until the patch is released" from Google. You get 90 days. It's on you, the vendor that shipped the buggy software, to figure out how to ship a patch within 3 months. If you can't, you can ask for a grace period, which Google isn't obliged to give you (but did give here). I believe, but am not sure, that Google will give longer grace periods for very severe vulnerabilities, at their discretion.

This is how it has to be. Big vendors --- Google almost surely included! --- will backburner patches for months and months if they aren't given hard deadlines. Deadlines serve the users --- not just of the vulnerable software, but of all the other users that might depend on the people who use that software in some indirect way.

Either way, it doesn't look like anything was done to spite Microsoft. But a "business continued as usual" headline wouldn't attract as many clicks, I get that.
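To see the control under discussion from the defender's side, here is an added example (not from the original thread, and not Google's or Microsoft's code) that inspects and enables the Arbitrary Code Guard mitigation, which the Windows Defender Exploit Guard cmdlets expose as the DynamicCode policy. It assumes Windows 10 1709 or later with the ProcessMitigations module; notepad.exe is only a stand-in target, substitute the image you care about.

```powershell
# Added example: inspect and set the Arbitrary Code Guard (ACG) mitigation,
# reported by the Exploit Guard cmdlets as the DynamicCode policy.
# Assumes Windows 10 1709+ with the ProcessMitigations module; Set-ProcessMitigation
# needs an elevated prompt. notepad.exe is an assumed target, not from the thread.

$target = 'notepad.exe'

# System-wide defaults: what a process gets when no per-image override exists.
Get-ProcessMitigation -System | Select-Object -ExpandProperty DynamicCode

# Per-image override for the target; NOTSET means it inherits the system default.
$before = Get-ProcessMitigation -Name $target
$before.DynamicCode | Format-List

# Enable ACG for the target. With BlockDynamicCode on, VirtualAlloc/VirtualProtect
# requests for executable pages inside that process fail with
# ERROR_DYNAMIC_CODE_BLOCKED; only code mapped from signed images (or, as in the
# browser design described above, pages handed in by a separate privileged
# process) can execute.
Set-ProcessMitigation -Name $target -Enable DynamicCode

# Verify the change took; expect ON.
(Get-ProcessMitigation -Name $target).DynamicCode.BlockDynamicCode

# For a live process, query by PID instead of by image name:
#   Get-ProcessMitigation -Id (Get-Process notepad).Id

# Roll back when done.
Set-ProcessMitigation -Name $target -Disable DynamicCode
```

Two things to keep in mind before turning this on for real software: any process that generates code at runtime (a .NET or Java host, a browser renderer without an out-of-process JIT) will fail the moment it tries, so check the DynamicCode.Audit setting first to log would-be violations instead of blocking them; and, as the thread points out, ACG only stops the process from creating executable pages itself, so an attacker who already has code execution can still look for a way to have a more privileged process create them.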

  • jacksmith21006 6 years ago

    Yes, Google allows longer for bigger issues. Meltdown and Spectre are two great examples.

    What surprises me is that so many of the really big ones seem to be found by Google.

    Spectre and Meltdown by multiple people. But Shellshock, Broadpwn, Heartbleed, and Cloudbleed, if memory serves, were all found by Google.

    Off the top of my head I cannot think of a major one in the last couple of years found by anyone but Google. Anyone else?

    • ocdtrekkie 6 years ago

      Project Zero remains one of the few true gems at Google. They do good work. They probably don't call out their own employer as much as they should (understandable, considering), but they do darn good work, and have made a significant impact in making the Internet more secure. Everything from competitors' operating systems to browser extensions has gotten their attention, almost seemingly at random.

      I'd actually be super curious to know how they pick what they look into. Just a "hey, I wonder about this" while going about their day, or if they have some sort of agenda laid out for when to look at what software.

      • seanmcdirmid 6 years ago

        They probably call out their employer internally, know who to call directly when they find something, and so on. For stuff that isn't their own, the rules are probably very different.

        At least that is how I would run something like this.

        • xbmcuser 6 years ago

          If I recall correctly, a bug in Chrome was disclosed by the Project Zero team before Google could fix it, as the 3 month deadline had passed.

      • jacksmith21006 6 years ago

        Would say Google has a couple gems. DeepMind comes to mind. Also Google Brain has done some pretty interesting things.

        Probably my favorite of late is from Jeff Dean

        https://arxiv.org/abs/1712.01208

        We just got YouTube TV recently, which is also something pretty impressive by Google and saves me a ton of money, as my cable provider was awful, charging for every TV monthly.

        Another example of something I find really interesting is Spanner.

        https://research.google.com/archive/spanner.html

    • 794CD01 6 years ago

      Those who put resources into looking for security vulnerabilities find a lot. Of those groups, most have better things to do with those vulnerabilities than report them publicly. Who else is Google even competing against here?

      • tptacek 6 years ago

        There are lots of other vulnerability research teams. Google happens to have one of the best; they've recruited a decent slice of the best-known vulnerability researchers and then done a pretty excellent job of bringing up new people.

    • pvg 6 years ago

      Shellshock and Broadpwn were not originally reported by people working at Google; Heartbleed was also independently found by others.

  • brudgers 6 years ago

    Curious if Google discloses unpatched bugs in Chrome on the same 90 day policy.

  • ksk 6 years ago

    >Deadlines serve the users --- not just of the vulnerable software, but of all the other users that might depend on the people who use that software in some indirect way.

    What if a user/users would rather a company spend their resources on adding a feature they care about than on fixing a bug that doesn't impact them? (Not that I disagree with Google's position here..., just a contrarian view)

    • tptacek 6 years ago

      That's not a contrarian view. It is a widely-held view. Plenty of IT administrators would rather not think about security, which is largely an externality to their job.

      If they're inconvenienced by the 90 day deadline, they have Microsoft to blame for it, not Google.

    • adrianmonk 6 years ago

      Unless they plan to never fix it, they are going to eventually spend resources. Deadlines just force the issue of when those resources are spent. They are still spent either way.

      And if they don't have any intention of ever fixing it, it basically doesn't matter when it is disclosed. So in that case, having a deadline is no worse.

      Yes, sometimes you can be more efficient if you have your choice of when to do something, but that's usually a relatively minor effect.

tehlike 6 years ago

Whether Google should disclose after 90 days or not is up for debate maybe, but I for one applaud the effort. For many, many years, exploits have gone undetected/unpatched. If Google's approach is to force people to fix them, so be it.

Microsoft has no right to be angry; they should be thankful. This is people's data, their business at risk. After being in the business for such a long time, and with the resources they have, they can afford to put a small army of SWEs on fixing security bugs.

Unlike a small company's, the bugs in widely used software, by definition, affect a large set of people.

Disclaimer: google employee.

  • zamalek 6 years ago

    > If Google's approach is to force people to fix them, so be it.

    That's not actually what responsible disclosure is for. Responsible disclosure is a process that [correctly] assumes that a malicious third party has also discovered the bug and is currently exploiting it or selling it, but acknowledges the assumption. If you disclosed bugs immediately, they could be novel and you could have let the cat out of the bag. If you never disclose bugs, they could already be in the wild and doing damage.

    Forcing Microsoft to fix it is just a beneficial side-effect.

    • lawnchair_larry 6 years ago

      That’s called coordinated disclosure. There can be no such thing as “responsible” disclosure, and Microsoft has disavowed that term.

  • kovek 6 years ago

    On the topic of Google finding issues in others' software:

    I am wondering how the engineers at Google who work on finding software issues or vulnerabilities approach that kind of work. Is there a way to heuristically find security vulnerabilities and software issues?

    Edit: Especially when those vulnerabilities need so much work to be revealed, like the Meltdown/Spectre issues we heard about recently.

appleflaxen 6 years ago

Or, the equivalent title: "Google gives Microsoft the standard 90 day window that it gives everyone"

  • lucb1e 6 years ago

    Except Intel's CPU bugs, and perhaps others that I don't know about.

TwoNineA 6 years ago

90 days + 14 days grace time.

Why isn't that enough?

  • ocdtrekkie 6 years ago

    It took Google five months to get KRACK patched on the Pixel 2, despite third party ROM authors doing it in two days. Suffice it to say, many vendors miss deadlines for this stuff on occasion. There are probably a number of reasons for this, including difficulty of repair, the fact that third party software may depend on the broken functionality, etc.

    Microsoft and Google both patch security updates every single month that fall well within the common 90 day disclosure window. And then every so often, they fail to.

  • jsgo 6 years ago

    depends how embedded the issue is. If the fix for it is going to break or expose other things, it could be that more time is needed.

    I don't mind that 90 days is a soft deadline, at which point, as long as they're showing determinable progress on the issue, all is well until it is patched. But disclosing the bug before a fix is in place exposes users to possible actors that wouldn't have known of said issue previously (i.e. like WannaCry being based on leaked NSA offensive tools, leaking effectively being an involuntary disclosure).

ninjanautsi 6 years ago

"The public disclosure will likely anger Microsoft, once again." What has Microsoft done to retaliate in, if any, previous disclosures?