Ramblings of an old Doc
Google reveals Windows, Edge and IE vulnerability...
Published on February 25, 2017 By DrJBHL In Personal Computing

 

Before dealing with how this sucks and doesn't, download another browser (Vivaldi, Chrome, Brave...etc.) and use it until the Edge/IE vulnerability is fixed. And...last week Google revealed a Windows vulnerability, as well.

You can read about the Edge/IE vulnerability here, if you're of a mind to do so: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011

 

"It is Google's policy to disclose any vulnerability after 90 days if the notified company did not publish a publicly available patch for the issue."...well there's a plus and a minus to that.

First, reality: Is there any malware out there exploiting that security problem? If not, Google just might be doing the black hats' work for them. If there is malware - well, in the case of the Windows problem, there isn't a whole helluva lot a user can do, is there? So why notify? MS knows, you told them. Now all you're doing, again, is notifying the black hats. In the browser's case...yes, by all means, notify, because people can choose alternatives.

Sorry...sometimes Google lacks any semblance of common sense, for "one upsmanship". And that just sucks.

 

Source:

http://www.ghacks.net/2017/02/25/google-discloses-edge-and-ie-vulnerability/?_m=3n%2e0038%2e1975%2ehj0ao01hy5%2e221o




Comments
on Feb 25, 2017


Sorry...sometimes Google lacks any semblance of common sense, for "one upsmanship". And that just sucks.


Yeah, that holier than thou attitude of Google's stinks: "Look! We're doing your job for you because the public has a right to know."

Frankly, I reckon the public has a right to know what goes on behind closed doors at Google... what it stores on its masses of data banks and servers about anyone and everyone... about what they've done, where they've been and why.  Thing is, Google is probably the most secretive company on the planet, with employees required to sign non-disclosure and privacy agreements that surpass even covert gov't departments, so if a whole load of shit is going on inside Google, nothing is coming out of there unless Google wants us to know... which isn't likely.

on Feb 25, 2017

90 Days?  As long as it was submitted properly that is more than generous.  A good explanation of the practice is given here:

https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html

They, for various reasons, don't always follow this though, as seen in the recent https://en.wikipedia.org/wiki/Cloudbleed issue.

on Feb 25, 2017

Rhadagast

As long as it was submitted properly that is more than generous.

Generous for whom? MS? Maybe...but if they don't fix it, just who's is vulnerable?

They're notifying the hackers, among others when they go public with vulnerabilities.

Them going public helps you and me just how? 

on Feb 25, 2017

DrJBHL


They're notifying the hackers, among others when they go public with vulnerabilities.

Them going public helps you and me just how? 

 

100% Agreed.   It is today's culture of (as you already put it) 'oneupmanship' rearing it's ugly head here again.  Nothing more, or less.

on Feb 26, 2017

It has always been a "Keep up with the Joneses" type thing. Sad part is if one person does something worthwhile there will be those who oppose it because they didn't think of it first.

I call that cheating because they did it before I did. 

on Feb 28, 2017

DrJBHL


Quoting Rhadagast,

As long as it was submitted properly that is more than generous.


Generous for whom? MS? Maybe...but if they don't fix it, just who's is vulnerable?

They're notifying the hackers, among others when they go public with vulnerabilities.

Them going public helps you and me just how? 

Unfortunately the reality is, if a "White hat" has found it, it's very likely a "Black hat" has already or will soon find it as well, which is a big reason why a time limit on the notification is important, to force action, and allow the public to take precautions.

Or to quote the article I linked: "Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors."

Do you disagree?

on Mar 01, 2017

well... you could argue the blackhats who knew about it and keeping quiet are more likely to be state affiliated and selective against their targets. compared to kits built using disclosure info being available to everyone and dog who whacks everyone and dog. obviously it's not a hard and fast rule...

on Mar 01, 2017

Rhadagast

Do you disagree?

WHo are you addressing your question to? the_Monk? Me?

If it's to me, I would have to answer that I have no way of knowing, and neither does Google, until malware exploiting that specific breach starts appearing. I've not read of it yet, have you? So, maybe their logic is flawed? 

As flawed as making vulnerabilities public to people who can't fix them, and are potentially harmed by (not theoretically but ACTUALLY harmed - us) and to those who can exploit them (the blackhats).

on Mar 01, 2017

DrJBHL


Quoting Rhadagast,

Do you disagree?



WHo are you addressing your question to? the_Monk? Me?

If it's to me, I would have to answer that I have no way of knowing, and neither does Google, until malware exploiting that specific breach starts appearing. I've not read of it yet, have you? So, maybe their logic is flawed? 

As flawed as making vulnerabilities public to people who can't fix them, and are potentially harmed by (not theoretically but ACTUALLY harmed - us) and to those who can exploit them (the blackhats).

 

Yeah I quoted your text so was directing the question your way, I've never encountered someone strongly opposed to the concept of responsible disclosure so was interested in that point of view.  I think we'll have to agree to disagree.  I  do think that your and alaknebs' point regarding exposing it to the world makes it much easier for amateurs to exploit it is valid, but in my opinion that does not outweigh the benefit of eventually disclosing the exploit to the general public so that we can take measures to safeguard ourselves. 

on Mar 02, 2017

unless there's no measure that you can take.. aside from pulling the plug. i don't think anyone is opposed to disclosure. the tricky thing is the amount of time a company is given to fix an issue. how do you know if a company is dragging its feet or having difficulties?

on Mar 03, 2017

Rhadagast

I've never encountered someone strongly opposed to the concept of responsible disclosure so was interested in that point of view.

That depends entirely on ones definition of responsible disclosure which is exactly the point here.  I and others in this thread view google's actions as less than 'responsible' and more self-serving in nature than anything else really.

 

Rhadagast

but in my opinion that does not outweigh the benefit of eventually disclosing the exploit to the general public so that we can take measures to safeguard ourselves.

Assuming the average joe even knows what 'take measures to safeguard ourselves' means; here we once again have a case of locking the barn door AFTER the horse has escaped mentality being peddled as justification for 'responsible disclosure' (which as previously stated is most often not responsible at all). 

The better 'responsible action' would be, GOOGLE and any other self-serving entity with the power to spread information to spread more knowledge on topics I have beaten to death in many a thread here (ie. LEAST PRIVILEGE etc. etc.) and how the average user can use that information for safer computing.  That would actually help prevent 'exploits' such as this even begin taking hold.  Unfortunately those with the power to disseminate information quickly are more focused on 'ambulance chasing' than actually helping anyone for it to make a difference anyway. 

on Mar 03, 2017

I've been using Seamonkey (Mozilla / Netscape Communicator fork) for about a year now without incident. IE / Edge should only be used to go download a real browser. I am personally boycotting Google for their invasive tracking.

Meta
Views
» 8639
Comments
» 12
Sponsored Links