News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Blog Archives

  • Google comes clean on that “emergency” security patch – and shows how it was used to trigger a Windows 7 0day

    Posted on March 8th, 2019 at 07:03 woody Comment on the AskWoody Lounge

    Now I understand.

    Google releases patches for its Chrome browser all the time. As @b explained about 36 hours ago, Google sent out a special alert to get Chrome updated specifically to head off a 0day attack.

    I didn’t get too excited about it because Chrome automatically updates itself quite reliably, and because the threat didn’t seem to be all that great.

    A few hours ago, Clement Lecigne of the Google Threat Analysis Group added some key details:

    On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together.

    To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

    The second vulnerability was in Microsoft Windows. It is a local privilege escalation in the Windows win32k.sys kernel driver that can be used as a security sandbox escape. The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndexwhen NtUserMNDragOver() system call is called under specific circumstances.

    We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.

    Pursuant to Google’s vulnerability disclosure policy, when we discovered the vulnerability we reported it to Microsoft. Today, also in compliance with our policy, we are publicly disclosing its existence, because it is a serious vulnerability in Windows that we know was being actively exploited in targeted attacks. The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes. Microsoft have told us they are working on a fix.

    As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available.

    Google’s vulnerability disclosure policy says, to a first approximation, that it gives software manufacturers 90 days to fix a security hole, and if no fix appears, they disclose the details.

    It’ll be interesting to see how Microsoft reacts.

    UPDATE: Catalin Cimpanu has a thorough timeline on ZDNet.

  • Google shuts down Google+ network

    Posted on October 8th, 2018 at 12:43 woody Comment on the AskWoody Lounge

    Google’s just now confirming that an API bug might’ve exposed private profile data for 500,000 Google+ users. Their response is to shut down Google+.

    I didn’t realize Google+ has 500,000 users.

    Catalin Cimpanu has the details on ZDNet.

    UPDATE: Big revelations coming from the Wall Street Journal. Is it possible that Sundar Pichai didn’t testify in front of the US Congressional Committee because he was afraid of being tripped up by the then-secret breach?

  • Microsoft security’s unseemly jab at Google

    Posted on October 19th, 2017 at 08:29 woody Comment on the AskWoody Lounge

    In yesterday’s Windows Security blog post Browser security beyond sandboxing, Microsoft’s Jordan Rabet (part of the “Microsoft Offensive Security Research team” – no, I didn’t make that up) took aim at Google. There’s a whole lot of technical discussion about the superiority of Edge in that article. There’s also a deep dig at Google.

    Catalin Cimpanu at Bleepingcomputer boils it down:

    The problem that Rabet pointed out was that the fix for the bug they reported was pushed to the V8 GitHub repository, allowing attackers to potentially reverse engineer the patch and discover the source of the vulnerability.

    It didn’t help that it took Google three more days to push the fix to the Chromium project and the Chrome browser, time in which an attacker could have exploited the flaw.

    Taking into account that this happened in mid-September, Microsoft had no reason to detail a bug in a Chrome version that’s not even current. Chrome 62 is the latest Chrome version.

    Paul Thurrott has a great article, turning Microsoft’s old words against itself.

    What Microsoft should have done is take the high ground. Do the right thing for your shared customers and just shut up about it. But it didn’t.

    It’s time for both sides to grow up and work together. Take potshots at each other, sure. But not over security.

    If you’re interested in browser security, I suggest you read it.

  • The scale of tech winners

    Posted on October 14th, 2017 at 16:01 woody Comment on the AskWoody Lounge

    Fascinating piece from Ben Evans:

    Microsoft was working on smartphones and mobile devices 20 years ago, and now it’s killed Windows Mobile, acknowledged that the PC is going the way of the mainframe and, like IBM, has to make its way in a market shaped by other companies. There probably won’t be a technology that has 10x greater scale than smartphones, as mobile was 10x bigger than PCs and PCs were bigger than mainframes, simply because 5bn people will have smartphones and that’s all the (adult) people.

    Check it out.

     

  • EU Anti-Trust investigation hits Google with biggest fine yet

    Posted on June 27th, 2017 at 15:30 Kirsty Comment on the AskWoody Lounge

    Google has been fined $2.7 Billion US, in its European Union anti-trust ruling, after a 7 year probe.

    From Financial Times:

    “Google’s strategy for its comparison shopping service wasn’t just about attracting customers by making its product better than those of its rivals. Instead, Google abused its market dominance as a search engine by promoting its own comparison shopping service in its search results and demoting those of competitors. What Google has done is illegal under EU antitrust rules”, said EU’s competition commissioner, Margrethe Vestager.

    Google is understood to be considering appealing the ruling. Other reports say that even if the fine is paid, it is unlikely to cripple Google/Alphabet financially, but Alphabet’s share price has dropped since the ruling was announced.

    You can read the European Commission press release here

  • Google discloses actively exploited Win vulnerability

    Posted on November 2nd, 2016 at 05:43 woody Comment on the AskWoody Lounge

    Many of you have asked for my opinion about the “Google endangers us all as an act of hubris” articles making their way around the web. Emil Protalinski at Venture Beat has a good synopsis.

    (One technical note: Emil says “Windows 10 Anniversary Update users are not affected by the vulnerability being exploited in the wild.” In fact, it looks like only those using Edge in version 1607, the Anniversary Update- or Chrome – are immune.)

    Long and short of it: I don’t think we know the pertinent details, and doubt that we ever will. I’ve been in this industry too long to start pointing fingers based on a heated exchange between Microsoft and Google. No doubt both have reason to beef. Who’s right? I dunno. I doubt that anyone does.

    I have just one observation to offer. Terry Myerson, in his damning post Our commitment to our customer’s security, ends the lengthy explanation with this note:

    Special thanks to Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance in investigating these issues.

    By all accounts, Mehta and Leonard are the ones who discovered the security hole.

    It just strikes me as odd.

    Looks like we’re going to get the fix on Nov. 8, as part of the regular Patch Tuesday.

    UPDATE: Confirming, based on the comments, that if you have Flash patched, you’re fine. The current infection vectors require Flash – although Windows itself needs to be patched, to cover an underlying problem. If that sounds obtuse, it is, but patching Flash (or not using Flash!) takes you out of harm’s way. For now.

  • Can Google and Apple take over the PC market?

    Posted on May 3rd, 2016 at 07:45 woody Comment on the AskWoody Lounge

    Very important post by Paul Thurrott:

    Can Google and Apple take over the PC market?

    And some significant insight from Steve Sinofsky:

    This misses one point

    If you want to see the (bleak) future of Windows, I think they’ve nailed it. Google and Apple are going to roll over the PC market by building their mobile OS’s “up.” Microsoft’s lost by trying to shrink its dinosaur “down.”

    The transition’s going to take a while, but I’m convinced that my son’s going to grow up in a world where “Windows” elicits the same old-fuddy-duddy response as “IBM,” “BlackBerry,” “AltaVista,” and (dare I say it) “Yahoo!”

    BTW: Don’t get me wrong. Windows is going to be around for a long, long time. Microsoft may put the marketing name “Windows” on some other product. But Windows as we know it isn’t going to be at the forefront of worthwhile technological advances – indeed, hasn’t been for some time.

  • Windows 10 search and Bing

    Posted on January 21st, 2016 at 15:13 woody Comment on the AskWoody Lounge

    Fascinating mail from AA:

    I am a reluctant Windows 10 user (at work).

    Bing searchWhen I use the Windows 10 search box at work, the default view when I click the box is to see a bunch of tiles about what is “popular now”.  To me this a distraction, so I typed the following string into the search panel:    “dont show bing news in search panel windows 10”.

    When my browser pops up (Chrome, with Google search set as its default search tool, but ignored in this case), I get a very Bing-centric set of responses, but no answers.

     

     

    If I open my browser on my own, and perform the same search directly, I get a very different (and more useful) response.

    Google Search

    This is not a gripe about how disable Bing – I know how to do that now.    But it’s disappointing to know that Bing’s answers are seemingly adulterated.  Sigh.

    As always, thanks for being a voice of sanity in the land of Windows.