Newsletter Archives

  • Google Project Zero: 90-day disclosure is working, with 97.5% of reported vulns being fixed within 90 days

    Posted on August 2, 2019 at 10:12 CDT by Comment in the Forums

    The details are a little more complicated, but not much. Google’s Project Zero has turned up 1,434 security vulnerabilities in the past four and a half years:

    Of these, 1224 were fixed within 90 days, and a further 174 issues were fixed within the 14-day grace period [granted when it looks like the manufacturer is going to release a patch shortly]. That leaves 36 vulnerabilities that were disclosed without a patch being available to users, or in other words 97.5% of our issues are fixed under deadline.

    Realize that Google has a vested interest in saying that their disclosure policy is good for all of us — debatable, but I strongly agree — and they come to the conclusion:

    If most bugs are fixed in a reasonable timeframe (i.e. less than 90 days), then we are only enforcing the deadline on a very small number of unfixed cases. And if disclosing a handful of unfixed vulnerabilities doesn’t substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles, then it would follow that a deadline based disclosure policy is good for user security overall.

    Interesting report. Thank to Catalin Cimpanu, who has additional observations on ZDNet.

    Windows Patches/Security , ,

  • Project Zero: Watch out for Web Proxy Auto-Discovery

    Posted on December 18, 2017 at 12:05 CST by Comment in the Forums

    What is WPAD? Easy question, long answer. Google’s Project Zero just posted a scary evaluation:

    (With WPAD) every Windows machine will ask the local network: “Hey, where can I find a Javascript file to execute?”… WPAD allows the computer to query the local network to determine the server from which to load the PAC file… The browser connects to a pre-configured server, downloads the PAC file, and executes a particular Javascript function to determine proper proxy configuration.

    And… you guessed it… the PAC file can contain all sorts of compromising programs.

    Windows is certainly not the only piece of software that implements WPAD. Other operating systems and applications do as well. For example Google Chrome also has a WPAD implementation, but in Chrome’s case, evaluating the JavaScript code from the PAC file happens inside a sandbox. And other operating systems that support WPAD don’t enable it by default. This is why Windows is currently the most interesting target for this sort of attack.

    The Project Zero people proceed to discuss many different nightmare scenarios. Oh boy.

    Windows Patches/Security ,

  • Another Windows 0day appears – gdi32.dll heap boundary error

    Posted on February 17, 2017 at 11:13 CST by Comment in the Forums

    As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern.

    Mateusz Jurczyk at Google Project Zero discovered a memory disclosure vulnerability and notified Microsoft on Nov. 17. Project Zero has an automatic 90-day disclosure deadline: If the vendor (in this case Microsoft) doesn’t fix the hole that’s discovered, it will be automatically disclosed 90 days later.

    Sure enough, 90 days passed and, on Feb. 14, the timer rang and the full disclosure popped out, including exploit code.

    This isn’t a huge bug. The bad guy has to get access to your computer before it can be exploited. Once logged on to your machine, the interloper can open a bad EMF file and use it to sneak a peek at system memory that isn’t theirs.

    It seems that security bulletin MS16-074 didn’t fix the problem entirely.

    Yuhong Bao (whom I’ve mentioned before, many times) sent a provocative message to the Project Zero folks. He said:

    I wonder if this was supposed to be part of the cancelled February Patch Tuesday.

    Something to ponder over the upcoming three-day US holiday.

    Windows Patches/Security , , , ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • How to use the Forums
  • All Forums

    • Recent Topics

    September 2023
    S M T W T F S
     12
    3456789
    10111213141516
    17181920212223
    24252627282930

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.