Newsletter Archives

  • Google Project Zero: 90-day disclosure is working, with 97.5% of reported vulns being fixed within 90 days

    The details are a little more complicated, but not much. Google’s Project Zero has turned up 1,434 security vulnerabilities in the past four and a half years:

    Of these, 1224 were fixed within 90 days, and a further 174 issues were fixed within the 14-day grace period [granted when it looks like the manufacturer is going to release a patch shortly]. That leaves 36 vulnerabilities that were disclosed without a patch being available to users, or in other words 97.5% of our issues are fixed under deadline.

    Realize that Google has a vested interest in saying that their disclosure policy is good for all of us — debatable, but I strongly agree — and they come to the conclusion:

    If most bugs are fixed in a reasonable timeframe (i.e. less than 90 days), then we are only enforcing the deadline on a very small number of unfixed cases. And if disclosing a handful of unfixed vulnerabilities doesn’t substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles, then it would follow that a deadline based disclosure policy is good for user security overall.

    Interesting report. Thanks to Catalin Cimpanu, who has additional observations on ZDNet.

  • Project Zero: Watch out for Web Proxy Auto-Discovery

    What is WPAD? Easy question, long answer. Google’s Project Zero just posted a scary evaluation:

    (With WPAD) every Windows machine will ask the local network: “Hey, where can I find a Javascript file to execute?”… WPAD allows the computer to query the local network to determine the server from which to load the PAC file… The browser connects to a pre-configured server, downloads the PAC file, and executes a particular Javascript function to determine proper proxy configuration.

    And… you guessed it… the PAC file can contain all sorts of compromising programs.

    Windows is certainly not the only piece of software that implements WPAD. Other operating systems and applications do as well. For example Google Chrome also has a WPAD implementation, but in Chrome’s case, evaluating the JavaScript code from the PAC file happens inside a sandbox. And other operating systems that support WPAD don’t enable it by default. This is why Windows is currently the most interesting target for this sort of attack.

    The Project Zero people proceed to discuss many different nightmare scenarios. Oh boy.

  • Another Windows 0day appears – gdi32.dll heap boundary error

    As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern.

    Mateusz Jurczyk at Google Project Zero discovered a memory disclosure vulnerability and notified Microsoft on Nov. 17. Project Zero has an automatic 90-day disclosure deadline: If the vendor (in this case Microsoft) doesn’t fix the hole that’s discovered, it will be automatically disclosed 90 days later.

    Sure enough, 90 days passed and, on Feb. 14, the timer rang and the full disclosure popped out, including exploit code.

    This isn’t a huge bug. The bad guy has to get access to your computer before it can be exploited. Once logged on to your machine, the interloper can open a bad EMF file and use it to sneak a peek at system memory that isn’t theirs.

    It seems that security bulletin MS16-074 didn’t fix the problem entirely.

    Yuhong Bao (whom I’ve mentioned before, many times) sent a provocative message to the Project Zero folks. He said:

    I wonder if this was supposed to be part of the cancelled February Patch Tuesday.

    Something to ponder over the upcoming three-day US holiday.