Google exposes Windows 11 security flaw after Microsoft fails to patch it

Posted by UsamaJawad96 4 hours ago

Comments

Comment by q3k 45 minutes ago

Here's the actual issue with technical details instead of useless blogspam: https://project-zero.issues.chromium.org/issues/437291456

Comment by twelvechess 2 hours ago

It seems lately every piece of software is getting more and more vulnerabilities, failures, crashes. Microsoft products are exceptionally high on the list.

Comment by hsbauauvhabzb 1 hour ago

More people are looking. Microsoft products have been a large attack surface, poorly coded and heavily researched for a very long time.

Comment by nwellnhof 2 hours ago

It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on an unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

Comment by naian 26 minutes ago

What is not sustainable is that someone decides to sit on a security bug for any reason. If someone doesn't want to or can't fix a security bug it should be made public so someone else can step in or, at least, so users (be it end users or software projects that use a library) can look for mitigation or alternatives.

Comment by philipallstar 2 hours ago

The linked conversation looked pretty civil - looks as though you decided to step down, which is entirely reasonable, but I don't see anything forcing you or imposing anything on you.

Comment by ThunderSizzle 44 minutes ago

Civil, but unreasonable. An unpaid maintainer of a free library isn't a vendor, and shouldn't be treated in any such way. A vendor is paid.

Comment by nly 2 hours ago

I don't understand why they wouldn't give a pre-release patch to the bug reporter (especially if it's someone like Google) for them to analyse before doing a final release.

If they were actively working with Project Zero instead of being seemingly silent, this wouldn't happen.

This is where FOSS is still winning and will always win. Fixes happen in the open and bad fixes can be called out.

Comment by hsbauauvhabzb 54 minutes ago

I’m not sure why you think it’s the researcher's responsibility to verify patches. It would be nice, especially if they’re knowledgeable in the code, but Microsoft have the resources to put someone else in that position too.

Comment by nly 51 minutes ago

The researchers in this case literally checked the patch after release. It costs nothing to send them a pre-release and ask the question.

Comment by hsbauauvhabzb 1 hour ago

What’s the expectation for responsible disclosure when it comes to ineffective patches? Does that normally reset the counter to 90 days, or only if the patch was reasonable and in good faith?