
Google Security Expert Finds, Publicly Discloses Windows Kernel Bug

Soulskill posted about a year ago | from the second-verse-same-as-the-first dept.

Windows 404

hypnosec writes "Security expert Tavis Ormandy has discovered a vulnerability in the Windows kernel which, when exploited, would allow an ordinary user to obtain administrative privileges of the system. Google's security pro posted the details of the vulnerability back in May through the Full Disclosure mailing list rather than reporting it to Microsoft first. He has now gone ahead and published a working exploit. This is not the first instance where Ormandy has opted for full disclosure without first informing the vendor of the affected software."

404 comments

Seriously, (0)

Black Parrot (19622) | about a year ago | (#43908497)

Is it news every time someone finds a security vulnerability?

Re:Seriously, (0)

Anonymous Coward | about a year ago | (#43908523)

News? TFS is flamebait.

Re:Seriously, (4, Funny)

tgd (2822) | about a year ago | (#43908765)

News? TFS is flamebait.

This Fucking Site?

Re:Seriously, (5, Informative)

ArcherB (796902) | about a year ago | (#43908893)

News? TFS is flamebait.

This Fucking Site?

The Friendly Summary.

Re:Seriously, (1)

PhxBlue (562201) | about a year ago | (#43908525)

It is for nerds, I guess?

But not to give them a chance to correct it first? (0, Flamebait)

Bruce66423 (1678196) | about a year ago | (#43908533)

That's bad. That's destructive and dangerous. He needs to be sacked for this, given the potential for this to be abused in the wild - otherwise we know that Google really is on the side of the criminals...

Re:But not to give them a chance to correct it fir (1)

Anonymous Coward | about a year ago | (#43908561)

But... but... "Do no evil"!

Re:But not to give them a chance to correct it fir (5, Insightful)

poetmatt (793785) | about a year ago | (#43908595)

Yeah, ok. troll better please.

it's been 4 weeks. Clearly we should go after those who disclose vulnerabilities instead of those responsible for fixing them. /sarcasm

Re:But not to give them a chance to correct it fir (5, Insightful)

Anonymous Coward | about a year ago | (#43908609)

That's bad. That's destructive and dangerous

No more dangerous than publishing the blueprints for a gun or the instructions to 3d print one. Someone could use that information to perpetrate a crime. Why do you throw freedom of speech out the window when it comes to software bugs?

The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at least expense is what's truly destructive and dangerous.

Re:But not to give them a chance to correct it fir (3, Insightful)

Anonymous Coward | about a year ago | (#43908761)

Why do you throw freedom of speech out the window when it comes to software bugs?

Get on your soapbox much? Nobody is infringing on Freedom of Speech since there is no law against this. There are issues of being reasonable and responsible though that have nothing to do with the law. Nor is anyone here suggesting that he shouldn't publish, just that he should inform Microsoft directly, instead of assuming that everyone on the planet should read that mailing list, and give them some reasonable time to fix it before publishing.

Re:But not to give them a chance to correct it fir (0)

Anonymous Coward | about a year ago | (#43908793)

Responsible disclosure is an oxymoron.

Re:But not to give them a chance to correct it fir (-1, Flamebait)

Dishevel (1105119) | about a year ago | (#43908925)

just that he should inform Microsoft directly, instead of assuming that everyone on the planet should read that mailing list, and give them some reasonable time to fix it before publishing.

Umm. Many do.
Microsoft never gets off its ass and fixes stuff before it goes public.
So. Fuck it. Publish. Make em work.

Re:But not to give them a chance to correct it fir (3, Insightful)

Anonymous Coward | about a year ago | (#43908885)

That's bad. That's destructive and dangerous

No more dangerous than publishing the blueprints for a gun or the instructions to 3d print one.

This is closer to posting a list of homes where firearms are registered. Exposing the vulnerabilities without letting the homeowners without guns know that they're about to be greenlighted for burglary.

The general tolerance of latent vulnerabilities and the expectation that whitehats should give companies time to patch them at least expense is what's truly destructive and dangerous.

Now everyone has to scramble as script kiddies within their organizations implement this (internal attackers are still most dangerous). A balance must be struck. He's not looking to keep people secure; he's looking to make MS Windows operating systems a battlefield.

Re:But not to give them a chance to correct it fir (1)

The MAZZTer (911996) | about a year ago | (#43908945)

A more apt analogy would be someone taking classified military information and making it public (which IS a serious crime and is NOT covered under freedom of speech).

Re:But not to give them a chance to correct it fir (1)

The MAZZTer (911996) | about a year ago | (#43908963)

And by classified information, I mean like information about military systems, their configurations, hardware used, so on and so forth (as opposed to say, names of spies or whatnot. Not the right analogy).

Re:But not to give them a chance to correct it fir (2, Informative)

MikeBabcock (65886) | about a year ago | (#43908613)

History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.

Re:But not to give them a chance to correct it fir (1, Insightful)

nanoflower (1077145) | about a year ago | (#43908695)

Doesn't matter what history shows. The best procedure is to give the company notice of the bug and give them a chance to fix it. Not years, certainly, but a few months seems very reasonable. The only reason not to do so would be if you knew someone was already taking advantage of the vulnerability in the wild.

Re:But not to give them a chance to correct it fir (0)

Anonymous Coward | about a year ago | (#43908831)

With sites like scroogle slamming google for the same things M$ is doing and the even more atrocious things they want to do (See patent on kinect to pull demographics from your living room), Microsoft gets whatever they deserve.

Re:But not to give them a chance to correct it fir (0)

Anonymous Coward | about a year ago | (#43908933)

So negative advertising should beget exploits that hurt users? What should Microsoft's response have been to the Mac vs. PC ads then?

Re:But not to give them a chance to correct it fir (0)

Anonymous Coward | about a year ago | (#43908841)

Months? Hell no. 3 or 4 weeks, maybe, and that's pushing it.

responsibly (1)

Anonymous Coward | about a year ago | (#43908763)

History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.

Disclosing responsibly gets a patch to users as well. Give them a little while (one calendar quarter max), and then publish.

I don't think anyone is saying he should sit on it forever, but you don't know what other exploitable things they're working on, and now everyone is completely vulnerable because there is no patch.

Re:But not to give them a chance to correct it fir (0, Offtopic)

K. S. Kyosuke (729550) | about a year ago | (#43908799)

History tells us that telling Microsoft privately puts it on their radar for three to five years out. Disclosing publicly actually gets a patch to users.

No, what actually gets a patch to users is when you find a vulnerability, use it to hack into Microsoft servers, download their repository, fix the bug, rebuild the kernel, generate the patch, steal Microsoft signing certificates, sign the patch, upload it to Windows Update servers, and pray that all users download it before someone notices you.

Re:But not to give them a chance to correct it fir (1)

Dishevel (1105119) | about a year ago | (#43908949)

Fuck it. Have them patch to Linux Mint 15.

Re: Fired for it? (1, Interesting)

Frobnicator (565869) | about a year ago | (#43908681)

Looks like from TFA he posted both the flaw and the working exploit as himself, not as an employee. So that is at least something.

He should have known about proper disclosure practices: File a defect report, permit the company to fix the exploit, and then release the exploit to the wild at the same time the fix is released, or release it if the company fails to take action. Instead of following the protocol he put the information about the exploit both on his personal blog and on the disclosure newsgroup, with the comment that he doesn't have time to deal with it. (But apparently he does have time to blog about it.)

Was it wrong? Absolutely. There is a protocol to follow that generally protects the public and still discloses the vulnerability if it is not fixed immediately.

Should he be fired from his job as a security programmer? Maybe. He should at least get a chat with his boss and HR to explain his side.

Re: Fired for it? (1)

Nerdfest (867930) | about a year ago | (#43908803)

The same thing happened last time if I remember correctly. It's a tricky situation ... his employer shouldn't be able to control his hobbies, but he shouldn't be making them look like dicks either. Does he advertise himself as a Google employee, or is this the usual anti-Google FUD campaigners throwing this information in where it's not warranted?

Sacked? (1)

Anonymous Coward | about a year ago | (#43908741)

If it were us little people without political connections to bail our asses out, we'd be in jail!

Jesus Mother Fucking Christ!

I just want to put on a sandwich board with "They are going to Fuck us!" and just mumble "Bullshit! Bullshit! Bullshit! Bullshit! Bullshit! Bullshit!"

Re:But not to give them a chance to correct it fir (0)

Anonymous Coward | about a year ago | (#43908757)

Look at the timeline... But with Microsoft, there's really no "enough time" to correct a problem that THEY don't see as a problem.

Re:But not to give them a chance to correct it fir (0)

Anonymous Coward | about a year ago | (#43908767)

Google's policy is to back researchers disclosing the vulnerability if the vendor does not fix it within 60 days, or 7 days if there is an active exploit in the wild.

Re:But not to give them a chance to correct it fir (2)

Yaur (1069446) | about a year ago | (#43908937)

It's a privilege escalation vulnerability... your machine has to already be compromised for this to be abused in the wild.

Re:Seriously, (0)

Anonymous Coward | about a year ago | (#43908537)

Especially one in Windows?

Re:Seriously, (1, Insightful)

pseudorand (603231) | about a year ago | (#43908563)

It's news that a Google employee is being a dick, since they do have a "do no evil" policy. I hate M$ as much as the next /. reader, but we do have to support windows. We don't put our non-technical friends and family on Linux (still waiting for the year of the Linux desktop). Cut us sysadmins some slack already. @$$.

Re:Seriously, (1)

Anonymous Coward | about a year ago | (#43908599)

We don't put our non-technical friends and family on Linux

Speak for yourself. My non-technical wife asked me to install Kubuntu when Vista came out.

Re: Seriously, (2)

jaminJay (1198469) | about a year ago | (#43908705)

Agree. The level of computer support I provide family members does not vary between Linux, Mac, Windows, Android, iOS, etc. This is a tired trope that needs to die.

Re:Seriously, (0)

LVSlushdat (854194) | about a year ago | (#43908713)

Yeah Speak for yourself... most of my non-techy friends I've put on Linux and they're happy as a clam...

Re:Seriously, (1, Interesting)

Anonymous Coward | about a year ago | (#43908723)

...but we do have to support windows. We don't put our non-technical friends and family on Linux...

No. No, we do not have to support windows. Windows is not designed for us. It is designed by MS, for MS, and to maximize profits for MS. Bug fixes (might/might not get fixed) are done by MS, for MS, and to maximize profits for MS. Changes to the OS are done by MS, for MS.... well, you get the picture.

Yes, we do put non-technical friends and family on Linux. I have switched about 17 friends and family over and don't find it any more work supporting them than when they were on windows. In fact, it is easier. Try it, it works.

Re:Seriously, (1, Redundant)

LordLimecat (1103839) | about a year ago | (#43908821)

He reported the bug back in May.

If I recall, the proper thing to do when there is neither a timeline nor a patch in a reasonable timeframe is to post the PoC to force the vendor to respond.

Re:Seriously, (1)

loufoque (1400831) | about a year ago | (#43908971)

Why do you care what OS your family uses? Why do you need to "support" it?
Every computer is their owner's responsibility.

Seriously! (1)

Anonymous Coward | about a year ago | (#43908625)

Is it news every time someone finds a security vulnerability?

When someone publishes a working exploit that provides privilege escalation for the world's most widely used operating system, it definitely is news.

I know this is Slashdot, but did you look at the vulnerability or exploit? It is an unpatched kernel exploit that will now wreak havoc on Windows users, the vast majority of the world by a long shot, as malware writers incorporate it into their malware. Now, previously secure (relatively) systems that had UAC enabled will be just as vulnerable to drive-by installs as 2000 and XP were.

Re:Seriously, (1)

Anonymous Coward | about a year ago | (#43908725)

It's news when the guy who finds it is being a total asshole. (not only to MS but to all people who use their system).

Re:Seriously, (0)

Anonymous Coward | about a year ago | (#43908837)

by Black Parrot ( 19622 )

Is it news every time someone finds a security vulnerability?

Dude, your user id is low enough that you must by now realize that this site has been doing this for well over a decade. If you don't like hearing about security vulnerabilities, then get off my damn lawn and go somewhere else...

/ct

Who cares. (2, Insightful)

gr8_phk (621180) | about a year ago | (#43908539)

Seriously. I think it was a comic strip (possibly xkcd) that pointed out that an exploit that had user level privileges could impersonate someone on web sites, do money transfers at their banks, etc... While a system level exploit would allow it to install drivers. Whohooo!

Oblig (0)

SrLnclt (870345) | about a year ago | (#43908603)

I believe this would be the one [xkcd.com].

Re:Who cares. (5, Insightful)

khasim (1285) | about a year ago | (#43908667)

That is correct for home users.

But for corporate users, a system level exploit allows things like installing sniffers and key loggers so that more passwords can be collected. Including the admin/root passwords.

Which can be used against the computers in the Accounting department to transfer money from the corporate accounts to "money mules".

Re:Who cares. (1)

Richy_T (111409) | about a year ago | (#43908773)

Let's not forget multi-user systems too. If you're really paranoid, you can keep one account for the important stuff and one for general day-to-day crap.

Re:Who cares. (3, Informative)

AmiMoJo (196126) | about a year ago | (#43908737)

No, user level programs can't generally do that. Since Vista user privileges don't give access to other apps' data or any system files. There is no easy way to steal credentials out of a browser or read email or anything like that.

That is why viruses often try to trick the user into granting them admin level permissions via a UAC warning prompt. In this case a way has been found to take those permissions without a prompt, giving the user a false sense of security and not alerting them to potentially dangerous behaviour.

As for drivers even a kernel level exploit usually won't be able to install them these days. Drivers need to be signed before Windows will allow them to be installed. On Windows 7 you can install unsigned code after the user gives permission, but Windows 8 flat out refuses to install unsigned binaries as drivers.

Re:Who cares. (2)

GoogleShill (2732413) | about a year ago | (#43908921)

That is why viruses often try to trick the user into granting them admin level permissions via a UAC warning prompt. In this case a way has been found to take those permissions without a prompt, giving the user a false sense of security and not alerting them to potentially dangerous behaviour.

You described a trojan. Viruses exploit a vulnerability to install themselves and spread.

As for drivers even a kernel level exploit usually won't be able to install them these days. Drivers need to be signed before Windows will allow them to be installed. On Windows 7 you can install unsigned code after the user gives permission, but Windows 8 flat out refuses to install unsigned binaries as drivers.

I haven't written shellcode for Windows since XP (I work on the defensive side of security now), but I do suspect you are not correct here. If you can get your shellcode to execute in kernel space, it can do anything. You could read a driver file from the network, copy it into kernel space and execute it, completely bypassing the signature check. You could also disable the signed-driver requirement so that a rootkit is loaded on every boot.

Here's another way to look at it: This exploit effectively bypasses the driver loading mechanism, loading code into kernel space. That code could be a keylogger, or a USB camera driver.

Re:Who cares. (2)

oGMo (379) | about a year ago | (#43908749)

The comic (as previously posted) was amusing and also wrong; a user-level exploit might be able to get you those things, if credentials aren't encrypted. Browser exploit can probably scrape your pages or similar, which is of course bad. However, a system-level exploit can do all this and more:

  • All of the above, plus for every user on a multi-user system
  • Read your keystrokes, and thus get passwords without decryption
  • Read directly from memory, therefore also bypassing the need for decryption, and accessing even more sensitive information unaided (GPG/SSH/SSL/etc unencrypted, etc)

Such exploits may be less bad for you, but would be considerably worse for any of the large services you rely on, potentially exposing the entire userbase.

This may be somewhat theoretical, but only because most people generally have enough sense to patch system-level exploits quickly. Most apparently not including Microsoft.

Re:Who cares. (2)

EvanED (569694) | about a year ago | (#43909001)

Read your keystrokes, and thus get passwords without decryption

I'm not sure, but this may already be possible (for the current user) now, without root.

Even if it's not in general, you could still do something like install a browser extension for the user that does it while they're in the browser. (At least for Firefox; not sure if Chrome extensions are powerful enough to do that.)

Read directly from memory, therefore also bypassing the need for decryption, and accessing even more sensitive information unaided (GPG/SSH/SSL/etc unencrypted, etc)

On most Linux systems, this is also possible without root. (I did recently discover that you can't use GDB under the default configuration on Ubuntu as non-root users can't ptrace by default, so on that system it'd likely be protected.)

I don't want to discount the threat of a privilege escalation bug, but if I had to say the relative threats for a single-user system, I'd guess that probably 90% of the danger of a vulnerability doesn't need root.

Re:Who cares. (2)

Apathist (741707) | about a year ago | (#43908801)

It's sweet and all that you think paraphrasing xkcd shows that you have some kind of deeper insight, but you're clearly missing the point. A kernel mode exploit can do all the things that a user mode exploit can do, as well as install nasty malware like keyloggers, or worse... which in turn (likely) allows everything that physical access to the machine would have granted anyway.

So who cares? Me, and everyone even remotely versed in security.

Re:Who cares. (1)

LordLimecat (1103839) | about a year ago | (#43908833)

Generally user-land viruses will be immediately picked up by antivirus, while a kernel-level exploit can install undetectable keylogger drivers.

huge conflict of interest (5, Insightful)

Bugler412 (2610815) | about a year ago | (#43908547)

If he was an independent researcher doing this it might be one thing, but in this case he's not revealing the vulnerability based on full disclosure principles, he's doing it to give his employer's largest competitor a black eye. Motives matter.

Re:huge conflict of interest (5, Insightful)

Nimey (114278) | about a year ago | (#43908585)

You don't know his motivations, you're making an assumption.

Re:huge conflict of interest (5, Insightful)

Barlo_Mung_42 (411228) | about a year ago | (#43908875)

I'm curious if he also publicly discloses any Android/Chrome related vulnerabilities he finds without first talking to his employer.

Re:huge conflict of interest (4, Interesting)

Hatta (162192) | about a year ago | (#43908635)

Why does it matter? Full disclosure is the only responsible choice. That doesn't change no matter who your employer is.

Re:huge conflict of interest (1, Insightful)

Adult film producer (866485) | about a year ago | (#43908791)

Full disclosure to the public is responsible behavior? Hardly.

Re:huge conflict of interest (2, Insightful)

Hatta (162192) | about a year ago | (#43908993)

Absolutely. Immediate disclosure to the public means that they can immediately take measures to reduce their risk. If you tell me that there's a bug in a package I use, I can stop using the package. If you tell the vendor that there's a bug in a package I use, I can't do anything to protect myself.

Re:huge conflict of interest (2)

Nerdfest (867930) | about a year ago | (#43908845)

I also don't see him posting that he is doing this as a Google employee or really, that he is related to them in any way. It's an interesting fact, but not necessarily relevant.

Re:huge conflict of interest (0)

Anonymous Coward | about a year ago | (#43908851)

I will believe that when I see him publicly disclosing Google vulnerabilities before Google has had a chance to look at them. He obviously has a huge conflict of interest in his motives and actions which is what makes him a douche.

Re:huge conflict of interest (1)

istartedi (132515) | about a year ago | (#43908951)

IMHO, full disclosure after a reasonable period of private disclosure is the responsible choice. Such a policy should be applied uniformly to all vendors regardless of relationship; although I suppose you could argue that if there's a partnership then it's quasi-internal. You might even be bound to nondisclosure by the partnership agreement.

Anyway, I digress. By keeping it private for a fixed time and then disclosing, you give the subject time to fix it before an exploit gets produced and you give them a motivation to fix it in a timely manner. That seems like the best compromise to me.

Re:huge conflict of interest (1)

Hatta (162192) | about a year ago | (#43908983)

IMHO, full disclosure after a reasonable period of private disclosure is the responsible choice.

Why give an attacker a window of time in which he can use his exploit freely? Inform the public immediately, and they can stop using the software, or decide if it's worth the risk.

you give the subject time to fix it before an exploit gets produced

Why do you assume an exploit does not already exist? If you can find it, an attacker can find it too. The prudent assumption is that any bug that can be exploited is being exploited.

Re:huge conflict of interest (0)

Anonymous Coward | about a year ago | (#43908665)

Microsoft lost all credibility in that matter when they introduced the patchday. Like bugs are waiting for approval from the great Ballmer himself. They've proven again and again that they prefer to discuss if a bug is exploitable rather than fucking fixing them. No mercy. The real bad guys also don't have any.

Re:huge conflict of interest (1)

anthony_greer (2623521) | about a year ago | (#43908781)

MS does out of cycle updates for critical issues like this...Please be informed before shooting off your mouth...

Re:huge conflict of interest (0)

Anonymous Coward | about a year ago | (#43908891)

Yeah, they SOMETIMES do, if something like THIS happens - never ever if it goes THEIR way, have you ever read their "responsible disclosure" rules?? It boils down to "report to us and then shut the fuck up, we can take up to 90 days to RESPOND", let alone actually fixing it. I've been down that road with them before, they won't listen to reason...

Re:huge conflict of interest (1)

Anonymous Coward | about a year ago | (#43908857)

his employer's largest competitor

Google isn't a software company.
They don't sell operating systems, or office productivity software.

Target Microsoft (5, Interesting)

mrbluejello (189775) | about a year ago | (#43908549)

If it hadn't been Microsoft, Google may have been a bit more responsible about this, but since it makes their competitor look bad, time to forget about "do no evil".

Re:Target Microsoft (5, Funny)

chuckinator (2409512) | about a year ago | (#43908573)

"Do no evil" means "don't get caught doing something that will put handcuffs on our executives." Get your definitions straight.

Re:Target Microsoft (0)

Anonymous Coward | about a year ago | (#43908647)

I think you are partly right, now that Google has grown big. However, I think the *real* meaning is in the premise of the motto:

"Everybody else is evil."

Re: Target Microsoft (1)

jaminJay (1198469) | about a year ago | (#43908753)

According to the Jargon File, it implies that you won't design software that no-one wants to use. Instead, you design software that everyone wants to use and then Spring Clean it away!

Re:Target Microsoft (1)

Anonymous Coward | about a year ago | (#43908869)

There is nothing in the universe that will "put handcuffs on ... executives", at least not executives in the U.S. They are above the law, after all, they pay to have them written, published, and passed.

Re:Target Microsoft (1)

Hatta (162192) | about a year ago | (#43908659)

You cannot be more responsible than full disclosure. The responsible thing to do when you find a bug is to inform those who are at risk from the bug. Any delay leaves those people at risk unnecessarily, and is irresponsible.

Re:Target Microsoft (0)

Anonymous Coward | about a year ago | (#43908815)

The responsible thing to do when you find a bug is to inform those who are capable of fixing it.

Re:Target Microsoft (1)

Hatta (162192) | about a year ago | (#43908929)

No, the responsible thing to do is to inform those who are at risk because of the bug. They are the party that needs to know first, because they will suffer the harm.

Re:Target Microsoft (0)

Anonymous Coward | about a year ago | (#43908835)

Yeah. This is actually the salient point: locally running executable code on Windows has root access. Do not run untrusted code on Windows (full stop). This doesn't put anyone at additional risk; the bad guys probably already knew about this crap.

Re:Target Microsoft (2)

Sponge Bath (413667) | about a year ago | (#43908853)

...forget about "do no evil".

Google is still better than AT&T, whose motto is "Now I am become Death, the destroyer of worlds." Executive bonus recovery fee tagged to your wireless bill: $0.96

only way to get it fixed (2, Insightful)

danbuter (2019760) | about a year ago | (#43908555)

I'm betting this is the only way to get MS to fix the problem in a timely fashion. If it's in the wild, they HAVE to fix it, and fast. Guys had to do this with Apple, as well, because they never fixed any bugs unless absolutely forced to.

Re:only way to get it fixed (2)

Howitzer86 (964585) | about a year ago | (#43908577)

Microsoft is actually pretty good about timely patches.

Re:only way to get it fixed (1, Insightful)

techno-vampire (666512) | about a year ago | (#43908657)

Yes, if you call releasing all patches at the same time, once a month, "timely." Personally, I'd like to get patches as soon as they're ready, especially security patches. That's one of the many reasons why I use Linux, not Windows.

Re:only way to get it fixed (0)

Anonymous Coward | about a year ago | (#43908783)

Yeah, a software company that serves billions of PCs run by millions of individuals and organizations should release patches in a haphazard as completed way, and not try and organize releases to make people/admin lives easier. This would be optimal.

Re:only way to get it fixed (0)

techno-vampire (666512) | about a year ago | (#43908867)

I use Fedora Linux. Every morning I have my desktop check for updates. Some days there are a large number of them, some days just a few, some days none. Most people who use Fedora probably don't check more than once a week, but the point is that updates and patches are placed in the repositories as soon as they're ready, instead of being held back until the next Patch Tuesday. I don't know about you, but I'd rather not have to wait the best part of a month for a security patch that came out just too late for the monthly update.

Re:only way to get it fixed (0)

Anonymous Coward | about a year ago | (#43908923)

Do you want security patches before they test that there aren't similar holes in nearby parts of the code?

Full disclosure and open/closed source (5, Interesting)

intermodal (534361) | about a year ago | (#43908575)

The irony of the difference between closed source and open source is that while Ormandy has posted an exploit to this Windows bug, in the open-source world he potentially could have posted a fix too, considering he's the one who seems to understand the bug itself the best...

Re:Full disclosure and open/closed source (-1)

Anonymous Coward | about a year ago | (#43908811)

Not sure wtf you're talking about here, bro. How can one operating in the open-source community be expected to produce a fix for a closed-source bug? He did what he did in order to present the bug to the community that he felt would serve the overall problem best. Maybe he should have sent MS a report, and then submit to the rest of us, not sure, and your moral compass will have to do in your situation.

Also as others have pointed out, having admin rights has very little to do with exploiting the user's data, which is what it's all about these days.

Re:Full disclosure and open/closed source (0)

Anonymous Coward | about a year ago | (#43908827)

not sure you read the post, bro.

Re:Full disclosure and open/closed source (1)

Anonymous Coward | about a year ago | (#43908905)

and still would not have made a difference. Potentially posting a fix to open source software does not imply end users having patched binaries on their machine the next day. The only difference between open and closed source is to potentially see the fix being applied.

Making an exploit public without notifying the owner reeks of fishing for publicity. The unsung heroes are the ones serving the public best - report to the owner, have them fix it and feel fuzzy inside.

'administrative privileges' at home (0)

Anonymous Coward | about a year ago | (#43908581)

You could assume that administrators using Windows in business don't let their users run with administrative privileges, but outside of those environments, what home user doesn't run with administrative privileges?

I have to admit I haven't used Windows in a while, so maybe I'm wrong and computers with Windows 7/8 do not come from BIG_BOX_STORE with users already set up with administrative privileges.

Re:'administrative privileges' at home (0)

Anonymous Coward | about a year ago | (#43908637)

They have a false "Administrator" account that is really just a user-level account with a few extra privileges. It takes some extra digging (and/or guides) to get real administrative rights.

Re:'administrative privileges' at home (1)

t0y (700664) | about a year ago | (#43908693)

You mean a popup whenever you need it?

Just Desserts (2, Insightful)

Anonymous Coward | about a year ago | (#43908689)

Been a long time coming, but we finally don't have Microsoft pushing us around any longer.

Some of us with long memories see absolutely no issue with disclosing MS bugs on public forums.

It's like payback (0)

Anonymous Coward | about a year ago | (#43908699)

For UAC.

Re:It's like payback (0)

Anonymous Coward | about a year ago | (#43908927)

I love that people shit on Windows for not taking security seriously, and then when it finally decides to try to be a secure multiuser system with privilege separation, people try to call it out for that.

I want to tell Tavis Ormandy... (-1)

Anonymous Coward | about a year ago | (#43908711)

That he is a moron, a really really stupid person. No explanation required, we all know he is.

Re:I want to tell Tavis Ormandy... (1)

Agent ME (1411269) | about a year ago | (#43908955)

This just in: Windows is even hackable by really really stupid morons!

aiding and abetting 8 computer fraud and abuse act (5, Interesting)

anthony_greer (2623521) | about a year ago | (#43908721)

Can Google and/or this guy be prosecuted for this because releasing the working demo is basically aiding and abetting a criminal?

Re:aiding and abetting 8 computer fraud and abuse (1)

anthony_greer (2623521) | about a year ago | (#43908735)

subject should be 1896 fraud and abuse act - didn't proofread the subject - Do'H

Re:aiding and abetting 8 computer fraud and abuse (0)

Anonymous Coward | about a year ago | (#43908823)

Can Google and/or this guy be prosecuted for this because releasing the working demo is basically aiding and abetting a criminal?

How are you today, Mr. Ballmer.

Re:aiding and abetting 8 computer fraud and abuse (1)

jeffclay (1077679) | about a year ago | (#43908847)

He's no more aiding and abetting a hacker than a billy-club company is aiding a cop that beats you senseless.

If MS had done this to Google or Apple... (2)

anthony_greer (2623521) | about a year ago | (#43908865)

I guarantee every talking head on TV would be calling for the DoJ to look into it...

This is all about PR and image. Google and Apple are sexy, MS is big and boring, but arguably more critical to daily life (you have no idea how many devices and backend systems you use every day are on Windows).

Carriage return (1)

gatfirls (1315141) | about a year ago | (#43908977)

What is the exploit that makes the carriage return in posts on /. work?

Stay tuned for next week (0)

Anonymous Coward | about a year ago | (#43908987)

Whole host of Android vulnerabilities found by Microsoft researchers, published online immediately.
