Google Project Zero discloses high severity elevation of privilege flaw in Windo...
source link: https://www.neowin.net/news/google-project-zero-discloses-high-severity-elevation-of-privilege-flaw-in-windows
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.
They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
Apologies and quick correction: Stone said she doesn't think a "new" 90-day deadline should be applied, which means that she agrees with you (kind of). Added the word to the article, apologies once again!
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
We all know Mobius Enigma is a secret Microsoft employee. LOL
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
Their post doesn't seem like garbage... your attitude on the other hand...
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
We all know Mobius Enigma is a secret Microsoft employee. LOL
Nah, a real MS employee wouldn't be so blatantly obviously spewing BS...
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
We all know Mobius Enigma is a secret Microsoft employee. LOL
You would be surprised how wrong you are. :)
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
We all know Mobius Enigma is a secret Microsoft employee. LOL
Nah, a real MS employee wouldn't be so blatantly obviously spewing BS...
Well, BS? Not always. 
However, you are correct; it would be a massive legal nightmare for a Microsoft employee or partner employee to say what I say and have said over the years. Nothing beats financial and professional independence.
"Stone has stated that while she doesn't think that an incomplete fix deserves a 90-day deadline, this has still been followed as the default since Google's current policies do not cover this use-case. The Project Zero team plans to revisit its policies again next year, but has publicly disclosed the vulnerability with proof-of-concept code."
Why shouldn't it apply? Microsoft targetting november for a fix, now they say january, that's 2 months of slippage, something very wrong if your plan is out by 2 months and the excuse of 'covid' doesn't apply, people have been working from home since before june so those timeframes should already have been inclusive
In case you didn't see any news, MIcrosoft has been a bit busy fighting ransomware, malware, and high value target hacking.
The interesting thing about Google Project spanking this bee's nest, everyone in the world is on high alert, along with US and EU security and military dot i and crossing Ts.
If what this group at Google does leads to additional attacks, they could all end up in prison or whisked away to a secret 'interrogation' facility - let alone the ramification to Google itself and not just this team.They are stupid enough to 'think' they are doing good, based on an idiotic philosophy, but to be this STUPID to release exploit information at this time in US history is inviting problems they can't fathom. .
Your post is an inochorant post of nonsense. Yes, they can face face jail if they are in germany, but Ian Bears et al. are not in germany so no, your post is a fallacy
Your whole post is a load of garbage about US history which has no relevance what-so-ever. I am party to the BlueZ mailing list where yes, they raise issues about their own OS thank you very much
Well, it was an off the top of my head reaction, you know, like you find in forum areas on sites.
However, even in reflection, I don't disagree with anything I said, and it is a bit weird that you think there are legal criminal jurisdiction that would prevent the NSA or CIA from taking action against anyone.
Ever hear of a place called Iraq? Or should I list 20-30 places in the past 30 years that barely made the news.
I'm sure the goofs in Zero think they are untouchable as well, but I know for a fact, there are containment plans for 'white hat' groups like zero.
It is just silly to screw with 'crazy' countries, especially at a time when they are being yanked in several directions and highly sensitive to anything that could harm security or create economic fallback. Heck, if their 'bug report' happened to be used in a wide scale attack and caused a NASDAQ drop, Google would terminate the project in the blink of an eye.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
IMHO, Android is quite safe unless you are rooted. The main problem is when the end-user installs executables that they should not install. So, the main problem is caused by layer-8 (the user), then companies like Apple tries to restrict the users and their applications but it is a fool errand.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
While I'm not sure about this, couldn't it be that they do what they do with all the other companies: tell them about the flaw and give them 90 days to fix it before it gets disclosed publicly? It's just that Android teams work to fix the flaw within that 90 day period?
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
That is not correct...LOL. Google DISCLOSES vulnerabilities that have not been FIXED in 90 days and the same rules apply to Android. All kinds of vulnerabilities are not fixed by Android vendors that Google has disclosed. The reason for not being able to fix said vulnerability is not relevant. The public needs to be INFORMED of vulnerabilities in a timely matter because one has to assume the "bad guys" are also aware of the vulnerability and are actively exploiting it (which is happening in this case as stated in the article). Google follows a standard disclosure policy accepted by the overwhelming majority of cybersecurity experts.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
That is not correct...LOL. Google DISCLOSES vulnerabilities that have not been FIXED in 90 days and the same rules apply to Android. All kinds of vulnerabilities are not fixed by Android vendors that Google has disclosed. The reason for not being able to fix said vulnerability is not relevant. The public needs to be INFORMED of vulnerabilities in a timely matter because one has to assume the "bad guys" are also aware of the vulnerability and are actively exploiting it (which is happening in this case as stated in the article). Google follows a standard disclosure policy accepted by the overwhelming majority of cybersecurity experts.
Informing public? What would public do? The majority of users of OSes are laymen, not some tech expert. Announcing vulnerability publicly would obviously attract the attention of bad guys, laymen don't even know about such public disclosure, bad guys would surely misuse the loopholes after knowing them. Well, they just need to give the os makers the time to patch the vulnerability and after then they should make it public, finding vulnerability is not the problem, problem is announcing them before the maker could patch them. They should seriously consider changing their policies regarding this, especially in this case where MS was fixing other problems related to the vulnerability.
Edit: Android's history is very bad when it comes to such things. It's better they fix their own backyard 1st instead of pointing out to the rest. They have resources to do both things but they don't do.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
That is not correct...LOL. Google DISCLOSES vulnerabilities that have not been FIXED in 90 days and the same rules apply to Android. All kinds of vulnerabilities are not fixed by Android vendors that Google has disclosed. The reason for not being able to fix said vulnerability is not relevant. The public needs to be INFORMED of vulnerabilities in a timely matter because one has to assume the "bad guys" are also aware of the vulnerability and are actively exploiting it (which is happening in this case as stated in the article). Google follows a standard disclosure policy accepted by the overwhelming majority of cybersecurity experts.
Informing public? What would public do? The majority of users of OSes are laymen, not some tech expert. Announcing vulnerability publicly would obviously attract the attention of bad guys, laymen don't even know about such public disclosure, bad guys would surely misuse the loopholes after knowing them. Well, they just need to give the os makers the time to patch the vulnerability and after then they should make it public, finding vulnerability is not the problem, problem is announcing them before the maker could patch them. They should seriously consider changing their policies regarding this, especially in this case where MS was fixing other problems related to the vulnerability.
Edit: Android's history is very bad when it comes to such things. It's better they fix their own backyard 1st instead of pointing out to the rest. They have resources to do both things but they don't do.
Most of the public? Nothing but there is certainly a segment of it that can use that information aka any company that cares about it's IT security.
What don't you understand about that this vulnerability has already been exploited? Time's up! The only issue is that Microsoft has not properly patched it yet.
Google releases Android security updates monthly for their phones and makes the fixes available for any OEM to patch their phones. Google can't fix other vendor's phones. Sorry...
I can do this forever but we are done here... You obviously do not like Google so you will just continue to choose willful ignorance on this.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
IMHO, Android is quite safe unless you are rooted. The main problem is when the end-user installs executables that they should not install. So, the main problem is caused by layer-8 (the user), then companies like Apple tries to restrict the users and their applications but it is a fool errand.
That's like saying, "Your device is safe as long as you don't turn it on!"
Among the million problems with Android is that rooting an instance is too easy -- that's literally the basis for most security flaws/faults, anyway, including this one ("rooting" == "elevation of privilege flaw").
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
You know what I'm getting tired of hearing this ######ing one sided ######. This is complete nonsense, as said, I'm on PUBLIC OPEN SOURCE mailing lists where vulnerabilities THAT ARE USED IN GOOGLE SOFTWARE ARE DISCLOSED, BY THEMSELVES, way before fixes are implemented or distributed. Stop posting complete and utter FUD on subjects you know absolutely nothing about, it's getting very tiring and old
Literally, front page, first news post is about a vulnerability in android https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
That is not correct...LOL. Google DISCLOSES vulnerabilities that have not been FIXED in 90 days and the same rules apply to Android. All kinds of vulnerabilities are not fixed by Android vendors that Google has disclosed. The reason for not being able to fix said vulnerability is not relevant. The public needs to be INFORMED of vulnerabilities in a timely matter because one has to assume the "bad guys" are also aware of the vulnerability and are actively exploiting it (which is happening in this case as stated in the article). Google follows a standard disclosure policy accepted by the overwhelming majority of cybersecurity experts.
Informing public? What would public do? The majority of users of OSes are laymen, not some tech expert. Announcing vulnerability publicly would obviously attract the attention of bad guys, laymen don't even know about such public disclosure, bad guys would surely misuse the loopholes after knowing them. Well, they just need to give the os makers the time to patch the vulnerability and after then they should make it public, finding vulnerability is not the problem, problem is announcing them before the maker could patch them. They should seriously consider changing their policies regarding this, especially in this case where MS was fixing other problems related to the vulnerability.
Edit: Android's history is very bad when it comes to such things. It's better they fix their own backyard 1st instead of pointing out to the rest. They have resources to do both things but they don't do.
Most of the public? Nothing but there is certainly a segment of it that can use that information aka any company that cares about it's IT security.
What don't you understand about that this vulnerability has already been exploited? Time's up! The only issue is that Microsoft has not properly patched it yet.
Google releases Android security updates monthly for their phones and makes the fixes available for any OEM to patch their phones. Google can't fix other vendor's phones. Sorry...
I can do this forever but we are done here... You obviously do not like Google so you will just continue to choose willful ignorance on this.
I don't like Google? Lol, that's what you think. Well, okay.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
You know what I'm getting tired of hearing this ######ing one sided ######. This is complete nonsense, as said, I'm on PUBLIC OPEN SOURCE mailing lists where vulnerabilities THAT ARE USED IN GOOGLE SOFTWARE ARE DISCLOSED, BY THEMSELVES, way before fixes are implemented or distributed. Stop posting complete and utter FUD on subjects you know absolutely nothing about, it's getting very tiring and old
Literally, front page, first news post is about a vulnerability in android https://googleprojectzero.blog...s-hacker-tries-android.html
More reason to call out these people, no? Report bugs but making them public in era where whole 5th generation fighter planes are made using stolen data makes me wonder why disclose such vulnerability before patching. Especially when the maker is complying, patching and trying to solve additional problems. Such stupid policy of timeframe should be changed with some sensible alternative.
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
IMHO, Android is quite safe unless you are rooted. The main problem is when the end-user installs executables that they should not install. So, the main problem is caused by layer-8 (the user), then companies like Apple tries to restrict the users and their applications but it is a fool errand.
That's like saying, "Your device is safe as long as you don't turn it on!"
Among the million problems with Android is that rooting an instance is too easy -- that's literally the basis for most security flaws/faults, anyway, including this one ("rooting" == "elevation of privilege flaw").
There are many kinds of vulnerabilities but the are summarized in:
* Remote code execution
* Presentials, where the hackers need direct access to the device or the user needs to install some malicious file.
If the users decide to root its device then he must know what he is doing. Instead, if the user decides not to root, then he is still could be victims of phishing/malware.
So, root (if it is only done by the user) is not a vulnerability but a feature. To root a device lowe the vulnerability but the vector attack is the same with or without root.
As I said, security is not built upon layers, “Security is a chain; it’s only as secure as the weakest link.” Rooting a device is just a part of the chain but not the weakest.
For example, an android user could root his device and be free of malware, while another user (using an un-root device) could be plagued with malware, or his information could be leaked because he decided to install rogue applications.
https://www.forbes.com/sites/zakdoffman/2019/10/24/new-iphone-threat-these-17-malicious-apps-may-be-on-your-devicedelete-them-now/
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
Nothing about your comment is really correct... Google isn't able to force Microsoft to do anything. LOL Google does find and disclose Android vulnerabilities while offering fixes on a monthly basis for any Android OEM to use.
They don't disclose android vulnerability until they fix them. Here, they do this and exposing millions of users for potential risk. Especially when companies are ready to comply with the fix, here in this case, MS clearly stated that they found more issues with the vulnerability and will need more time to fix, still google made the vulnerability public.
You know what I'm getting tired of hearing this ######ing one sided ######. This is complete nonsense, as said, I'm on PUBLIC OPEN SOURCE mailing lists where vulnerabilities THAT ARE USED IN GOOGLE SOFTWARE ARE DISCLOSED, BY THEMSELVES, way before fixes are implemented or distributed. Stop posting complete and utter FUD on subjects you know absolutely nothing about, it's getting very tiring and old
Literally, front page, first news post is about a vulnerability in android https://googleprojectzero.blog...-hacker-tries-android.html" rel="external nofollow">https://googleprojectzero.blog...s-hacker-tries-android.html
More reason to call out these people, no? Report bugs but making them public in era where whole 5th generation fighter planes are made using stolen data makes me wonder why disclose such vulnerability before patching. Especially when the maker is complying, patching and trying to solve additional problems. Such stupid policy of timeframe should be changed with some sensible alternative.
That is the problem of companies, they've had ample time to fund these areas of growing concern. I was in a seminar room with the head of microsoft UK's security just over 10 years ago now with university students, he gave information on how microsoft was fighting bugs and security vulnerabilities, one of the students publicly asked him about an XSS system which, the head said words to the effect of it was unbeatable, the student then said "well I have defeated it" and for the rest of this seminar the speaker thinking he was all high and mighty belittled this student and told him he was wrong... Came to the end of the seminar so the student went on a PC and showed this person, this exact flaw in this 'unbeatable' system to which the speaker only then apologised.
This is not some free OS, I know a lot of people here say "we got windows 10 for free", well, great, good for you. Businesses, however, do not get windows 10 for free, it costs a damn lot, and for a huge flaw to be not patched properly and even that not for a long time isn't what you expect for commercial software. The problem is, and I can tell you this happens at a lot of companies, if they can get away with not fixing a problem, they will try to do exactly that, when you put in a timeframe like this, that's no longer an option. You can't then pretend the issue doesn't exist, you can't asking for more time then ignore it, you need to have a plan put in place to resolve that issue. Accountability
Google finding bugs in other OSes and forced the vendors to fix but android vendors. Good guy google.
IMHO, Android is quite safe unless you are rooted. The main problem is when the end-user installs executables that they should not install. So, the main problem is caused by layer-8 (the user), then companies like Apple tries to restrict the users and their applications but it is a fool errand.
That's like saying, "Your device is safe as long as you don't turn it on!"
Among the million problems with Android is that rooting an instance is too easy -- that's literally the basis for most security flaws/faults, anyway, including this one ("rooting" == "elevation of privilege flaw").
There are many kinds of vulnerabilities but the are summarized in:
* Remote code execution
* Presentials, where the hackers need direct access to the device or the user needs to install some malicious file.
If the users decide to root its device then he must know what he is doing. Instead, if the user decides not to root, then he is still could be victims of phishing/malware.So, root (if it is only done by the user) is not a vulnerability but a feature. To root a device lowe the vulnerability but the vector attack is the same with or without root.
As I said, security is not built upon layers, “Security is a chain; it’s only as secure as the weakest link.” Rooting a device is just a part of the chain but not the weakest.
For example, an android user could root his device and be free of malware, while another user (using an un-root device) could be plagued with malware, or his information could be leaked because he decided to install rogue applications.
https://www.forbes.com/sites/z...your-devicedelete-them-now/
And there could even be a third user who hasn't rooted their phone, who hasn't installed any dodgy apps, but the phone they bought has malware at the system level, which has been seen before. Yes, it's always the weakest link
Google project zero has been doing amazing job finding vulnerabilities in every single OS out there.
I wonder what do they benefit from doing such costly job? especially if they are helping competitors such as Microsoft, Apple...etc
Google project zero has been doing amazing job finding vulnerabilities in every single OS out there.
I wonder what do they benefit from doing such costly job? especially if they are helping competitors such as Microsoft, Apple...etc
What they benefit is timing things like to happen when they do. It's not the first time they've scheduled something like this to occur on Christmas Eve IIRC.
There's no helping out competitors going on here, it's just dirty business as usual.
Google project zero has been doing amazing job finding vulnerabilities in every single OS out there.
I wonder what do they benefit from doing such costly job? especially if they are helping competitors such as Microsoft, Apple...etc
Well, Google uses a lot of the software/hardware themselves they are reporting on.
Google project zero has been doing amazing job finding vulnerabilities in every single OS out there.
I wonder what do they benefit from doing such costly job? especially if they are helping competitors such as Microsoft, Apple...etc
It's essentially a PR firm that pumps out bad news for non-Alphabet companies/competitors. This creates public perception problems for these other companies -- which, in an ego-stroking sorta way, gratifies Google to know they're inflicting harm on everybody else (power trip).
The "help" is the lipstick they're selling, but their motives are clear (hurt competition more than you help them).
Google project zero has been doing amazing job finding vulnerabilities in every single OS out there.
I wonder what do they benefit from doing such costly job? especially if they are helping competitors such as Microsoft, Apple...etc
It does help them. Google might have android, but they have apps on other OS's, and if there was some flaw discovered on another OS that compromised the security of e.g. google accounts, that would look and be very bad for the company. So yes, this does help them, even with other OS's which are competitors to their own OS.
Just a question to you all. Who pays the checks for Google Project Zero employees? Let me just say that I am old enough to not believe anymore in human holiness. Project Zero is a good idea and should inspire players to behave well but the referee should never be remotely suspected of being biased. As it stands now it is like a referee entering on the field wearing the shirt of one team.
Google's game of chicken is going to back fire on them at some point.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK