Google yet again exposes a Windows 0day vulnerability, and Microsoft is not happy

2016-11-05T00:00:00
ID MYHACK58:62201680905
Type myhack58
Reporter Anonymous
Modified 2016-11-05T00:00:00

Description

Google has once again publicly disclosed a Windows 0day vulnerability. The vulnerability affects all current Windows operating systems, and Microsoft has not yet had time to fix it.

According to a blog post published by the Google team, the vulnerability is a local privilege escalation vulnerability that allows attackers to escape the sandbox, obtain administrator privileges and execute malicious code. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. In fact, Google had already reported this vulnerability to Microsoft 10 days earlier. Since it had already been submitted to Microsoft, why did Google make it public just a few days later?

The vulnerability was already being exploited

“On Friday, October 21, we reported two previously unpublished 0day vulnerabilities to Adobe and Microsoft, respectively. Adobe updated Flash on October 26, fixing the CVE-2016-7855 vulnerability; the update is available through Adobe Updater and Chrome's automatic update.”

After 7 days, the Google team found that the high-risk vulnerability it had reported still existed in Windows, and that Microsoft had not released any security bulletin or patch. At the same time, the Google team found that the vulnerability was being actively exploited: the Russian APT hacking group Strontium, also known as Fancy Bear, is exploiting it to carry out “small-scale” attacks. This group is also the prime suspect in the hack of the United States Democratic National Committee (DNC). Microsoft has confirmed this information as well. Google therefore considers this vulnerability particularly serious.
So the Google team disclosed the vulnerability. The move is in line with the vulnerability disclosure policy that Google set out in 2013:

We recommend that vendors fix high-risk vulnerabilities within 60 days; if a vulnerability is not fixed, the vendor should still inform the public of the risk and provide workarounds. If vendors need more time to fix vulnerabilities, we encourage researchers to publish their relevant findings. However, based on our experience, we believe that for high-risk vulnerabilities that are being actively exploited, the vendor should take more urgent action within 7 days. A 7-day deadline is tight, and for some vendors 7 days may be too short to update a product. However, 7 days is enough for a vendor to publish possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. Therefore, if after 7 days the vendor has provided neither a patch nor advice, we will support researchers in disclosing details so that users can take protective measures.

The Google team believes that disclosing vulnerabilities has two major benefits: 1. It lets users at least know that the problem exists; 2. It can push developers to release patches.

This is not the first time Google has done this

Google engineers are particularly good at finding vulnerabilities in Microsoft software. In June 2010, a Google engineer found a high-risk Windows vulnerability and gave Microsoft only 5 days to respond; after 5 days, the engineer posted the vulnerability details on the Internet, including sample attack code. The last time, in January, Google Project Zero submitted vulnerability information to Microsoft and gave Microsoft a 90-day period to fix it, but Microsoft did not fix it within that period, so Google disclosed the vulnerability details.
FreeBuf also reported on that incident. At the time, Microsoft Senior Director Chris Betz called out to Google: “We asked Google to work with us and wait until we release the patch on January 13 before publishing the vulnerability details, in order to protect customers.” He believed that Google's rigid enforcement of its 90-day deadline looked less like sticking to principle and more like a routine, and that in the end it is customers who get hurt. “What Google thinks is right is not necessarily right for the customer. We urge Google to make protecting customers our primary common goal.” After these remarks, Google reconsidered Project Zero and modified its disclosure rules, adding a further grace period of 14 days on top of the original 90 days.

Microsoft: not happy

Microsoft is certainly not happy about this disclosure, and accuses Google of misleading Internet users and confusing the facts. Microsoft first responded in a statement:

“We believe that vulnerability disclosure should be coordinated. Google's disclosure of the vulnerability puts customers at risk.”

Microsoft then officially released a security bulletin about the attacks on November 1:

“Recently, the activity group that Microsoft Threat Intelligence calls Strontium launched a low-volume spear-phishing campaign. We have learned that users of Microsoft Edge on the Windows 10 Anniversary Update are not affected by this attack. The attack, first discovered by Google's Threat Analysis Group, used two 0day vulnerabilities, in Adobe Flash and in the underlying Windows kernel, against specific groups of customers.”

A Microsoft spokesperson also said that not all Windows versions are affected:

“Google describes this local privilege escalation vulnerability as ‘high-risk’ and ‘particularly serious’; we do not agree, because the attack scenario they describe has been fully mitigated since last week's Adobe Flash update was deployed. In addition, our analysts believe that this attack does not work against the Windows 10 Anniversary Update, because of the security hardening we had previously made to the system.”

Terry Myerson, Executive Vice President of Windows, called Google's actions “disappointing.” Myerson believes that the spear-phishing attacks the Strontium hacker group launched using the vulnerability Google reported are very limited, so most Windows users are not being targeted and Google did not need to be in such a hurry to disclose the vulnerability. Myerson said that Microsoft will release a patch fixing this vulnerability next Tuesday, which is Patch Tuesday. Myerson also recommended that, while waiting for the patch, users first upgrade their systems to Windows 10 so as not to be subject to further attacks.