Monday, May 8th 2017

Google Project Zero Finds Windows Vulnerability, "Worst in Recent Memory"

Google's Project Zero has found yet another critical Windows vulnerability, this time going so far as to call it "Crazy Bad" in a lone tweet by Google security researcher Tavis Ormandy. Tavis went on to elaborate that the vulnerability "works against a default install, [you] don't need to be on the same LAN, and it's wormable."

Sounds like the stuff of nightmares from a security perspective, right? The good news is that Google's policy is to give companies 90 days to patch bugs like this before revealing the exploit's details. The idea is to pressure developers to fix vulnerabilities before the reveal, so users remain protected and companies are forced to act rather than adopt a "wait and see" approach. Microsoft, however, does not have the best follow-up reputation, having left at least two major security bugs unpatched for the entire 90-day disclosure window as recently as this year.
One would hope they are a little more expedient on this one, or we could see some massive computer software carnage, for lack of a better term.

UPDATE: This issue has been patched by Microsoft, and has been detailed to be a remote code execution vulnerability in Windows Defender. Needless to say, this is an update you don't want to miss. Microsoft should be praised for its rapid response here.

https://technet.microsoft.com/en-us/library/security/4022344

Credit for pointing this out goes to @acbluflame.

Source: twitter.com (Tavis Ormandy)

25 Comments on Google Project Zero Finds Windows Vulnerability, "Worst in Recent Memory"

#1
atomicus
I presume they do actually reveal what the problem is to the company in question, rather than say, "hey, you have a critical security flaw in your product, but we're not gonna tell ya what it is. You've got 90 days. Good luck!"
Posted on Reply
#2
alucasa
Like I've said so many times, the end is nigh.
Posted on Reply
#3
ZoneDymo
atomicus said:
I presume they do actually reveal what the problem is to the company in question, rather than say, "hey, you have a critical security flaw in your product, but we're not gonna tell ya what it is. You've got 90 days. Good luck!"
Yep, that's how it works: they inform the company about it and it's up to the company to spend time, effort and money to fix it.
Obviously a company does not want to spend time, effort and especially money, so yeah, to pressure them this flaw will be revealed to the world in 3 months.

And while I support this method because it sadly seems necessary, I find it interesting that there is no BS law or at least lawsuit against the practice of making the flaw public.
We have seen many ridiculous things being apparently against the law that handily protect humanity-destroying crap like lobbyists etc., so yeah, this being an exception is a welcome surprise, but a surprise nonetheless.
Posted on Reply
#4
Darmok N Jalad
I think them publicizing it should depend on the response from the owner of the code. If this issue is "crazy bad," it might also take time to patch and test, especially if the details are not very extensive. Then there's the whole publishing a bad exploit that puts users at more risk. Even if users aware of the issue could take preventative measures, how many millions of others would be totally unaware and exposed? And how soon could the nefarious exploit it versus a counter measure being discovered and implemented? Lastly, isn't google also a company that doesn't always respond to known issues in their own code?
Posted on Reply
#6
Manu_PT
It's funny because Google Chrome itself and Android are full of vulnerabilities :)
Posted on Reply
#7
R-T-B
atomicus said:
I presume they do actually reveal what the problem is to the company in question, rather than say, "hey, you have a critical security flaw in your product, but we're not gonna tell ya what it is. You've got 90 days. Good luck!"
Yes, they do.

acbluflame said:
MS has addressed this: https://technet.microsoft.com/en-us/library/security/4022344
This does not appear to be the same issue; its severity is far lower than this issue report. Unless I am missing something.

UPDATE: No, you are right. Thanks, I will update the opening post.

Manu_PT said:
It's funny because Google Chrome itself and Android are full of vulnerabilities :)
Really, all products are. Vulnerabilities of this grade are rare though. The last time the open source community had anything near this was the ShellShock incident.

alucasa said:
Like I've said so many times, the end is nigh.
The end is always nigh. As long as it stays "nigh" and not "now" I'm happy.
Posted on Reply
#8
eidairaman1
The Exiled Airman
Manu_PT said:
It's funny because Google Chrome itself and Android are full of vulnerabilities :)
2 words: Stage Fright
Posted on Reply
#9
Prima.Vera
Manu_PT said:
It's funny because Google Chrome itself and Android are full of vulnerabilities :)
It's so bad that most financial companies are denying installation of Chrome on the company's stations.
Mine included ;)
Posted on Reply
#10
natr0n
alucasa said:
Like I've said so many times, the end is thigh.
Posted on Reply
#11
DeathtoGnomes
natr0n said:

you're wrong! the thigh is in the middle no where near the end. :kookoo::twitch:
Posted on Reply
#12
Caring1
DeathtoGnomes said:
you're wrong! the thigh is in the middle no where near the end. :kookoo::twitch:
It's where we all like to finish. ;)
Posted on Reply
#13
Manu_PT
Prima.Vera said:
It's so bad that most financial companies are denying installation of Chrome on the company's stations.
Mine included ;)
I'm using SRWare Iron for some time now and for the first time in my life I'm considering buying an Apple product (iPhone), because Android malware got way out of control.
Posted on Reply
#14
Solidstate89
Prima.Vera said:
It's so bad that most financial companies are denying installation of Chrome on the company's stations.
Mine included ;)
But it's a statistically proven fact - at every Pwn2Own event - that Chrome is among the hardest, if not the hardest, browser to exploit. Followed usually by Edge or some other heavily sandboxed browser (so this excludes Firefox).

That literally makes no sense.
Posted on Reply
#15
Manu_PT
Apart from the lack of customization/extensions/plugins (which are a big deal if you ask me), Edge is already a much better browser than Chrome imo. Not to mention that Chrome is like an OS inside another OS. The thing is killing CPUs and RAM usage got beyond acceptable. You can almost max out 8 GB RAM with Windows 10 + Chrome with 10 tabs. My GPU is warmer on Chrome than in some games I play.
Posted on Reply
#16
eidairaman1
The Exiled Airman
Manu_PT said:
Apart from the lack of customization/extensions/plugins (which are a big deal if you ask me), Edge is already a much better browser than Chrome imo. Not to mention that Chrome is like an OS inside another OS. The thing is killing CPUs and RAM usage got beyond acceptable. You can almost max out 8 GB RAM with Windows 10 + Chrome with 10 tabs. My GPU is warmer on Chrome than in some games I play.
If you like that customization in phones, just update the Android to the latest for yours.
Posted on Reply
#17
Vayra86
Prima.Vera said:
It's so bad that most financial companies are denying installation of Chrome on the company's stations.
Mine included ;)
I work at a big name bank/insurance company and Chrome is the only browser besides IE11 right now that you can install, we even actively USE Chrome so we can test in a sandbox, and work in a sandbox, and 9 out of 10 times if we have service interruptions, accessing application through Chrome will show the most reliable results :P

So I would suggest you question the competence of your IT department over there before you question Chrome's security :D The risk factor in my line of work is way too high and Chrome's sandbox is actually a big improvement over IE11 in terms of managing that risk. Keep in mind that the main reason for IE is because legacy applications run on IE and *may* not run on other browsers because they weren't built for that. Also, remember that building for IE was always the main cause of stagnation for any intranet-based application in the workplace :) These days, companies want lean applications that can be browser independent.
Posted on Reply
#18
Jism
Manu_PT said:
Apart from the lack of customization/extensions/plugins (which are a big deal if you ask me), Edge is already a much better browser than Chrome imo. Not to mention that Chrome is like an OS inside another OS. The thing is killing CPUs and RAM usage got beyond acceptable. You can almost max out 8 GB RAM with Windows 10 + Chrome with 10 tabs. My GPU is warmer on Chrome than in some games I play.
Close Chrome fully once in a while; it will free up cache / used RAM. As for the GPU, Chrome is using hardware acceleration, which is normal.
Posted on Reply
#19
Shihabyooo
Darmok N Jalad said:
Then there's the whole publishing a bad exploit that puts users at more risk. Even if users aware of the issue could take preventative measures, how many millions of others would be totally unaware and exposed? And how soon could the nefarious exploit it versus a counter measure being discovered and implemented? Lastly, isn't google also a company that doesn't always respond to known issues in their own code?
Security through obscurity is bad, it's merely a delusion made up by lazy devs who can't be bothered being on call 24/7. Project Zero gives the software's developer up to three months to respond to issues before disclosing them in detail.


And as much as I am skeptical of this "Google is good" thing they keep repeating (or whatever they say), I don't recall an incident where Google refused or neglected to react to a severe issue with their products. The only two that come close are the [in]famous Android vulnerabilities, to which Google responded quickly enough but the issue remained because it was the OEMs' job to push the updates, and the Chrome memory and power consumption issues, which aren't security ones (and the former could be argued to be a system requirement).
Posted on Reply
#20
lexluthermiester
R-T-B said:
UPDATE: This issue has been patched by Microsoft, and has been detailed to be a remote code execution vulnerability in Windows Defender. Needless to say, this is an update you don't want to miss. Microsoft should be praised for its rapid response here.
So for those of us who don't use and remove [delete] Windows Defender, this was and is a non-issue.

Manu_PT said:
It's funny because Google Chrome itself and Android are full of vulnerabilities :)
Name ONE unpatched vulnerability in Android or Chrome. Just one..

With that challenge I'm calling BS. Google is nearly legendary for fixing security problems quickly. If you're going to try making funny quips, make sure they're backed by fact.

Manu_PT said:
I'm using SRWare Iron for some time now and for the first time in my life I'm considering buying an Apple product (iPhone), because Android malware got way out of control.
OORR, and I'm going to go out on a limb here, you could try to use your Android device for something OTHER than visiting "ishouldntbehere dot com". Perhaps a firewall is in order? Do you know what a firewall is and how to use it? And just FYI there bucko, iOS has vulnerabilities too. And Apple is just as swift at fixing them as Google.

Manu_PT said:
Apart from the lack of customization/extensions/plugins (which are a big deal if you ask me), Edge is already a much better browser than Chrome imo. Not to mention that Chrome is like an OS inside another OS. The thing is killing CPUs and RAM usage got beyond acceptable. You can almost max out 8 GB RAM with Windows 10 + Chrome with 10 tabs. My GPU is warmer on Chrome than in some games I play.
Again, either your computing ethic needs massive improvement, or you're on drugs. I'm a Firefox fan, but Chrome is easily its best competitor. While Edge is ok, it's not open source and therefore not trustworthy. And Chrome kicks Edge in the "jelly-beans" performance-wise. If you want to be taken seriously, you need to sound less like a fan-boy..
Posted on Reply
#21
Manu_PT
lexluthermiester said:
So for those of us who don't use and remove [delete] Windows Defender, this was and is a non-issue.


Name ONE unpatched vulnerability in Android or Chrome. Just one..

With that challenge I'm calling BS. Google is nearly legendary for fixing security problems quickly. If you're going to try making funny quips, make sure they're backed by fact.


OORR, and I'm going to go out on a limb here, you could try to use your Android device for something OTHER than visiting "ishouldntbehere dot com". Perhaps a firewall is in order? Do you know what a firewall is and how to use it? And just FYI there bucko, iOS has vulnerabilities too. And Apple is just as swift at fixing them as Google.


Again, either your computing ethic needs massive improvement, or you're on drugs. I'm a Firefox fan, but Chrome is easily its best competitor. While Edge is ok, it's not open source and therefore not trustworthy. And Chrome kicks Edge in the "jelly-beans" performance-wise. If you want to be taken seriously, you need to sound less like a fan-boy..
Sound like a fanboy? Do you even know what you're saying? I have used Android and Google Chrome for years. You are telling me that Android only gets malware if you visit websites that you shouldn't, so let me tell you that even on the Play Store you can download apps that contain malware, what about that? Android is the easiest OS ever, next to Windows XP, where it is so easy to remote control/view without you even knowing what's going on. I am an experienced user and I still had problems already with Android and that's why I don't keep any important information there, I don't trust it. From Facebook spam scripts to trojans, you can get anything in any app on the store. You never know, the quality control is awful and the breaches are huge.

As for Chrome, are you kidding me? How many extensions are full of worms and malware? Do you live in this world? And sure, if you don't install any you are safe. FML, if you don't use computers or phones at all you are safe.
Posted on Reply
#22
Manu_PT
Even a simple flashlight app:

Posted on Reply
#23
lexluthermiester
Manu_PT said:
Sound like a fanboy? Do you even know what you're saying?
Yes, and to that I'm going to add the following; clueless.
Manu_PT said:
I have used Android and Google Chrome for years.
Just because you've used something for years does not mean you are an expert in its functioning or use. Example: lots of people know how to drive, but not everyone can be a race driver. Just because you USE a software platform doesn't make you an expert on it. I code on Android and make part of my living securing it and all the other platforms that cross my path. While I don't profess to know everything, I know enough to recognize an average user trying to play expert. More on that below.
Manu_PT said:
You are telling me that Android only gets malware if you visit websites that you shouldn't, so let me tell you that even on the Play Store you can download apps that contain malware, what about that?
I never said "only". However my statements above were in reference to vulnerabilities in the OS and web browser. I made no reference to malware actively downloaded by the user. This is an example of you misunderstanding the context of the article and underlying discussion of it.
Manu_PT said:
Android is the easiest OS ever, next to Windows XP, where it is so easy to remote control/view without you even knowing what's going on.
Wow. Ok. If you say so..
Manu_PT said:
I am an experienced user and I still had problems already with Android and that's why I don't keep any important information there, I don't trust it.
"Experienced" does not equal "expert in security". And what you're really saying is that you do not have enough real experience pertaining to the context of this discussion.
Manu_PT said:
From Facebook spam scripts to trojans, you can get anything in any app on the store. You never know, the quality control is awful and the breaches are huge.
More evidence you do not understand the context of the article, nor this discussion.
Manu_PT said:
As for Chrome, are you kidding me? How many extensions are full of worms and malware? Do you live in this world? And sure, if you don't install any you are safe. FML, if you don't use computers or phones at all you are safe.
No, I'm quite serious. And again, just wow..
Manu_PT said:
Even a simple flashlight app
I challenged you to post a known unpatched vulnerability in Android or Chrome and you post a video about a malicious app.. Newsflash for you, this doesn't qualify.

So I'm going to redirect your question back to you. What planet are YOU on?
Posted on Reply
#24
Manu_PT
I showed you at least one clear recent example (from yesterday's news). What did you do? Quote every sentence and call other users "clueless" and "fanboys"? GG

Talking about fanboyism.....
Posted on Reply
#25
lexluthermiester
Manu_PT said:
I showed you at least one clear recent example (from yesterday's news).
Except that the "clear recent example" you posted does NOT demonstrate an unpatched vulnerability in either the Android OS or the Chrome browser. YOU failed to understand the above article, the challenge offered and thus failed to provide a qualifying and lucid response.
Manu_PT said:
What did you do?
Gee, I don't know.. What did I do?
Manu_PT said:
Quote every sentence and call other users "clueless" and "fanboys"? GG
Oh, ok.
Manu_PT said:
Talking about fanboyism.....
Yup, sure.

So, anything more you'd like to offer?
Posted on Reply