Microsoft misses Google-found flaw in Patch Tuesday updates

Summary: Despite rolling out five security updates, Microsoft did not ship a patch for a publicly disclosed zero-day flaw in Windows. And it just so happened the flaw was found by its main rival in the business space.

Topics: Security, Microsoft

This month's Patch Tuesday saw five updates in total — one rated "critical" and four "important." But a key Windows vulnerability discovered weeks ago by a Google engineer still hasn't been patched.

Google information security engineer Tavis Ormandy found a bug affecting Windows 2000, Windows XP and later, including Windows Server 2003 and 2008, that lets a logged-on user elevate their privileges on the local machine.

He made the zero-day flaw public, citing Microsoft as being "often very difficult to work with," and "treat[ing] vulnerability researchers with great hostility."

The software giant said it was not aware of any attacks and had not issued an advisory confirming the flaw.

It's not the first time Ormandy has published his discoveries on disclosure lists after what he saw as sluggish responses by vendors. The same pattern played out in mid-2010 with a zero-day vulnerability in Windows Help & Support, and in the same year he disclosed a flaw in Java that Sun had not patched in what he considered adequate time.

Microsoft on Thursday confirmed the Google-discovered bug was not included in June's Patch Tuesday.

Microsoft Trustworthy Computing group manager Dustin Childs said in an emailed statement to ZDNet, "Microsoft carefully investigates newly discovered vulnerabilities and rigorously tests security updates on the affected operating systems and applications, and delivers solutions once they are ready."

Clear as mud, then. 

Talkback

21 comments
  • Adequate time...

    that is the point that needs to be settled here. What Ormandy thinks is reasonable or adequate might not be for the other companies. As he does not have access to their source code and does not have to worry about the in-depth testing scenarios that MS, among others, do, he probably has a very different idea of what reasonable is.

    Once he gives them the bug report, they have to replicate it on each platform and debug the code to find out where the problem is occurring, then they have to find a fix that works across all versions and platforms, then they have to test it on each variation of a platform, including with thousands of applications and utilities, to ensure that nothing got broken.

    Given the days of time I've had to invest in finding some obscure bugs, then the relatively short test scripts (only a couple of thousand test points to compare results on), I can see how the tests for something as complex as Windows or Java can take weeks, before a patch can be rolled out.

    I would also be interested in what he actually means by Microsoft being difficult to work with. Does he mean that they are belligerent and don't want to acknowledge errors, or are they saying it will take them 2 months to get it fully tested and rolled out, when he says he wants to go public in a week?

    At the end of the day, companies like MS and Sun have to do a risk assessment, do they rush out a fix in a couple of weeks, which solves the immediate problem, but due to lack of time to properly test it on all configurations, could leave tens of thousands of machines unable to boot, or certain applications stop working, or do they take the risk of rolling it out in 6 weeks, knowing it will work with all/most configurations and a handful of PCs might have been exploited?
    wright_is
    • Acknowledgement

      My understanding is the issue was really precipitated by MS refusing to acknowledge the bug and give any evidence of even studying it. If so, then the problem is not Ormandy but MS for basically telling him to get lost.
      Linux_Lurker
      • Linux_Lurker...Is it really possible

        that Microsoft would refuse to acknowledge the bug because it was discovered by Google? So where do you look for the correct answer first... in Google or Bing?
        Over and Out
    • Is this *ever* going to stop?

      Security flaw in Windows 2000 and above?
      If the red bead on my abacus were not sticking, I'd seriously consider using it.
      radu.m
    • in-depth testing scenarios that MS, among others, do "Hah"

      Microsoft only test their software after they release. That is why Microsoft has tons of severe security flaws. There seems to be an infinite number of bugs in MS software because MS does NOT test. Microsoft rushes to market with garbage which they force on you and fix it later. We all know this. Why do you think that Zero Day flaw is still there. I mean, how long does MS need. The bug was reported like six months ago.
      tjordanchat
      • Errrr....

        "tons of severe security flaws" - Ya. Show me details. Links please. Last I checked, Microsoft software [all combined] isn't that large. For example, in 2011 alone Google Chrome Browser had more vulnerabilities than all Microsoft products [see GFI web site].
        If anything, unlike some of the competition, Microsoft will actually test the updates to see if there are any application "breaking" or whether it solves the problem. Anyone who thinks that a software company can fix a problem today and rush it out the next day is really dumb.
        "The bug was reported like six months ago." According to whom [besides you]? Link please?
        Gisabun
    • @wright_is

      Excellent comment. A nice description of the realities of dealing with a massive body of software.
      Cmd_Line_Dino
    • it's hopeless

      The Windows source code is "complex" because it is a mess. The whole windows stuff is one giant patch of patches. No wonder nobody can maintain it, not even Microsoft.

      Instead of patching the thing for two decades, they could have spent the time to cleanly rewrite it.

      But then, who am I to tell mighty Microsoft how to write software.. And why should I even care? :)
      danbi
  • LOL what a joke

    of a software company Microsoft is!

    This attitude has not changed a bit over the last decade or more. Why would anyone want to use Windows while MS acts like children at a tea party over serious security flaws.

    It is no wonder the Chinese can waltz right in and steal any top secret documents they want when Windows desktops are so unprotected and MS has this attitude toward security. Time for all sensitive computing to be done on other operating systems.
    DancesWithTrolls
  • So all other software developers/companies are perfect

    ... like OSX, Android, Linux,... Microsoft at least have secure coding practices embedded in their processes.
    AndrewLMacaulay
    • I run Windows 7 Home Edition and Linux Mint

      Windows 7 *requires* an antivirus. Linux Mint doesn't. I run one in Linux anyway - ClamAV - because I interact with Windows users and want to be able to say the files I'm sending have been checked.
      Run Windows without an arsenal of security software and it will be minutes before you're infected. I've been running Linux Mint for years now (the AV is only for checking files for Windows users) and have never had anything close to an infection.

      I'm not a geek... I don't administrate networks or anything like that. So, I represent the bulk of PC users. GNU/Linux is just a safer environment *by OS design*. That's just the reality of it.
      Robynsveil
      • Windows 7 *requires* an antivirus.

        Weird. Mine doesn't. Are you sure you're not using a hacked copy?

        "Run Windows without an arsenal of security software and it will be minutes before you're infected"

        Assuming you go download a malware executable and then run it. I haven't even had the most inept of users install a virus within minutes, on any OS. If you find a user that does manage, show him where to find p*** sites with less malware.

        "I'm not a geek... I don't administrate networks or anything like that"

        The accuracy of your statements makes this very, very clear.
        Sacr
      • Hmmmm

        Since you dislike Microsoft, why are you using Windows?
        Windows doesn't require any AV. But you have people creating malware out there to attract novices who click on anything. This is not a Windows bug.
        Also, Windows has 85%+ of the OS market share. Linux? 1.2%? Malware writers will go after the most used OS - not least - to get what they want. You think there are no Linux malware out there? Heard of Snakso-A? Rexob? RELx? Kagob a?
        Gisabun
    • @AndrewLMacaulay

      Yours is a good comment.

      The flag votes against you are from the haters who don't like their biased, unsubstantiated claims contradicted by facts.
      Cmd_Line_Dino
  • Surprised.....

    This is a surprise?....this is MICROSOFT people!....they have been doing this for YEARS!.......DECADES!......this is the Number One reason I have ceased to use ANY MS products at home! I'm strictly a Linux user, and I'm happier for it. Yes, there are the old "arguments"....(you won't be able to watch "wmv's" or any other MS extension type file....you won't be able to use MS Office......you won't have the Internet Explorer web browser!) but I have found "replacements" that are above and beyond better! And I have an entire office suite (LibreOffice) that is about to come with its own version of "Project".....so when it comes to Microsoft and their "flawed" software with its constant patching?.....I'll pass!
    Knighthawk5193@...
    • And your point is?

      So what exactly are you reading a story about Windows when you don't like anything Microsoft?

      [OK, you can go back and compile your binaries again.]
      Gisabun
    • @Knighthawk5193

      Yeah we all missed you when you ceased using Microsoft.

      All the old "arguments" just happen to be true.

      If Linux is so wonderful why do you waste your time reading Microsoft themed articles?

      Is it that one can only read so many articles about Linux saying
      this is the release,
      this is the desktop,
      this is the year
      that at last John Q Consumer at least stops thinking Linux is a character in the Peanuts cartoon strip.

      Years ago I was deep in the OS/2 world. My firm was in partnership with IBM, MS, 3Com and Intel. OS/2 was technically superior and yet was crushed by Windows 3.1.

      OS/2 was better... users didn't care. Windows 3.1 did everything better for them even with its problems.

      I know what it's like to be involved with the 2nd class platform.

      Today Windows is fantastic. Fierce price competition on hardware and software.
      Or free software for every need.
      Every new thing has a windows version.
      The novice can easily use windows. The expert can make it a power tool.

      Linux is just never going to "happen" ... unless you want to count Android
      Cmd_Line_Dino
    • You hate constant patching

      yet you use a Linux distro that... and they patch more frequently than Windows.

      >_>

      All software is flawed, all software gets patches. Just use what gets your work done faster, more efficiently, and leave it at that.
      Michael Alan Goff
      • Michael Alan Goff....I like to think of patches as

        a form of improvement to the OS........it doesn't matter if it's Linux or Windows.

        I disagree with you that Linux has more patches than Windows, for this reason: you can't compare them equally unless you look at only Linux LTRs. You can't compare the Linux six-month release cycle to the average 3/4 year Windows release cycle and complain about the number of patches.

        I started with Mandrake 4.0 and have never had a single issue in Linux that I couldn't solve and on that same note I've never had a Windows problem that I couldn't solve either.

        Windows is Windows and Linux is Linux is Linux and who really cares what anyone else is using, except the fan boys on either side that post here on Zdnet.
        Over and Out
  • Ya. Right.

    Seems there are some who don't get the way things are released in the software development world. You develop something. you test it thoroughly. Test again. And then you release it.
    With a security issue, no company will acknowledge an issue until they have had a chance to prove that there is one.
    Ormandy likes to get his name in the headlines by finding the big vulnerabilities [wondering what he actually does at Google]. His snitching was released probably too late for Microsoft to do anything to be included in this week's patches. No company will find [or verify] a flaw, fix it and then release it a day later without verifying that the patch fixes the flaw but also doesn't cause any side effects. [Maybe if you are your own company you can do that, but one wonders how many flaws could be found].
    Like any software development company, they go through various steps in testing the patch as part of various requirements they need to follow [like CMM or ISO requirements, if applicable]. They may also need to follow certain federal government requirements as well.
    Gisabun