Posts Tagged ‘Project Zero’

Project Zero hits MS again!

Written by Randy on . Posted in Microsoft, Randy's Blog, Security, Tech, Tech Tip

Microsoft is upset that yet again Google has disclosed a flaw in Windows 8.1 that was (at the time of disclosure) still unpatched.  Google did give MS proper notification and a 90 day deadline to address the issue.  Microsoft is upset that Google didn’t extend its (set in stone) 90 day deadline to allow Microsoft to release the patch within its normal patch window on what’s called “Patch Tuesday”.  I agree with the cutoff myself.  Especially if you look at it like this:  Microsoft put out a product that has security issues in it, some of which have been there for years, undiscovered by Microsoft as it releases new versions of its OS.  New versions that often are still susceptible to the same flaws.  Many of these flaws are brought to Microsoft’s attention by ethical outside sources, including Google.  Unethical hackers may already know about these flaws and be using them for malicious purposes.  It’s reported that our own NSA knew about Heartbleed, the SSL flaw, for years and kept it silent in order to exploit it.

So the question remains.  How much time should a company have to patch a flaw from the time it is informed of it?  Each day a fix is delayed is another day the systems and data it protects can be exploited.  Security breaches, stolen data, pictures, passwords, credit card & financial info.  So the question is…  Is 90 days long enough, or is it too long?  Think of Sony, or iCloud, or any other data breach you’ve heard of in recent history.  Then think..  Should MS be upset about the flaws being disclosed, or should they really be apologizing for not fixing them sooner?  Read Network World’s take on it at the link below.

Google discloses another unpatched Windows flaw, irritates Microsoft | Network World.

Microsoft is slow to patch a vulnerability and Google lets us know.

Written by Randy on . Posted in Microsoft, Randy's Blog, Security, Tech

Microsoft was notified over 90 days ago about a vulnerability that would allow a user with local credentials to elevate their rights to those of an admin.  Google’s Project Zero policy is to give the vendor 90 days to fix the issue and then disclose it to the public, whether it has been fixed or not.

I approve of this practice.  90 days is ample time for a fix.  The more time a system is vulnerable the more likely someone will exploit it.

So what do you think?  Should Google continue the practice of disclosure after 90 days or just wait until the vendor fixes it regardless of how long that takes?

Google posts Windows 8.1 vulnerability before Microsoft can patch it.