Google exposes Windows 11 security flaw after Microsoft fails to patch it

 (neowin.net)

26 points | by UsamaJawad96 6 hours ago

7 comments

  • q3k 3 hours ago
    Here's the actual issue with technical details instead of useless blogspam: https://project-zero.issues.chromium.org/issues/437291456
  • steve1977 1 hour ago
    Microsoft, why don't you simply use Copilot to fix the vulnerability?
  • nwellnhof 4 hours ago
    It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on a unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
    [-]
    • naian 2 hours ago
      What is not sustainable is that someone decides to sit on a security bug for any reason. If someone doesn't want to or can't fix a security bug it should be made public so someone else can step in or, at least, so users (be it end users or software projects that use a library) can look for mitigation or alternatives.
    • philipallstar 4 hours ago
      The linked conversation looked pretty civil - looks as though you decided to step down, which is entirely reasonable, but I don't see anything forcing you or imposing anything on you.
      [-]
      • ThunderSizzle 3 hours ago
        Civil, but unreasonable. An unpaid maintainer of a free library isn't a vendor, and shouldn't be treated in any such way. A vendor is paid.
        [-]
        • UncleMeat 1 hour ago
          They aren't demanding anything of you. The alternative is immediate disclosure of bugs, not indefinite embargo of bugs.
        • concinds 2 hours ago
          This isn't the same as bigcorps offloading their compliance costs to open-source ""vendors"". No one's obligated to do anything. The disclosure window is meant to address a tradeoff between giving the dev a chance to fix it, and minimizing users' risk until patch issuance. But if the dev can't fix it, the risk tradeoff shifts and you do have a duty to make it public for users' sake. You can't take it for granted that you're the first one and only one to have found that vulnerability.
    • transpute 4 hours ago
      What do you think of https://bughunters.google.com/open-source-security/patch-rew...?
  • twelvechess 4 hours ago
    It seems lately every piece of software is getting more and more vulnerabilities, failures, crashes. Microsoft products are exceptionally high in the list.
    [-]
    • hsbauauvhabzb 3 hours ago
      More people are looking. Microsoft products have been large attack surface, poorly coded and heavily researched for a very long time.
  • nly 4 hours ago
    I don't understand why they wouldn't give a pre-release patch to the bug reporter (especially if it's someone like Google) for them to analyse before doing a final release.

    If they were actively working with Project Zero instead of being seemingly silent, this wouldn't happen

    This is where FOSS is still winning and will always win. Fixed happen in the open and bad fixes can be called out

    [-]
    • hsbauauvhabzb 3 hours ago
      I’m not sure why you think it’s the researchers responsibility to verify patches. It would be nice, especially if they’re knowledgeable in the code, but Microsoft have the resources to put someone else in that position too.
      [-]
      • nly 3 hours ago
        The researchers in this case literally checked the patch after release. It costs nothing to send them a pre-release and ask the question
  • hsbauauvhabzb 3 hours ago
    What’s the expectation for responsible disclosure when it comes to ineffective patches? Does that normally reset the counter to 90 days, or only if the patch was reasonable and in good faith?