Google discloses Windows vulnerability just 10 days after reporting it to MSFT(venturebeat.com)
venturebeat.com
Google discloses Windows vulnerability just 10 days after reporting it to MSFT
http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/
5 comments
Exactly. If it's already out in the wild, being used, it's critical. venturebeat/microsoft have no idea what they are complaining about. users are already at risc and the vendor has to publish at least some sort of advice.
The explanation of this policy is https://security.googleblog.com/2013/05/disclosure-timeline-...
I believe Microsoft should have recommended a short term recommendation to mitigate this risk until a patch is available. Such as "Don't connect to the internet...", but instead they recommended to use Windows 10, which does not help at all. Windows 10 is actively exploited this way.
The explanation of this policy is https://security.googleblog.com/2013/05/disclosure-timeline-...
I believe Microsoft should have recommended a short term recommendation to mitigate this risk until a patch is available. Such as "Don't connect to the internet...", but instead they recommended to use Windows 10, which does not help at all. Windows 10 is actively exploited this way.
I think the notion in the article that it's the same or even worse this time because the exploit already is found to be exploited in the wild kind of strange. Isn't it far worse to disclose an unknown 0-day publicly then disclosing something that gets exploited already anyway?
That depends. Some vulnerabilities aren't easy or worth the hassle to exploit. If this one is being exploited by someone already, you're letting attackers know that it's worth the effort, and handing them the manual as well.
If someone is exploiting it then you _know_ the manual is already out there. How far it has been disseminated is unknown, but arguably it's better to assume it's being disseminated. Otherwise anybody could argue that "not enough" attackers know about an exploit as justification for criticizing disclosure.
https://security.googleblog.com/2016/10/disclosing-vulnerabi...
I would certainly hope it doesn't take Microsoft 3 months to fix it.