
Forum Moderators: bill

Windows 10 Flash Vulnerability Reported By Google

     
11:29 am on Nov 1, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine

joined:May 9, 2000
posts:23664
votes: 430


Google reported to Microsoft a critical vulnerability in Windows 10, and publicly disclosed it ten days later.
"After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited."
http://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html

According to reports, the vulnerability requires Adobe Flash, and if you don't have Flash installed, or already have it patched, it should have mitigated against the vulnerability. Although the link in Windows 10 is still there, the update from Microsoft will finally close the door. As with any of these things, update to help avoid problems.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Windows 10 Critical Vulnerability Reported By Google [venturebeat.com]


Is it a good idea to expose the vulnerability so soon after reporting it?
11:42 am on Nov 1, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr

joined:Sept 26, 2001
posts:7305
votes: 213


I received a Windows 10 update a couple days ago that included a patch for Flash.

However, I've resolved to never allow Flash again and have removed any browser support.

As for Google's public announcement, it seems we are in an era of transparency at all costs.
2:41 pm on Nov 2, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine

joined:May 9, 2000
posts:23664
votes: 430


Whilst I applaud the exposure of these exploits, I don't believe it's wise to publish before a response from the original software developer. It just exposes the exploit to bad actors. Users cannot do anything about it until a fix is forthcoming.

By all means, let's have the software developers fix these bugs quicker.

It seems a patch is coming out on 8 November.
3:45 pm on Nov 2, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor

joined:Nov 29, 2005
posts:7098
votes: 436


The "exploit" had already been fixed in the Flash patch just prior to g's report. In that regard I'm not sure what g was thinking (I'd prefer do no evil ... )
4:08 pm on Nov 2, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine

joined:May 9, 2000
posts:23664
votes: 430


"I'm not sure what g was thinking"

I'm sure there's something in it making Google look the good boy in this.