nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Google's Project Zero reveals another Microsoft flaw

Silver badge

Capable of Learning?

When will Slurp realize that ignoring bugs is a recipe for getting hammered in the tech press?

6
6
Silver badge

Re: Capable of Learning?

The day when it will have real effect on the day-to-day bottom line which the tech press does not.

10
1
LDS
Silver badge

Re: Capable of Learning?

Are you sure it is ignoring them? A rushed patch may be dangerous as well. Borking systems gets you hammered by the press as well.

More than the tech press, it looks it's Google that is using its hammer against competitors. Taking advantage it has far less customer-side code that can be analyzed - only Google has access to the code it runs on its servers.

8
5
Silver badge

Re: Capable of Learning?

More than the tech press, it looks it's Google that is using its hammer against competitors.

Give it a rest: the only way to judge Google is how they respond to similar reports about their software and so far their record is pretty good.

5
2
Silver badge

Re: Capable of Learning?

Give it a rest??? I beg to differ.

Google's record is abysmal. They're still unable to push security updates out to their Android installations.

Yeah, sure, there are OEMs in between them and their customers, but the same is true for Microsoft. (Only Apple doesn't have that barrier.)

Google is living in a glass house and it it putting its customers in that same glass house.

3
9
Silver badge

Re: Capable of Learning?

It is shit simple to toss a brick through a competitors window and any idiot with a PhD could do it.

The difficulty is making brick proof glass cheap enough for widespread consumer use, nobody at any company and no academic has done that yet.

It seems LDS is the only one of you lot with practical experience in massive scale systems deployed on a wide variety of hardware under the administration of a massive multi-locationed enterprise.

Rushing out fixes is a sure fire recipe for disaster.

Which is why the ethical thing to do is to register the bug with your nation's CERT and only release zero days when your nation's CERT says enough time has elapsed.

Too many inexperienced arrogant people outside are guessing the complexity with orders of magnitude error.

Especially these security types. If they think they're so smart why haven't they created a better operating system? Come on, the way they talk they should have it done in a fortnight.

2
7
Silver badge

Re: Capable of Learning?

"the only way to judge Google is how they respond to similar reports about their software and so far their record is pretty good."

Probably because to fix Chrome does not require a full restart of a computer, unlike IE or Edge.

6
0
Silver badge
Thumb Up

Re: Capable of Learning?

"Probably because to fix Chrome does not require a full restart of a computer, unlike IE or Edge."

WELL SAID!

1
0

Re: Capable of Learning?

"More than the tech press, it looks it's Google that is using its hammer against competitors. Taking advantage it has far less customer-side code that can be analyzed - only Google has access to the code it runs on its servers."

Wrong. Google doesn't have access to the source for Edge. Some parts have been open-sourced, but not all of it. Google is finding these issues simply through fuzzing. Google has way more customer facing code than Microsoft. About 2 billion lines in total, and it is fair to say it is all customer facing, as all services are provided over the Internet.

Microsoft supposedly views Edge as strategic, but they can't fix a simple out of bounds bug in 90 days? What is their status page @ https://developer.microsoft.com/en-us/microsoft-edge/platform/status/ all about? Are security fixes not getting enough upvotes? BTW, the Edge status page code IS open sourced.

0
0

This post has been deleted by a moderator

Silver badge

Re: I'm the Reason Google Found This!

I think you just b0rked my parser, Master of hounds.

12
0

Re: I'm the Reason Google Found This!

@Jake your parser is fine - it just threw an exception on error as expected

4
0
Silver badge

Is this the same Google that is still unable to update Android?

Dumb question, I know, but is this the same Google that is still unable to update Android?

Maybe instead of publishing "how to hacks" for other people's products and systems they should put some more time and effort into making their own products secure:

1. Figuring out how to make automatic updates work (like Apple did decades ago) and,

2. Getting vendors and re-sellers to agree to let that automatic update process work (like Microsoft did a decade ago).

Or is this some different Google?

Or does Google measure itself by different means than it measures other companies?

I know this other stuff, zero days in other people's products and systems, is important.

However, JOB ONE for Google should be taking care of its own products, its own customers and making stuff attached to its name secure -- rather than sitting up in their in their giant glass house throwing stones.

2
10
Silver badge
Gimp

Re: Is this the same Google that is still unable to update Android?

Your Waaaambulance is here.

Don't forget your coat and mask.

3
2
Silver badge

Re: Is this the same Google that is still unable to update Android?

@WatAWorld: the essential difference is that it's not Google's OS running on Android phones. Android is open source, and Samsung and others write their own version adapted to their own phones.

In comparison, Windows machines don't have a different OS depending whether it's sold by Dell or Lenovo. And of course only Apple sells iPhones.

3
2
Silver badge

Re: Is this the same Google that is still unable to update Android?

"the essential difference is that it's not Google's OS running on Android phones. Android is open source, and Samsung and others write their own version adapted to their own phones."

Um... no. That's just not true.

Leaving aside the fact that there's big chunks of Android which aren't open source, most of the phone manufacturers using it don't interfere with the core OS anyway - in fact, if you're a member of the Open Handset Alliance (which is pretty much everyone in the phone business) then you're contractually forbidden to fork Android. At most, you have a few proprietary drivers, a different skin on top and a few bonus apps. That's a pretty accurate description of Touchwiz, which is Samsung's Android 'skin'.

.

As a rule of thumb, if the device has access to the Google Play store, then it's full-fat Android in there with at most a reskin and some device-specific drivers. No-one is sat at Samsung, or Sony, or HTC re-writing Android code.

1
3

Re: Is this the same Google that is still unable to update Android?

"Dumb question, I know, but is this the same Google that is still unable to update Android?"

It is not their Android though. It is Sony's, LG's, or whoever names is on the front. Android is just an OS, that is everyone can use. While Google has been tightening up access, basically anyone can throw it onto a device, and sell that device. Why is Google now responsible for pushing updates to that device? Complain to your vendor about not making updates available for the device they sold you.

2
1
Silver badge

Again

Friends don't let friends use IE.

7
0
Silver badge

Re: Again

Or Edge.

4
0
Silver badge

A 32 function deep call stack just to handle a column break??

Someone at MS should suggest a project to rationalise their libraries as that is borderline absurd and also means that it is very unlikely that one person knows the entire stack tree code well enough to spot any more flaws. Mind you, it nicely explains why modern code requires such powerful processors to do tasks that used to be successfully done on devices with 1/100th the power.

5
0
Silver badge

Re: A 32 function deep call stack just to handle a column break??

Pretty sure Edge was supposed to be that project...

0
0
Silver badge

Re: A 32 function deep call stack just to handle a column break??

Pretty sure Edge was supposed to be that project...

Nah, IE 9 was the rewrite but it still contained wonderful things like Active X. All MS did with Edge was remove stuff like that and focus on graphics and JS performance.

0
0

ground-up rewrite?

I thought edge was supposed to be an all-new browser, finally throwing off the shackles of legacy IE code. Is it just coincidence the two have the exact same bug, or is Edge just a skin on top of a load of old IE code?

2
0
Silver badge

Re: ground-up rewrite?

They've obviously reused some core code. The question is how much?

0
0
Silver badge
Pirate

Flash?

Why is Microsoft releasing patches for Flash? Are they actually writing the patches, or just (re-)releasing Adobe's patches?

1
0
FAIL

rax and rcx are registers in x64.. not variables.. sich

2
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing