Not talking about the bug doesn't mean it's not there, but talking about it sure makes people aware that they should perhaps take extra precautions until Microsoft patches the bug. The attitude that "you're giving info to the evil hackers and now we're all unsafe!11" is the very essence of the fallacy of security by obscurity - your ignorance of a bug is no guarantee of others' ignorance of it. Pinning blame on Google for putting us all at risk is the exact wrong response; Microsoft is to blame for taking more than three months to fix a critical security bug, which has been there for even longer.
This sentiment is very visible in the comment section - the story's suggestion that Google did something wrong here, and the torrent of clueless commenters raging about how evil Google is being is disheartening, to say the least. I wonder how much of that is a result of the story's tone.
Yours is the standard argument against any form of disclosure. I'm not discounting it, because no disclosure has its merits, but responsible disclosure satisfies both an ethical imperative (you can't let people believe they're secure if you know otherwise) and provides pressure on vendors to fix their software, when the vendor might otherwise deem it not worth the time or money to fix the issue, which leaves their customers vulnerable.
The basic idea behind disclosure is "we might not be the first people to find this, and we definitely won't be the last, so let's remove all doubt and rob the bad guys of the element of surprise". Responsible disclosure is intended to permit responsible vendors to fix the issue before wide publication, but an uncooperative vendor doesn't mitigate the reality that the bug exists and will eventually be found by someone less benevolent.
But even if they did, that still isn't a "questionable practice" - if the full details of the exploit are public, you'd barely need a writeup to connect the dots.
> Even if patches were available, it would be far better to wait for most devices to be patched before releasing a full exploit.
So, for router exploits (say), that would be Infinity? If the manufacturer doesn't care, or the update ecosystem is broken (or nonexistent), nobody is more secure because someone did a writeup about a vuln that everyone (..interested) knows about.
Most exploits, however complex their discovery process may have been, end up as "send these bytes in this order" - they are usually very simple to duplicate once you know where the bodies are buried.
[1] As the GP says, 90 days is responsible disclosure.
The practice of a firm 90-day release schedule increases the probability that vendors will fix patches and take steps to assure that they are deployed to most devices within that period. But that only works if the practice is firm.
Sorry, but this is on the vendors. Saying Google shouldn't release details is like saying the public shouldn't be informed of a dangerous flaw in a car model's brake system until the manufacturer has decided whether to launch a new model and what the marketing plan for it should be.
I suppose that you will provide sources for that, won't you?
http://www.theverge.com/2015/1/2/7481069/google-publishes-wi...
Disappointing. Microsoft has no real argument here, other than perhaps allowing the NSA to use the bug for longer [1]. This is why the NSA has no need for real Windows backdoors. There are plenty of vulnerabilities such as these in Windows that allow privilege escalation or remote execution that are being discovered all the time. All Microsoft has to do is sit back for a few months on them, wait until another one appears so the NSA can start using that one, and then fix the old one. "Everyone" wins.
Google gave everyone (only a few big companies actually - everyone else got the "full disclosure" deal) only a week after discovering Heartbleed, and Microsoft is whining about 3 months being too little? Give me a break.
[1] http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...
Are Microsoft downplaying this, or is it genuinely quite minor? The article discusses a disgruntled employee, and since all their money comes from Enterprise, presumably "a disgruntled employee can cause major damage" is a pretty huge problem?
This isn't a remote root code execution bug, but it shouldn't be taken lightly, either. The exact environments where this bug would be applicable (locked-down) are the environments that could suffer severe damage because of an escalation issue.
The thing is, though, local privilege escalation isn't new, and it isn't novel. This is one in a long string of many, many similar bugs across most every major platform. It's completely unremarkable except for the reluctance on MS's part to patch it in a reasonable timeframe.
It means that every user effectively has root privileges. Which means that every user can eavesdrop on other users, view their saved data and files (unless encrypted on disk), intercept their network communications, impersonate them, steal their passwords (system, application, external web sites).
How bad that is depends on your particular use case. But for pretty much any setup where security is a concern or there's any sensitive data at stake, this is a very serious issue.
With the setup of Windows servers I've seen, only the admin logs in anyway. It's not really used as a "multi-user" system per se, where you get different users logging in at the same time. It does happen, but it's not common.
[1] http://windows.microsoft.com/en-us/windows/lifecycle
[2] See point 6 at http://support2.microsoft.com/gp/lifepolicy
Just being practical.
On the other hand if MS wasn't responsive enough and upfront about the time it'd take to patch and reasons for that, then sure, 90 days seems more than needed leeway for Microsoft. But I don't know how things worked and I've seen enough to assume that both scenarios are possible.
Vendors with a quite good track record should be allowed to have some slip-ups. You cannot compare a vendor who doesn't fix anything on time with one that usually fixes issues promptly but occasionally shows a delay on a report. The process should take that into account. I think the binary handling by Google on this one is not very well thought out.