GRENADE! Project Zero pops pin on ANOTHER WINDOWS 0-DAY

Redmond ran out of time to patch Windows flaw


Google has once again decided Microsoft's moving too slowly on the security front – by dropping yet another proof-of-concept attack against a Windows 7 and 8.1 bug that Redmond tried and failed to fix this week.

The flaw is present in Windows on 32- and 64-bit architectures, and can accidentally disclose sensitive information or allow a miscreant to bypass security checks, apparently.

Google's Project Zero dropped the bug in line with its 90-day fix-it-or-else disclosure policy which this week ruffled its foe's feathers after a serious flaw was revealed two days before Redmond issued a fix.

Microsoft asked for the disclosure of that particular bug be held back slightly until it could be dealt with on Patch Tuesday, to reduce impact on customers.

Microsoft senior director Chris Betz said Google's actions are not useful, as they have the potential to hurt Windows users.

The Choc Factory for its part was sticking fast.

Google appears to be flinging fudge at all netizens that don't take patching seriously: coupled with its tight 90-day dump rule, the software giant also refused to fix a serious WebView flaw in its own Android platform for the old but hugely popular version 4.3.

It is estimated that close to a one billion users - 60 percent of the Android customer base - would be impacted unless they updated their phones and tablets. That feat's not simple, as device manufacturers and telcos need to get in on the act and push out Google's latest updates.

One alternative is for users to install supported modified operating systems such as Cyanogenmod that, while stable, may require a process too alien and fiddly for the non-technical masses.

Google said it was difficult to fix the WebView hole due to its integration into the core system as opposed to it running in Google Play services for later Android platforms.

The newly-disclosed Windows vulnerability affected the function CryptProtectMemory which together with an encryption key could allow memory sharing and logon session ID extraction between processes.

The flaw was in the CNG.sys implementation, which failed to run proper token checks meaning logon session IDs a normal user could decrypt or encrypt data for that logon session.

"This might be an issue if there's a service which is vulnerable to a named pipe planting attack or is storing encrypted data in a world readable shared memory section," the Google report says.

"This behaviour of course might be design, however not having been party to the design it's hard to tell." ®


Other stories you might like

  • D-Wave deploys first US-based Advantage quantum system
    For those that want to keep their data in the homeland

    Quantum computing outfit D-Wave Systems has announced availability of an Advantage quantum computer accessible via the cloud but physically located in the US, a key move for selling quantum services to American customers.

    D-Wave reported that the newly deployed system is the first of its Advantage line of quantum computers available via its Leap quantum cloud service that is physically located in the US, rather than operating out of D-Wave’s facilities in British Columbia.

    The new system is based at the University of Southern California, as part of the USC-Lockheed Martin Quantum Computing Center hosted at USC’s Information Sciences Institute, a factor that may encourage US organizations interested in evaluating quantum computing that are likely to want the assurance of accessing facilities based in the same country.

    Continue reading
  • Bosses using AI to hire candidates risk discriminating against disabled applicants
    US publishes technical guide to help organizations avoid violating Americans with Disabilities Act

    The Biden administration and Department of Justice have warned employers using AI software for recruitment purposes to take extra steps to support disabled job applicants or they risk violating the Americans with Disabilities Act (ADA).

    Under the ADA, employers must provide adequate accommodations to all qualified disabled job seekers so they can fairly take part in the application process. But the increasing rollout of machine learning algorithms by companies in their hiring processes opens new possibilities that can disadvantage candidates with disabilities. 

    The Equal Employment Opportunity Commission (EEOC) and the DoJ published a new document this week, providing technical guidance to ensure companies don't violate ADA when using AI technology for recruitment purposes.

    Continue reading
  • How ICE became a $2.8b domestic surveillance agency
    Your US tax dollars at work

    The US Immigration and Customs Enforcement (ICE) agency has spent about $2.8 billion over the past 14 years on a massive surveillance "dragnet" that uses big data and facial-recognition technology to secretly spy on most Americans, according to a report from Georgetown Law's Center on Privacy and Technology.

    The research took two years and included "hundreds" of Freedom of Information Act requests, along with reviews of ICE's contracting and procurement records. It details how ICE surveillance spending jumped from about $71 million annually in 2008 to about $388 million per year as of 2021. The network it has purchased with this $2.8 billion means that "ICE now operates as a domestic surveillance agency" and its methods cross "legal and ethical lines," the report concludes.

    ICE did not respond to The Register's request for comment.

    Continue reading
  • Fully automated AI networks less than 5 years away, reckons Juniper CEO
    You robot kids, get off my LAN

    AI will completely automate the network within five years, Juniper CEO Rami Rahim boasted during the company’s Global Summit this week.

    “I truly believe that just as there is this need today for a self-driving automobile, the future is around a self-driving network where humans literally have to do nothing,” he said. “It's probably weird for people to hear the CEO of a networking company say that… but that's exactly what we should be wishing for.”

    Rahim believes AI-driven automation is the latest phase in computer networking’s evolution, which began with the rise of TCP/IP and the internet, was accelerated by faster and more efficient silicon, and then made manageable by advances in software.

    Continue reading
  • Pictured: Sagittarius A*, the supermassive black hole at the center of the Milky Way
    We speak to scientists involved in historic first snap – and no, this isn't the M87*

    Astronomers have captured a clear image of the gigantic supermassive black hole at the center of our galaxy for the first time.

    Sagittarius A*, or Sgr A* for short, is 27,000 light-years from Earth. Scientists knew for a while there was a mysterious object in the constellation of Sagittarius emitting strong radio waves, though it wasn't really discovered until the 1970s. Although astronomers managed to characterize some of the object's properties, experts weren't quite sure what exactly they were looking at.

    Years later, in 2020, the Nobel Prize in physics was awarded to a pair of scientists, who mathematically proved the object must be a supermassive black hole. Now, their work has been experimentally verified in the form of the first-ever snap of Sgr A*, captured by more than 300 researchers working across 80 institutions in the Event Horizon Telescope Collaboration. 

    Continue reading

Biting the hand that feeds IT © 1998–2022