Google Outs Critical Windows Vulnerability Microsoft Wouldn’t Fix

[Guest]

Google's Project Zero team publicly revealed a critical Windows bug that Microsoft has yet to fix, 90 days after the private disclosure.

Google Outs Critical Windows Vulnerability Microsoft Wouldn’t Fix : Read more

 

[Darkk]

Microsoft's advice: "Install all available Security Updates and enable the firewall on their computer"

Firewall isn't going to do squat since all it takes a user to get that infected .exe file and boom. You're screwed. Lucky most users know not to ever open an attachment that contains the .exe file.

Firewalls on PCs for outbound connections are useless since it allows all outbound unless you create specific rules to block them.

 

[maddad]

A firewall blocks incoming coming connections. So it is definitely good advice from Microsoft, plus the attacker has to get access to your computer so low probability of getting hit by this attack. Still 90 days should have been plenty of time for a fix!

 

[ahnilated]

A firewall blocks incoming coming connections. So it is definitely good advice from Microsoft, plus the attacker has to get access to your computer so low probability of getting hit by this attack. Still 90 days should have been plenty of time for a fix!

Are you kidding me? People click on these things all the time still. I work on computers and have to deal with them installing things they don't know about. It is even worse if it comes from an email account they know, they will blindly click on it and run it.

 

[red77star]

Wait...but go upgrade to Windows 8, 8.x because it is more secured than Windows XP and Windows 7? ***Sarcasm.

 

[turkey3_scratch]

Microsoft's advice: "Install all available Security Updates and enable the firewall on their computer"

Firewall isn't going to do squat since all it takes a user to get that infected .exe file and boom. You're screwed. Lucky most users know not to ever open an attachment that contains the .exe file.

Firewalls on PCs for outbound connections are useless since it allows all outbound unless you create specific rules to block them.

Lol exactly what I thought, like firewall is going to do anything. Firewalls are sometimes overrated and misunderstood.

 

[PerilSensitive]

I don't see any Android issues on that issue list. Are they kept separately?'

https://code.google.com/p/google-security-research/issues/list?can=1&q=&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles

 

[FTLAUDMAN]

Perhaps the US government was using this exploit and it was on their "stall until public" list of fixes.

 

[Ed Chombeau]

Who said it is "critical"---crying wolf again. This has NO affect on the average home user. If is was really serious don't u think a better explanation by Google would be the right thing to do; instead of "screaming fire" in a crowded theater---JERKS AT GOOGLE

 

[GreenPhantom]

Microsoft can't prevent stupidity.

 

[alextheblue]

Are you kidding me? People click on these things all the time still. I work on computers and have to deal with them installing things they don't know about. It is even worse if it comes from an email account they know, they will blindly click on it and run it.

Read the article. "they would first need to have valid log on credentials and be able to log on locally to a targeted machine." Sounds like you're already pretty well compromised at that point. Hardly a scary bug - if you've got local access there's plenty of things you could do.

all it takes a user to get that infected .exe file and boom. You're screwed. Lucky most users know not to ever open an attachment that contains the .exe file.

Firewalls on PCs for outbound connections are useless since it allows all outbound unless you create specific rules to block them.

First, read the article. As I said above, straight from the article, they can't just download an .exe and are automagically screwed.

Second, there are PLENTY of two-way firewalls that secure outbound connections by default. What you're describing is the simplest, dumbest old-school "firewall" on the planet. Even the built-in Windows firewall has some limited outbound protection capability out of the box for non-trusted programs.

Look at ZoneAlarm (just as an example - there are dozens of others) , they have been securing outbound access by programs since Win9x days. Back then you were prompted for each new/changed program requesting access. You could choose to allow/deny and it had options for remembering this choice until the program changes or until you change the settings yourself.

Now they use more automation and have various settings ranging from mostly-automated outbound security (learning mode, trusted vs unknown) to the classic strict mode I remember from years ago. Either way, there's more outbound program control available in the "Firewall" market than you can shake a stick at. Though many firewalls are now integrated into total security suites comprising AV, firewall, and anti-malware capabilities. Welcome to the 21st century.