Google exposes Windows 11 security flaw after Microsoft fails to patch it

https://www.neowin.net/news/google-exposes-windows-11-security-flaw-after-microsoft-fails-to-patch-it-properly/

39•UsamaJawad96•1mo ago

Comments

twelvechess•1mo ago

It seems lately every piece of software is getting more and more vulnerabilities, failures, crashes. Microsoft products are exceptionally high in the list.

hsbauauvhabzb•1mo ago

More people are looking. Microsoft products have been large attack surface, poorly coded and heavily researched for a very long time.

nly•1mo ago

I don't understand why they wouldn't give a pre-release patch to the bug reporter (especially if it's someone like Google) for them to analyse before doing a final release.

If they were actively working with Project Zero instead of being seemingly silent, this wouldn't happen

This is where FOSS is still winning and will always win. Fixed happen in the open and bad fixes can be called out

hsbauauvhabzb•1mo ago

I’m not sure why you think it’s the researchers responsibility to verify patches. It would be nice, especially if they’re knowledgeable in the code, but Microsoft have the resources to put someone else in that position too.

nly•1mo ago

The researchers in this case literally checked the patch after release. It costs nothing to send them a pre-release and ask the question

hsbauauvhabzb•1mo ago

That’s different. I’m not here to mark your work but if you publish your work, I’m happy to publicly point out that you’re wrong, especially if you’re Microsoft size and should have work checkers internally and are continually doing the wrong think and putting people at risk as a result.

nwellnhof•1mo ago

It should be noted that Google Project Zero doesn't care whether a software product is maintained by multi-trillion corporations or a single volunteer. Imposing an "industry-standard" 90-day deadline on a unpaid solo developer without offering any help or compensation whatsoever is not sustainable. It forced me to step down as maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

transpute•1mo ago

What do you think of https://bughunters.google.com/open-source-security/patch-rew...?

philipallstar•1mo ago

The linked conversation looked pretty civil - looks as though you decided to step down, which is entirely reasonable, but I don't see anything forcing you or imposing anything on you.

ThunderSizzle•1mo ago

Civil, but unreasonable. An unpaid maintainer of a free library isn't a vendor, and shouldn't be treated in any such way. A vendor is paid.

concinds•1mo ago

This isn't the same as bigcorps offloading their compliance costs to open-source ""vendors"". No one's obligated to do anything. The disclosure window is meant to address a tradeoff between giving the dev a chance to fix it, and minimizing users' risk until patch issuance. But if the dev can't fix it, the risk tradeoff shifts and you do have a duty to make it public for users' sake. You can't take it for granted that you're the first one and only one to have found that vulnerability.

UncleMeat•1mo ago

They aren't demanding anything of you. The alternative is immediate disclosure of bugs, not indefinite embargo of bugs.

philipallstar•1mo ago

I don't see how they were treated in that way, though?

ThunderSizzle•1mo ago

Put plainly, any sort of expectations as if they other person is an employee or coworker makes no sense to me.

If Google wants bugs fixed in open source software, they should also submit a PR with the fix, or provide a bounty for the fix.

The way this is done is an unveiled threat (if it was my library, I'd tell them as much. Deadlines are for vendors or employees, not for free libraries).

Jiro•1mo ago

You said "Being an unpaid volunteer, I also don't really care about external deadlines. I'll just make the issue and the fix public and people can patch libxslt themselves." But that's what they were going to do anyway if you didn't fix it--they were going to make the issue public. What's the problem?

hnburnsy•1mo ago

Google is a bunch of hypocrites, there are other cases where Google asked third parties for a disclosure extension and the fixes took longer than 90 days, but here is the most recent one I noticed...

https://news.ycombinator.com/item?id=43032464

hsbauauvhabzb•1mo ago

What’s the expectation for responsible disclosure when it comes to ineffective patches? Does that normally reset the counter to 90 days, or only if the patch was reasonable and in good faith?

q3k•1mo ago

Here's the actual issue with technical details instead of useless blogspam: https://project-zero.issues.chromium.org/issues/437291456

steve1977•1mo ago

Microsoft, why don't you simply use Copilot to fix the vulnerability?

Show HN: Django N+1 Queries Checker

Emacs-tramp-RPC: High-performance TRAMP back end using JSON-RPC instead of shell

Protocol Validation with Affine MPST in Rust

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Show HN: Zest – A hands-on simulator for Staff+ system design scenarios

Show HN: DeSync – Decentralized Economic Realm with Blockchain-Based Governance

Automatic Programming Returns

Why Are There Still So Many Jobs? The History and Future of Workplace Automation [pdf]

The Search Engine Map

Show HN: Souls.directory – SOUL.md templates for AI agent personalities

Real-Time ETL for Enterprise-Grade Data Integration

Economics Puzzle Leads to a New Understanding of a Fundamental Law of Physics

Switzerland's Extraordinary Medieval Library

A new comet was just discovered. Will it be visible in broad daylight?

ESR: Comes the news that Anthropic has vibecoded a C compiler

Frisco residents divided over H-1B visas, 'Indian takeover' at council meeting

If CNN Covered Star Wars

Show HN: I built the first tool to configure VPSs without commands

AI agents from 4 labs predicting the Super Bowl via prediction market

EU bans infinite scroll and autoplay in TikTok case

Benchmarking how well LLMs can play FizzBuzz

Why I Joined OpenAI

Octave GTM MCP Server

Show HN: Portview what's on your ports (diagnostic-first, single binary, Linux)

Voyager CEO says space data center cooling problem still needs to be solved

Boilerplate Tax – Ranking popular programming languages by density

Zen: A Browser You Can Love

My GPT-5.3-Codex Review: Full Autonomy Has Arrived

Show HN: FastLog: 1.4 GB/s text file analyzer with AVX2 SIMD

God said it (song lyrics) [pdf]

Show HN: Django N+1 Queries Checker

Emacs-tramp-RPC: High-performance TRAMP back end using JSON-RPC instead of shell

Protocol Validation with Affine MPST in Rust

Female Asian Elephant Calf Born at the Smithsonian National Zoo

Show HN: Zest – A hands-on simulator for Staff+ system design scenarios

Show HN: DeSync – Decentralized Economic Realm with Blockchain-Based Governance

Automatic Programming Returns

Why Are There Still So Many Jobs? The History and Future of Workplace Automation [pdf]

The Search Engine Map

Show HN: Souls.directory – SOUL.md templates for AI agent personalities

Real-Time ETL for Enterprise-Grade Data Integration

Economics Puzzle Leads to a New Understanding of a Fundamental Law of Physics

Switzerland's Extraordinary Medieval Library

A new comet was just discovered. Will it be visible in broad daylight?

ESR: Comes the news that Anthropic has vibecoded a C compiler

Frisco residents divided over H-1B visas, 'Indian takeover' at council meeting

If CNN Covered Star Wars

Show HN: I built the first tool to configure VPSs without commands

AI agents from 4 labs predicting the Super Bowl via prediction market

EU bans infinite scroll and autoplay in TikTok case

Benchmarking how well LLMs can play FizzBuzz

Why I Joined OpenAI

Octave GTM MCP Server

Show HN: Portview what's on your ports (diagnostic-first, single binary, Linux)

Voyager CEO says space data center cooling problem still needs to be solved

Boilerplate Tax – Ranking popular programming languages by density

Zen: A Browser You Can Love

My GPT-5.3-Codex Review: Full Autonomy Has Arrived

Show HN: FastLog: 1.4 GB/s text file analyzer with AVX2 SIMD

God said it (song lyrics) [pdf]

Google exposes Windows 11 security flaw after Microsoft fails to patch it

Comments