Google on Monday posted to the Internet a previously unpublicized flaw that could pose a security threat to users of the Microsoft Windows operating system.
Google notified both Microsoft and Adobe of zero day vulnerabilities in their software on Oct. 21, wrote Neel Mehta and Billy Leonard, members of Google’s Threat Analysis Group, in an online post.
Google has a policy of making critical vulnerabilities public seven days after it informs a software maker about them. Adobe was able to fix its vulnerability within seven days; Microsoft was not.
“This [Windows] vulnerability is particularly serious because we know it is being actively exploited,” wrote Mehta and Leonard.
However, Google’s Chrome browser prevents exploitation of the vulnerability when running in Windows 10, they added.
Flaw Not Critical
Microsoft challenged Google’s analysis of the Windows flaw in a statement provided to TechNewsWorld by spokesperson Charlotte Heesacker.
“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” Microsoft said.
After cracking a system, hackers typically try to elevate their privileges in it to obtain access to increasingly sensitive data.
“Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented,” Microsoft noted.
The Windows vulnerability Google’s team discovered is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape triggered by a win32k.sys call, according to Mehta and Leonard.
The sandbox in Google’s Chrome browser blocks win32k.sys calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of the sandbox escape vulnerability, they explained in their post.
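The mitigation described above is visible from the host side. The following PowerShell is an added example, not code from the article, Google or Microsoft: it uses the built-in ProcessMitigations module (Windows 10 version 1709 and later) to report the Win32k system-call lockdown state of running processes; the image names are assumptions.

```powershell
# Added example: report whether running processes have the Win32k
# system-call lockdown applied. This is the process mitigation that,
# per the article, Chrome's sandbox uses on Windows 10 to block
# win32k.sys calls and so blunt the sandbox-escape vulnerability.
# Requires Windows 10 1709+ (ProcessMitigations module) and an elevated
# prompt to inspect processes owned by other users.
# The image names are assumptions; adjust to the processes you audit.
$images = @('chrome.exe', 'notepad.exe')

foreach ($img in $images) {
    # Get-Process expects the image name without its extension.
    $procs = Get-Process -Name ($img -replace '\.exe$', '') -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Host ("{0,-12} not running" -f $img)
        continue
    }
    foreach ($p in $procs) {
        # Query the live mitigation policy of this process instance.
        $m = Get-ProcessMitigation -Id $p.Id -ErrorAction SilentlyContinue
        if ($null -eq $m) { continue }
        # ON  : win32k.sys system calls are blocked for this process
        # OFF / NOTSET : the process can still reach the win32k attack surface
        $state = $m.SystemCall.DisableWin32kSystemCalls
        Write-Host ("{0,-12} PID {1,-6} Win32k lockdown: {2}" -f $img, $p.Id, $state)
    }
}
```

For chrome.exe expect a mix: the browser (broker) process needs win32k and reports OFF, while sandboxed renderer processes should report ON; a renderer reporting OFF is the condition worth investigating.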
Although Google contrasted Adobe’s quick action in patching its zero day vulnerability with Microsoft’s inaction, the comparison may be less than fair.
“The time to patch code in Adobe Reader or Flash versus something that integrates into an operating system is considerably different,” said Brian Martin, director of vulnerability intelligence at Risk Based Security.
What takes time is not so much changing the code as testing it after it’s changed, he explained.
“If Microsoft patches code in one version of Windows, it will likely affect several other versions,” Martin told TechNewsWorld.
“Then they have platform issues — 32-bit and 64-bit — and then the different versions — home, professional, server, whatever,” he pointed out.
“The amount of time it takes to patch it is one thing,” he said. “The amount of time to go through the full QA cycle is another. Seven days is generally considered unrealistic for an operating system.”
To Disclose or Not
The short deadline was necessary because the vulnerability was being exploited by hackers, Google’s team maintained. That logic, though, can be a two-edged sword.
“To me, this doesn’t ultimately help achieve everyone’s goal, which should be keeping consumers and their data safe,” said Udi Yavo, CTO of enSilo.
“By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all,” he told TechNewsWorld.
However, keeping the vulnerability under wraps at all is questionable, suggested Jim McGregor, principal analyst at Tirias Research.
“Considering how closely the hacker community communicates, seven days may have been too much time,” he told TechNewsWorld.
“Google was being a friendly corporate citizen by letting Microsoft know about the vulnerability, but in my mind it would have been more appropriate to make it public knowledge once you see it in the wild,” McGregor said.
“A vulnerability can spread through the hacker community in milliseconds,” he remarked. “By not making the vulnerability public, the only people who don’t know about it are the people who should know about it.”
KPMG RELOCATING IN STAMFORD, ADDING 110 JOBS
KPMG LLP plans to add 110 jobs over the next five years in a new Stamford office.
The audit, tax and advisory firm recently signed a long-term lease and plans to renovate space in the former UBS building at 677 Washington Boulevard, which it expects to occupy next spring. KPMG has had a presence in Stamford for nearly 40 years, where it currently employs 315 professionals at its location at 3001 Summer St. The firm’s Hartford office has 231 employees.
“KPMG’s commitment to growing its operations and creating jobs in Connecticut is a testament to our top-notch workforce and unbeatable quality of life,” Gov. Dannel Malloy said. “It is an encouraging sign that world-class companies are continually choosing to set up or expand operations in our state.”
The Connecticut Department of Economic and Community Development is supporting the business expansion in Stamford with a $3 million grant in arrears for leasehold improvements, equipment and other project-related costs. Portions of the grant will be released when certain job-creation milestones are met.
THE 7 MOST IN-DEMAND TECH JOBS FOR 2018
CIO | Jun 6, 2018
From data scientists to data security pros, the battle for the best in IT talent will rage on next year. Here’s what to look for when you’re hiring for the 7 most in-demand jobs for 2018 — and how much you should offer based on experience.
Source: Computer World
AUTOMATION WILL MAKE LIFELONG LEARNING A NECESSARY PART OF WORK
As more companies adopt and learn through digital solutions, and as new forms of employment and investment opportunities strengthen the demand recovery, we expect productivity growth to recover, write James Manyika and Myron Scholes in Project Syndicate.
For years, one of the big puzzles in economics has been accounting for declining productivity growth in the United States and other advanced economies. Economists have proposed a wide variety of explanations, ranging from inaccurate measurement to “secular stagnation” to questioning whether recent technological innovations are productive.
But the solution to the puzzle seems to lie in understanding economic interactions, rather than identifying a single culprit. And on that score, we may be getting to the bottom of why productivity growth has slowed.
Examining the decade since the 2008 financial crisis – a period remarkable for the sharp deterioration in productivity growth across many advanced economies – we identify three outstanding features: historically low growth in capital intensity, digitization, and a weak demand recovery. Together these features help explain why annual productivity growth dropped 80%, on average, between 2010 and 2014, to 0.5%, from 2.4% a decade earlier.
Start with historically weak capital-intensity growth, an indication of the access labor has to machinery, tools, and equipment. Growth in this average toolkit for workers has slowed – and has even turned negative in the US.
In the 2000-2004 period, capital intensity in the US grew at a compound annual rate of 3.6%. In the 2010-2014 period, it declined at a compound annual rate of 0.4%, the weakest performance in the postwar period. A breakdown of the components of labor productivity shows that slowing capital-intensity growth contributed about half or more of the decline in productivity growth in many countries, including the US.
Growth in capital intensity has been weakened by a substantial slowdown in investment in equipment and structures. Making matters worse, public investment has also been in decline. For example, the US, Germany, France, and the United Kingdom experienced a long-term decline of 0.5-1 percentage point in public investment between the 1980s and early 2000s, and the figure has been roughly flat or decreasing since then, creating significant infrastructure gaps.
Intangible investment, in areas such as software and research and development, recovered far more quickly from a brief and smaller post-crisis dip in 2009. Continued growth in such investment reflects the wave of digitization – the second outstanding feature of this period of anemic productivity growth – that is now sweeping across industries.
By digitization, we mean digital technology – such as cloud computing, e-commerce, mobile Internet, artificial intelligence, machine learning, and the Internet of Things (IoT) – that is moving beyond process optimization and transforming business models, altering value chains, and blurring lines across industries. What differentiates this latest wave from the 1990s boom in information and communications technology (ICT) is the breadth and diversity of innovations: new products and features (for example, digital books and live location tracking), new ways to deliver them (for example, streaming video), and new business models (for example, Uber and TaskRabbit).
However, there are also similarities, particularly regarding the effect on productivity growth. The ICT revolution was visible everywhere, the economist Robert Solow famously noted, except in the productivity statistics. The Solow Paradox, as it came to be known, was eventually resolved when a few sectors – technology, retail, and wholesale – ignited a productivity boom in the US. Today, we may be in round two of the Solow Paradox: while digital technologies can be seen everywhere, they have yet to fuel productivity growth.
MGI research has shown that sectors that are highly digitized in terms of assets, usage, and worker enablement – such as the tech sector, media, and financial services – have high productivity. But these sectors are relatively small in terms of share of GDP and employment, whereas large sectors such as health care and retail are much less digitized and also tend to have low productivity.
MGI research also suggests that while digitization promises significant productivity-boosting opportunities, the benefits have not yet materialized at scale. In a recent McKinsey survey, global firms reported that less than a third of their core operations, products, and services were automated or digitized.
This may reflect adoption barriers and lag effects, as well as transition costs. For example, in the same survey, companies with digital transformations under way said that 17% of their market share in core products or services was cannibalized by their own digital products or services. Moreover, less than 10% of the information generated by and flowing through corporations is digitized and available for analysis. As these data become more readily available through blockchains, cloud computing, or IoT connections, new models and artificial intelligence will enable corporations to innovate and add value through previously unseen investment opportunities.
The last feature that stands out in this period of historically slow productivity growth is weak demand. We know from corporate decision-makers that demand is crucial for investment. For example, an MGI survey conducted last year found that 47% of companies increasing their investment budgets were doing so because of an increase in demand or demand expectations.
Across industries, the slow recovery in demand following the financial crisis was a key factor holding back investment. The crisis increased uncertainty about the future direction in consumer and investment demand. The decision to invest and boost productivity was correctly deferred. When demand started to recover, many industries had excess capacity and room to expand and hire without needing to invest in new equipment or structures. That led to historically low capital-intensity growth – the single biggest factor behind anemic productivity growth – in the 2010-2014 period.
But, as more companies adopt and learn through digital solutions, and as new forms of employment and investment opportunities strengthen the demand recovery, we expect productivity growth to recover. Myriad factors contribute to productivity gains, but it is the twenty-first century’s steam engine – digitization, data, and its analysis – that will power and transform economic activity, add value, and enable income-boosting and welfare-enhancing productivity gains.
Source: Project Syndicate