August 13th - Still no response from google(!), disclosing publicly.
Basically that's integer type overflow, the moment I saw the four line patch, I knew what it was going to be. Everyone else would see that too cause it's a classic and can modify whatever exploit code they already have in a matter of minutes to work again.
I have a nit too. I don't like the term "responsible" used in this context. I prefer coordinated if anything. The responsible as in responsible disclosure is such a loaded term.
By the severity and simplicity here as well as the attention from the recent talk, this was a fine course of events in my personal opinion.
What I wish would have happened is someone at google would have done a better code review and caught the bug, it's pretty glaring as these things go, but still it happens all the time so considering that the patches were simply applied the next option I wish would have happened otherwise is that someone at google would have responded. In a case like this I would have liked to see a day or two at the most.
But none of that happened and considering the other concerns laid-out in the post, releasing the info publicly after almost a week is pretty responsible.
August 13th - Still no response from google(!), disclosing publicly.
Basically that's integer type overflow, the moment I saw the four line patch, I knew what it was going to be. Everyone else would see that too cause it's a classic and can modify whatever exploit code they already have in a matter of minutes to work again.
I have a nit too. I don't like the term "responsible" used in this context. I prefer coordinated if anything. The responsible as in responsible disclosure is such a loaded term.
By the severity and simplicity here as well as the attention from the recent talk, this was a fine course of events in my personal opinion.
What I wish would have happened is someone at google would have done a better code review and caught the bug, it's pretty glaring as these things go, but still it happens all the time so considering that the patches were simply applied the next option I wish would have happened otherwise is that someone at google would have responded. In a case like this I would have liked to see a day or two at the most.
But none of that happened and considering the other concerns laid-out in the post, releasing the info publicly after almost a week is pretty responsible.