I'm feel like I didn't explain myself carefully enough, so just one more time, just to clarify, I'm going to re-state:
The attackers this disclosure contemplates have both browser RCE and a zero-day Windows kernel privilege escalation vulnerability. There is no site you can direct them to that an attacker can't briefly replace with a malware installation vector. The advice you're suggesting Google provide simply doesn't apply.
> The attackers this disclosure contemplates have both browser RCE and a zero-day Windows kernel privilege escalation vulnerability. There is no site you can direct them to that an attacker can't briefly replace with a malware installation vector. The advice you're suggesting Google provide simply doesn't apply.
> A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.
So, it would appear there's no RCE and that there's just an 0day priv-esc.
If you're talking about the set of unknown size we're calling undisclosed RCEs, then we have two potential decisions which hinge on attack economics whereby an attacker leverages an unknown RCE in tandem with this priv-esc in:
• targeted attacks (much more likely)
• mass campaigns (I'd argue much less likely)
Since Google's disclosure is to everyone, advice which applies to everyone will also cover the set of people who:
• aren't targets of attackers with an unknown RCE, and
• are likely to download attachments w/ the priv-esc alone.
I don't have the stats, but telling everyone to be careful also tells this likely-majority subset of people to be careful, optimistically mitigating the substantially higher risk that they'll be owned by the priv-esc alone. The remaining at-risk set is the population of people for whom attackers may decide that burning an unpublished RCE is a valuable trade.
•••
If you're also talking about known and patched RCEs, then users who are missing those updates have bigger problems.
•••
To quote one of my employees who's got an eye on this thread: "At this point, the argument between the two of you is entirely pedantic in nature." heh
This is a lot of words, but the point here is simple:
The modern browser security model depends in part on the idea that arbitrary RCE does not equate to system privileges. That's what sandboxes and multi-process models are for.
A kernel privesc vulnerability bypasses the modern browser security model. That's why it's a big deal.
The disclosure points out that Chrome's sandbox preemptively blocks this particular privilege escalation bug, by not exposing its vector in its sandbox. But other browsers don't.
Microsoft seems to disagree without explicitly stating it, and Google didn't explicitly state this either.
Edit with relevant PR-speak from Microsoft:
"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
It would be interesting to see if Project Zero tested for this in Edge, but since they gave no indication that other browser are vulnerable or not, it's fair to assume they haven't. Heh.
The attackers this disclosure contemplates have both browser RCE and a zero-day Windows kernel privilege escalation vulnerability. There is no site you can direct them to that an attacker can't briefly replace with a malware installation vector. The advice you're suggesting Google provide simply doesn't apply.