Google discloses major Windows bug, Microsoft not happy
Google made the details of the bug public 10 days after reporting the bug to Microsoft
Google’s threat analysis group has disclosed a critical vulnerability in Windows in a public post on the company’s security blog. The bug itself is very specific, allowing attackers to escape from security sandboxes through a flaw in the win32k system, but it is serious enough to be categorized as critical and is being actively exploited.
Because of the nature of the bug, Google made the details public 10 days after reporting it to Microsoft, before a patch could be coded and deployed. The result is that, although Google has already deployed a patch protecting its Chrome users, Windows itself is still vulnerable, and at a much higher risk of attack.
Google’s disclosure provides only a general description of the bug, giving users enough information to recognize a possible attack without making it too easy for criminals to replicate. Exploiting the bug also depends on a separate exploit in Adobe Flash, for which Adobe has released a patch.
Microsoft, however, has criticized Google’s decision to disclose. “Today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said to VentureBeat. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
The brief grace period is in accordance with Google’s disclosure-timeline policy for vulnerabilities under active attack. However, this is the first major invocation of the policy in the three years since it was put into place. “We encourage users to verify that Flash has auto-updated — and to manually update if not,” Google’s post recommends, “and to apply Windows patches from Microsoft when they become available.”