Google discloses Windows bug, makes Microsoft unhappy
Google’s threat analysis group has disclosed a critical vulnerability in the Windows OS in a public post on the company's security blog.
The bug itself is narrow in scope: a flaw in the win32k.sys kernel-mode subsystem that lets an attacker who already has code running inside a security sandbox escape it and gain higher privileges on the host. It is nonetheless serious enough to be rated critical, and it is being actively exploited in the wild.
Because the bug is under active attack, Google made the details public 10 days after reporting it to Microsoft, before a Windows patch was available. Google has already shipped protection for Chrome users, but Windows itself remains unpatched, so users of other browsers and applications are at considerably higher risk. Google's disclosure gives only a general description of the flaw: enough for defenders to recognize a possible attack, but not enough to make it easy for criminals to replicate. The attack seen in the wild chains this bug with a separate vulnerability in Adobe Flash, which provides the initial foothold inside the sandbox; Adobe has already released a patch for that Flash bug, so keeping Flash current removes the known entry point even while the Windows bug remains open.
Microsoft, however, has criticized Google's move. “Today's disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “We recommend Windows 10 and Microsoft Edge browser for the best protection.” The brief grace period is in line with Google's disclosure policy, which sets a seven-day deadline for vulnerabilities under active attack. “We encourage users to verify auto-updated Flash and manually update if not,” Google's post recommends.