Google posted about the zero-day vulnerability on its security blog, saying Microsoft had yet to publish a fix or issue an advisory about the software flaw.
"This vulnerability is particularly serious because we know it is being actively exploited," Google said. The flaw is a bug in the Windows kernel, reachable through a win32k.sys system call, that an attacker can use to escape a security sandbox.
The search giant originally told Microsoft about the problem 10 days ago, on Oct. 21. It waited to say anything about it publicly so Microsoft could fix the problem first. But Google has a strict policy of giving vendors only seven days to either publish a patch or issue a warning about a flaw.
"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a blog post in 2013. "But it should be enough time to publish advice about possible mitigations."
Microsoft slammed Google's move. "We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," the company said in an email on Monday.
It's not the first time the two companies have disagreed over disclosing a vulnerability. In 2015, Google disclosed publicly unknown holes in Windows before Microsoft had a chance to issue patches. This prompted Microsoft to complain.
"Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," the company said at the time.
Brian Martin, director of vulnerability intelligence at Risk Based Security, said it would be impossible for Microsoft to come up with a patch in seven days. Fixing a Windows vulnerability can mean addressing problems in several different platforms of the OS and ensuring that the resulting patch doesn't disrupt any of the existing programming, he said.
"It's just too complex to do that in a matter of days," Martin said. However, Google had some justification in warning the public, given that hackers were already exploiting the vulnerability, he said.
"It goes back to an age-old debate of how much time you should give," he said. "In this case, because the vulnerability was being exploited in the wild, it forces Microsoft to up their schedule."
Google said that on Windows 10 its Chrome browser already prevents the exploit from working: the browser's own sandbox blocks win32k.sys system calls, so the vulnerable kernel code cannot be reached from sandboxed code.