On Monday, Google’s Threat Analysis Group published
details of a critical vulnerability in Microsoft’s Windows
10 that allows hackers to escape security sandboxes
by using a system call with win32k.sys. The reason
Google chose to go public with this knowledge is
because it believes the vulnerability is being “actively
exploited”.
Google had informed both Adobe and Microsoft of
zero-day vulnerabilities only 10 days ago on October
21. While Adobe has already issued a patch for Flash
– which is available via auto-updater or manual install
– Microsoft has yet to send out an update for
Windows 10 that blocks the use of this mechanism.
And hence, as you’d expect, Microsoft isn’t happy with
the disclosure.
“We believe in coordinated vulnerability disclosure, and
today’s disclosure by Google puts customers at
potential risk,” Microsoft conveyed to VentureBeat via a
statement. “Windows is the only platform with a
customer commitment to investigate reported security
issues and proactively update impacted devices as
soon as possible. We recommend customers use
Windows 10 and the Microsoft Edge browser for the
best protection.”
Google’s short disclosure period for "vulnerabilities
under active attack" came into effect in May 2013,
bringing it down from 60 days to just a week. Google
noted that 7 days might be “an aggressive timeline and
may be too short for some vendors to update their
products” but it justified the urgency of its disclosures
by saying that it’s still enough time to inform users
and give some advice.
Issuing a fix for a web plug-in such as Adobe Flash is
obviously much easier than patching an operating
system, which is why Google’s policy for vulnerabilities
under active attack has remained controversial. For
now, you should check to see Flash is updated and
install Windows patches the moment Microsoft issues
them.
