TechSpot

Microsoft isn't happy about Google revealing a Windows vulnerability that's being actively exploited

By midian182
Nov 1, 2016
  1. Google has angered Microsoft by announcing a critical security flaw in Windows that remains unpatched ten days after disclosing it to the Redmond-based company.

    In its blog post, Google explains that it reported the zero-day vulnerabilities to Adobe and Microsoft on October 21. Adobe issued a critical fix to patch the bug last Friday, but the Windows vulnerability still hasn’t been addressed by Microsoft. Worst of all, Google says it is being actively exploited in the wild.

    “After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Google’s Threat Analysis Group. “This vulnerability is particularly serious because we know it is being actively exploited.”

    The Windows zero-day, which can be triggered via a win32k.sys system call, could allow an attacker to escape from the operating system’s security sandbox and gain administrator privileges. Google recommends updating Flash as soon as possible and applying Windows patches as soon as they become available.

    Microsoft is angry that Google publicly announced the vulnerability before it had a chance to issue a fix.

    “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

    Microsoft clarified that exploiting the Windows vulnerability requires the Flash bug, so users that have received the patch are protected. But VB points out that until Microsoft sends out a fix, the flaw could be leveraged in other types of attacks.


     
  2. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,664   +312

    @Rob Thubron

    "Microsoft clarified that exploiting the Windows vulnerability requires the Flash bug"

    Which 'Flash bug'?
     
  3. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,518   +506

    The Adobe Flash without updates? This is as much as I can get out of the article.

    The way to go would be to just uninstall flash =)
     
  4. Uncle Al

    Uncle Al TS Evangelist Posts: 1,682   +787

    The thought of Microsoft complaining so loudly just cracks me up .... talk about the pot calling the kettle black!
     
    wastedkill likes this.
  5. Win7Dev

    Win7Dev TS Evangelist Posts: 567   +174

    So maybe they could... I don't know... fix the problem instead of whining about it being released?
     
    LenovoX likes this.
  6. DDS Central

    DDS Central TS Rookie

    Flash needs to die faster...

    From a security standpoint, it's best to completely disable Flash (or better: remove it).
    If you REALLY need to have Flash enabled (e.g. for Flash games), at least use some kind of Flash blocker with a play button.

    "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
    Yeah, right...
     
    FloofyFox and veLa like this.
  7. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,558   +2,900

    So Adobe has presented a temporary security update once again. And Microsoft didn't bend over and place Adobe's **** as top priority. Anyone that knows who is really at fault will never throw stones at Microsoft.
     
  8. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 340   +133

    Patching an OS is not a simple process. They need to test against hundreds, if not thousands, of different hardware profiles to ensure the fix they come up with doesn't break anything - and that is after the time it takes to develop that fix. 7 days is not enough time by any measure, and Google would know this if they even tried to patch any of their "OS" offerings.
     
    Teko03 likes this.
  9. Puiu

    Puiu TS Evangelist Posts: 1,914   +537

    one of the gazillion still not patched.
     
  10. infiltrator

    infiltrator TS Booster Posts: 141   +21

    "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection"

    Lol, this quote makes me laugh so damn hard. How is using a Windows 10 and Edge browser going to help protect against a zero day vulnerability?
     
  11. Kenrick

    Kenrick TS Booster Posts: 189   +88

    Kill the flash!
     
  12. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 340   +133

    Because it's easier and quicker for them to test internally produced, actively maintained software. Just because it gets patched for Win10 and Edge doesn't mean that there won't be an outlier vulnerability when using Chrome or Firefox that takes more time to even notice (let alone patch, again)
     
  13. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,518   +506

    It's thanks to a feature that starts with s and finishes with andbox.
     
