Microsoft isn't happy about Google revealing a Windows vulnerability that's being actively exploited

midian182

Posts: 7,064   +62
Staff member

Google has angered Microsoft by announcing a critical security flaw in Windows that remains unpatched ten days after disclosing it to the Redmond-based company.

In its blog post, Google explains that it reported the zero-day vulnerabilities to Adobe and Microsoft on October 21. Adobe issued a critical fix to patch the bug last Friday, but the Windows vulnerability still hasn’t been addressed by Microsoft. Worst of all, Google says it is being actively exploited in the wild.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Google’s Threat Analysis Group.”This vulnerability is particularly serious because we know it is being actively exploited.”

The Windows zero-day, which can be triggered via a win32k.sys system call, could allow an attacker to escape from the operating system’s security sandbox and gain administrator privileges. Google recommends updating Flash as soon as possible and applying Windows patches as soon as they become available.

Microsoft is angry that Google publicly announced the vulnerability before it had a chance to issue a fix.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Microsoft clarified that exploiting the Windows vulnerability requires the Flash bug, so users that have received the patch are protected. But VB points out that until Microsoft sends out a fix, the flaw could be leveraged in other types of attacks.

Permalink to story.

 

Kibaruk

Posts: 3,836   +1,186
The Adobe Flash without updates? This is as much as I can get out of the article.

The way to go would be to just uninstall flash =)
 

Uncle Al

Posts: 8,153   +6,895
The thought of Microsoft complaining so loudly just cracks me up .... talk about the pot calling the kettle black!
 
Flash needs to die faster...

From security standpoint, it's best to completely disable Flash (or better: remove it).
If you REALLY need to have Flash enabled (eg. for Flash games), at least use some kind of Flash blocker with a play button.

"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Yeah, right...
 

cliffordcooley

Posts: 12,919   +6,250
So Adobe has presented a temporary security update once again. And Microsoft didn't bend over and place Adobe's **** as top priority. Anyone that knows who is really at fault will never throw stones at Microsoft.
 

mbrowne5061

Posts: 1,902   +1,105
So maybe they could... I don't know... fix the problem instead of whining about it being released?

Patching an OS is not a simple process. They need to test against hundreds, if not thousands, of different hardware profiles to ensure the fix they come up with doesn't break anything - and that is after the time it takes to develop that fix. 7 days is not enough time by any measure, and Google would know this if they even tried to patch their any of their "OS" offerings.
 

infiltrator

Posts: 171   +31
"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection"

Lol, this quote makes me laugh so damn hard. How is using a Windows 10 and Edge browser going to help protect against a zero day vulnerability?
 

mbrowne5061

Posts: 1,902   +1,105
"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection"

Lol, this quote makes me laugh so damn hard. How is using a Windows 10 and Edge browser going to help protect against a zero day vulnerability?
Because it easier and quicker for them to test internal produced, actively maintained software. Just because it gets patched for Win10 and Edge doesn't mean that there won't be an outlier vulnerability when using Chrome or Firefox that takes more time to even notice (let alone patch, again)
 

Kibaruk

Posts: 3,836   +1,186
"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection"

Lol, this quote makes me laugh so damn hard. How is using a Windows 10 and Edge browser going to help protect against a zero day vulnerability?
It's thanks to a feature that starts with s and finishes with andbox.