Google has angered Microsoft by publicly announcing a critical security flaw in Windows that remains unpatched ten days after Google reported it to the Redmond-based company.
In its blog post, Google explains that it reported the zero-day vulnerabilities to Adobe and Microsoft on October 21. Adobe issued a critical fix to patch the bug last Friday, but the Windows vulnerability still hasn’t been addressed by Microsoft. Worst of all, Google says it is being actively exploited in the wild.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Google’s Threat Analysis Group. “This vulnerability is particularly serious because we know it is being actively exploited.”
The Windows zero-day, which can be triggered via a win32k.sys system call, could allow an attacker to escape from the operating system’s security sandbox and gain administrator privileges. Google recommends updating Flash as soon as possible and applying Windows patches as soon as they become available.
Microsoft is angry that Google publicly announced the vulnerability before it had a chance to issue a fix.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Microsoft clarified that the known exploit for the Windows vulnerability relies on the Flash bug, so users who have received the Flash patch are protected against it. But VentureBeat points out that until Microsoft ships a fix, the Windows flaw could still be leveraged in other types of attacks.