There’s a big gaping security hole in Windows and Adobe Flash and Google took it upon itself to disclose this vulnerability not only to Microsoft but the public as well.
Google says that it alerted Microsoft and Adobe to the security vulnerability on 21st October and while Adobe was able to release a patch to fix the vulnerability, Microsoft has not yet released a patch.
So why release details of the vulnerability before Microsoft can release a fix? Well according to a blog post it’s Google’s policy, apparently.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited,” wrote Google.
Google also took it upon itself to provide details about the vulnerability.
[su_quote]The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability. [/su_quote]
Of course the argument is that if Adobe could patch its flaw why can’t Microsoft? To that we say, an operating system is far more complex than a piece of Flash software. Google’s policy is also incredibly unfair, while it has outlined what the vulnerability entails seven days to make a fix is simply not enough time.
You could argue that Google is trying to light a fire under Microsoft to get it working faster but this behaviour seems more like Google flexing its muscle than having its user’s best interests at heart, and Microsoft is not happy about it.
A Microsoft spokesperson told VentureBeat, “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk.” The spokesperson then goes on to lob a bit of shade at Google saying that its customers should use Windows 10 and the Edge browsers for the best protection.
Google’s advice is also rather thin. It suggests that users check to see if Flash has automatically updated and to manually update the software if it hasn’t. As for all those Windows users who are now vulnerable to an exploitation Google’s advice is “Apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
[Via – VentureBeat][Image – CC BY 2.0 Tyler Merbler]