Earlier this week, Google disclosed a critical vulnerability in Windows that Microsoft has yet to issue a fix for. Microsoft has hit back at Google, criticising the company for releasing details of the security bug prematurely. The bug was disclosed by Google just seven days after the company raised it with Microsoft.
The bug in question involves local privilege escalation in the Windows kernel. Attackers would start by exploiting an Adobe Flash zero-day vulnerability to gain control of a web browser’s process, elevate privileges to escape the browser sandbox and then install a backdoor to access the victim’s computer.
According to the Google Threat Analysis Group:
“It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
Adobe has already released a fix for the Flash security bug. Microsoft is still testing a patch for the Windows kernel vulnerability, which is due out around November 8. The bug is present in Windows Vista through to the Windows 10 November Update. Microsoft has implemented new exploit mitigation in the win32k kernel component that stops all known instances of this exploit in the wild, but that doesn’t guarantee attackers won’t find a workaround. The latest Microsoft Edge browser already protects users against the backdoor installation, to some extent.
Microsoft executive vice-president for Windows and Devices group Terry Myerson was unimpressed with Google’s decision to disclose the vulnerability before a fix was available:
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Google’s justification was that the bug was already being actively exploited. Microsoft has hit back, highlighting the fact that the vulnerability was only exploited in low-volume spear-phishing attacks that were targeted and didn’t affect the general public.
Disclosing security bugs is always a touchy subject. On the one hand, security researchers want to raise security flaws to software vendors so they can fix them and protect customers as soon as possible. On the other hand, vendors argue that disclosing vulnerabilities before patches are available gives attackers a leg up in exploiting them. But you have to consider that some vendors can take a long time to develop a fix and some don’t even bother to release patches, which leaves these security holes wide open for extended periods of time.
What are your thoughts on responsible disclosure of security bugs? Let us know in the comments.
Comments
4 responses to “Google Just Revealed A Windows Zero-Day Bug And Microsoft Isn’t Happy”
Offering a vendor 90 days to fix a vulnerability before publicly disclosing it is a well accepted industry standard, and one which Google adopts themselves. Frankly, they should be ashamed of themselves; this is a petty move meant to do nothing but undermine Microsoft.
Normally I’d agree with you, except with this being an actively used exploit Microsoft should be moving faster on it. I mean come on, Adobe Flash got a patch out faster.
If you read the Google blog they link to their disclosure policy. One which states that for ACTIVELY EXPLOITED vulnerabilities (i.e. zero day exploits) they only wait 7 days. Honestly for a zero-day I would want day 1 disclosure, so potentially I can try and workaround the exploit until a true patch has been pushed. Either through custom signatures, disabling software, etc. So given that Google waited 7 days on this, and note that it was 7 days after Google had discovered it, not 7 days since it had been being actively exploited. For all we know, since this exploit goes all the way back to Windows Vista it could have been being used under the radar for years.
So no, Microsoft should be ashamed, if anything, for not getting off their butts and pushing a fix for this.
Can’t wait for Microsoft to do the same.
If Microsoft had no interest or weren’t being proactive in addressing the vulnerability, fair enough.
In any other case, it’s poor form from Google and a blatant disregard to the greater community.
Even if the exploit was in use, there’s no honour amongst crooks by ‘sharing the secret’. Publicising the weakness to all only makes things much worse.
Granted, Google do find some nuggets and it’s a good thing to report them, but they need to be pragmatic.