Earlier this week, Google disclosed a critical vulnerability in Windows that Microsoft has yet to issue a fix for. Microsoft has hit back at Google, criticising the company for releasing details of the security bug prematurely. The bug was disclosed by Google just seven days after the company raised it with Microsoft.
The bug in question involves local privilege escalation in the Windows kernel. Attackers would start by exploiting an Adobe Flash zero-day vulnerability to gain control of a web browser’s process, elevate privileges to escape the browser sandbox and then install a backdoor to access the victim’s computer.
According to the Google Threat Analysis Group:
“It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
Adobe has already released a fix for the Flash security bug. Microsoft is still testing a patch for the Windows kernel vulnerability, which is due out around November 8. The bug is present in Windows Vista through to the Windows 10 November Update. Microsoft has implemented a new exploit mitigation in the win32k kernel component that stops all known instances of this exploit in the wild, but that doesn’t guarantee attackers won’t find a workaround. The latest Microsoft Edge browser already protects users against the backdoor installation, to some extent.
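The Google TAG quote above credits Chrome’s Win32k lockdown mitigation with blocking this sandbox escape on Windows 10. The following PowerShell script is an added example, not part of the original article or of any vendor’s code: it audits which executables have that policy (DisableWin32kSystemCalls) set, and shows how to opt a non-UI helper image in. It assumes the ProcessMitigations module (Windows 10 1709 or later) and an elevated prompt; the image names are illustrative placeholders.

```powershell
# Added example, not from the article: audit the Win32k lockdown mitigation
# (ProcessSystemCallDisablePolicy) that Chrome's sandbox relies on to block
# win32k.sys system calls such as NtSetWindowLongPtr from renderer processes.
# Requires the ProcessMitigations module (Windows 10 1709+) and an elevated prompt.
# The image names below are assumptions for illustration.
$images = @('chrome.exe', 'msedge.exe', 'sandboxed-helper.exe')

foreach ($img in $images) {
    # Per-image policy as stored under Image File Execution Options (IFEO)
    $policy = Get-ProcessMitigation -Name $img
    $state  = $policy.SystemCall.DisableWin32kSystemCalls
    '{0,-22} DisableWin32kSystemCalls = {1}' -f $img, $state
}

# Opting an image in by policy. Only do this for processes that never create
# windows or draw (renderer/sandbox helpers); a browser's main UI process needs
# win32k and will fail to start with this policy applied. Chrome applies the
# policy itself, per renderer, at process creation, which is why the audit above
# can show NOTSET for chrome.exe while its renderers are still locked down.
$target = 'sandboxed-helper.exe'   # placeholder image name, an assumption
Set-ProcessMitigation -Name $target -Enable DisableWin32kSystemCalls

# Confirm the change took effect for the target image
(Get-ProcessMitigation -Name $target).SystemCall.DisableWin32kSystemCalls
```

Setting the policy by image name is a blunt instrument; the per-process route (a sandbox broker calling SetProcessMitigationPolicy before the child runs untrusted content) is the one browsers actually use.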
Terry Myerson, Microsoft’s executive vice-president for the Windows and Devices Group, was unimpressed with Google’s decision to disclose the vulnerability before a fix was available:
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Google’s justification was that the bug was already being actively exploited. Microsoft has hit back, highlighting the fact that the vulnerability was only exploited in low-volume, targeted spear-phishing attacks that didn’t affect the general public.
Disclosing security bugs is always a touchy subject. On the one hand, security researchers want to raise security flaws to software vendors so they can fix them and protect customers as soon as possible. On the other hand, vendors argue that disclosing vulnerabilities before patches are available gives attackers a leg up in exploiting them. But you have to consider that some vendors can take a long time to develop a fix and some don’t even bother to release patches, which leaves these security holes wide open for extended periods of time.
What are your thoughts on responsible disclosure of security bugs? Let us know in the comments.