In a blog post yesterday, Google’s Threat Analysis Group revealed that it found a Windows bug that Microsoft still hasn’t fixed, 10 days after Google reported the matter to them.
The bug also affected Adobe, and the company released a fix on October 26. Microsoft is yet to issue an advisory or a fix for the problem, but they’ve harshly criticized Google’s actions, saying that it “puts customers at potential risk.”
Google has tagged the vulnerability as CVE-2016-7855, and according to Google’s blog post, notifications were sent to both Microsoft and Adobe. The blog post also gave an overview of the bug, without going into specifics that would allow criminals to misuse the information:
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
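A defender-side check that follows from the quoted paragraph, added here as an example and not taken from Google’s post or from Microsoft: on a Windows 10 host, list which of a browser’s running processes actually have the Win32k lockdown mitigation enabled, since that is the setting Google says blocks this sandbox escape. The process name, the use of Get-ProcessMitigation’s -Id parameter and the SystemCall.DisableWin32kSystemCalls property are assumptions about the ProcessMitigations module (Windows 10 1709 or later), not details from the page.

```powershell
# Added example: audit the Win32k lockdown mitigation on a browser's running processes.
# Assumptions (not from the original post): Windows 10 1709+ with the ProcessMitigations
# module present; the default process name below; Get-ProcessMitigation reports the
# setting as SystemCall.DisableWin32kSystemCalls. Run from an elevated PowerShell prompt.
param([string]$ProcessName = 'chrome')

$results = foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try {
        $mit = Get-ProcessMitigation -Id $p.Id -ErrorAction Stop
        [pscustomobject]@{
            Pid            = $p.Id
            Win32kLockdown = $mit.SystemCall.DisableWin32kSystemCalls
        }
    } catch {
        # Protected or exiting processes can refuse the query; record it instead of aborting.
        [pscustomobject]@{ Pid = $p.Id; Win32kLockdown = "error: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Pid | Format-Table -AutoSize

# The browser's main and GPU processes legitimately keep win32k access; what matters is
# that the renderer processes, which handle untrusted web content, report the lockdown ON.
$unlocked = @($results | Where-Object { "$($_.Win32kLockdown)" -ne 'ON' })
if ($unlocked.Count -gt 0) {
    Write-Warning ("{0} of {1} {2} processes run without Win32k lockdown" -f
        $unlocked.Count, @($results).Count, $ProcessName)
}
```

Processes that show OFF or NOTSET are the ones to look at; on Windows 7 and 8.1, where the mitigation is unavailable, every process will report that way.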
Microsoft’s reaction at this point is limited to telling consumers to “use Windows 10 and the Microsoft Edge browser for the best protection,” but beyond that they have yet to officially advise customers on what to do about the vulnerability.
For its part, Google has protected its Chrome users via Chrome auto-update. The disclosure is in fact compliant with Google’s own 7-day policy (published in 2013), which asks other companies to fix critical vulnerabilities under active exploitation within that window, or at least to tell users how to protect themselves. The standard period is 60 days, but Google says:
“We believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised….
…Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management.”
In summary, Google has warned users about a vulnerability in Windows, Microsoft is pissed but hasn’t done anything about it, and users are currently left with nothing more than “Use Windows 10 and the Edge browser for the best protection” from Microsoft’s PR team.
Let’s watch how this plays out over the next few days.