Google did something some think they could have handled differently. They disclosed a critical security flaw in Windows in a public post yesterday, even though they say they first notified Microsoft of it on the 21st of October. The bug allows attackers to escape from security sandboxes by exploiting a flaw in the win32k kernel component. Google’s post describes it as follows:
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
Google says it went public just 10 days after reporting the bug to Microsoft in order to protect users, or at least make them aware of it, while Microsoft develops a patch. They want users to have this information because exploiting the win32k bug also depends on a hacker separately breaking into Adobe Flash. A patch for the Flash flaw has already been issued, and Google is urging users to install it. In Google’s words: “We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
But why did they make it public if Microsoft is already working on a patch?
The first thing to know is that Microsoft is not happy with the disclosure, because hackers who may not have known about the flaw could now start exploiting it. In a statement provided to VentureBeat, Microsoft said the following:
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk…Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
But Google has a defense:
In 2013, they updated their policy on making vulnerabilities public. Here is the relevant portion of that policy:
“Based on our experience, however, we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.
Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”
If you read the policy literally, Google does not think Microsoft’s anger over this is justified. But if you also consider that this is the first time in three years that they have invoked that policy, you may feel something doesn’t sound right about this. Microsoft is a major tech rival to Google, and the disclosure could be interpreted as a business decision.
In any case, update Flash on your Windows computer while Microsoft works on a patch for the flaw in its win32k component.