Russell Brandom says, “Today, Google’s Threat Analysis group disclosed a critical vulnerability in Windows in a public post on the company’s security blog. The bug itself is very specific — allowing attackers to escape from security sandboxes through a flaw in the win32k system — but it’s serious enough to be categorized as critical, and according to Google, it’s being actively exploited. As a result, Google went public just 10 days after reporting the bug to Microsoft, before a patch could be coded and deployed. The result is that, while Google has already deployed a fix to protect Chrome users, Windows itself is still vulnerable — and now, everybody knows it.

Google’s disclosure provides only a general description of the bug, giving users enough information to recognize a possible attack without making it too easy for criminals to replicate. Exploiting the bug also depends on a separate exploit in Adobe Flash, for which the company has also released a patch. Still, simply knowing that the bug exists will likely spur a lot of criminals to look for viable ways to exploit it against computers that have yet to update Flash.

First reached by VentureBeat, Microsoft harshly criticized the disclosure. “Today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

The brief grace period is in accordance with a policy Google put in place in 2013, allowing critical vulnerabilities to be disclosed only seven days after they’re reported to the vendor”.

Google just disclosed a major Windows bug — and Microsoft isn’t happy

Re/code

Sharing is caring