
Microsoft isn't happy about Google revealing a Windows vulnerability that's being actively exploited



Google has angered Microsoft by announcing a critical security flaw in Windows that remains unpatched ten days after disclosing it to the Redmond-based company.

In its blog post, Google explains that it reported the zero-day vulnerabilities to Adobe and Microsoft on October 21. Adobe issued a critical fix to patch the bug last Friday, but the Windows vulnerability still hasn’t been addressed by Microsoft. Worst of all, Google says it is being actively exploited in the wild.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Google’s Threat Analysis Group. “This vulnerability is particularly serious because we know it is being actively exploited.”

The Windows zero-day, which can be triggered via a win32k.sys system call, could allow an attacker to escape from the operating system’s security sandbox and gain administrator privileges. Google recommends updating Flash as soon as possible and applying Windows patches as soon as they become available.

Microsoft is angry that Google publicly announced the vulnerability before it had a chance to issue a fix.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Microsoft clarified that exploiting the Windows vulnerability requires the Flash bug, so users who have received the patch are protected. But VentureBeat points out that until Microsoft sends out a fix, the flaw could be leveraged in other types of attacks.
