Google Exploit Announcements put customer at potential risk says Microsoft
Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft. Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild.
That means attackers have already written code for this specific security hole and are using it to break into Windows systems reports venturebeat today.
A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it. Indeed, Microsoft has not released a fix nor issued an advisory for this flaw. Google described this particular Windows vulnerability as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Also on October 21, Google shared a Flash vulnerability (CVE-2016-7855) with Adobe, which that company patched on October 26. That means users can simply update to the latest version of Flash. For the other security flaw, Google merely recommends “to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
A web plugin like Flash is a lot less complex than an operating system like Windows. This is one of the reasons why Google’s policy for actively exploited critical vulnerabilities — namely publicly disclosing details after seven days — is so controversial. Many software companies argue that a week is not enough time to code, test, and issue a patch for a security flaw. Google prefers to make the public aware sooner rather than later, but many security researchers maintain that details should only be shared once a patch is available. This is not the first time that Google has disclosed Windows vulnerabilities before a patch was ready. In fact, the company did this for Windows 8.1 twice in January 2015. Microsoft understandably wasn’t pleased, but this time around is even more serious. Both of those earlier vulnerabilities weren’t being actively exploited.
We have reached out to Microsoft regarding Google’s disclosure today and will update you if we hear back.
Update at 12:45 p.m. Pacific: Microsoft issued a statement, though the company did not share when a patch could be expected.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.
Google explains reasons behind 30-minute service outage - 01/27/2014 08:52 AM
Following one of the longer cross-service outages for Google in recent memory, the search and software giant sent out an apology and explanation for today's occurrences. According to the Official Goo...
Tour the Titanic with Google Earth - 04/16/2012 09:21 AM
Google Earth has made possible to tour a 3D model of the ship as it lies in pieces on the bottom of the Atlantic Ocean. ...
Google Earth gets Improved - 01/29/2012 12:39 PM
Google has published Google Earth 6.2. This new release offers a seamless globe, as the search giant devised a way to harmonize aerial photography taken on different dates and under different lighting...
Google exits China, routes traffic to Hong Kong - 03/23/2010 11:23 AM
A shame that this had to happen really, but clever solve. After weeks of negotiations with Chinese authorities, Google has stopped censoring results on its Chinese search engine. Starting today, visit...
Get famous on Google Earth - 03/29/2009 10:01 AM
Hehe .. too funny really. An 18-year old UK fellah thought the best way to get noticed on Google Earth would be to paint a giant 60 feet phallus on the flat roof of his parent's mansion. His parents o...
Senior Member
Posts: 2741
Joined: 2007-05-31
Google did the right thing, make noise and force m$ to actually fix the problem instead of pulling crap.
Now this hussle not just between coders.
google is a pure imperialist company and represent evil

not that M$ is good... but...
Senior Member
Posts: 178
Joined: 2013-02-07
Have to agree. While it is akin to bullying, it takes a company as big as Google to make this happen. Microsoft provides the OS and Microsoft is responsible for security of its own code. Google is helping them by reporting and allows 10 days before reporting publicly. If they dropped the 10 days, what incentive does Microsoft have to expedite a resolution? Feet to fire - pull feet back or watch them melt.
Microsoft has publicly said 10 days is too short as the correct code must undergo validation testing. This is a feet dragging excuse made by every tech company. SSD has problem that needs correction by firmware? Company says the fix is undergoing testing. New BIOS to correct memory instability? Company says the fix is undergoing testing. New code to fix security exploit? Company says the fix is undergoing testing. Problem is, if they knew how to validate properly the flaw wouldn't be there in the first place. More time for testing is just a delay tactic.
Senior Member
Posts: 214
Joined: 2014-06-11
So does this mean I should or should not use a PC until it's fixed?

Senior Member
Posts: 1748
Joined: 2014-08-15
You should stay in basement 'till then.

Battle between Corporations,nothing new.

M$$$ wants some market share from Google,nothing new.Chrome is bad, IE & Edge are good,yeah right.
Senior Member
Posts: 297
Joined: 2014-11-06
google are as bad as microsoft personlly i dont trust anything they say about security risks , i have a win 7 32 bit which i removed some microsofts junk and i never update it if u dont want virus you need a good non microsoft firewall and a good vpn