Google Exploit Announcements put customer at potential risk says Microsoft
Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft. Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild.
That means attackers have already written code for this specific security hole and are using it to break into Windows systems reports venturebeat today.
A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it. Indeed, Microsoft has not released a fix nor issued an advisory for this flaw. Google described this particular Windows vulnerability as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Also on October 21, Google shared a Flash vulnerability (CVE-2016-7855) with Adobe, which that company patched on October 26. That means users can simply update to the latest version of Flash. For the other security flaw, Google merely recommends “to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
A web plugin like Flash is a lot less complex than an operating system like Windows. This is one of the reasons why Google’s policy for actively exploited critical vulnerabilities — namely publicly disclosing details after seven days — is so controversial. Many software companies argue that a week is not enough time to code, test, and issue a patch for a security flaw. Google prefers to make the public aware sooner rather than later, but many security researchers maintain that details should only be shared once a patch is available. This is not the first time that Google has disclosed Windows vulnerabilities before a patch was ready. In fact, the company did this for Windows 8.1 twice in January 2015. Microsoft understandably wasn’t pleased, but this time around is even more serious. Both of those earlier vulnerabilities weren’t being actively exploited.
We have reached out to Microsoft regarding Google’s disclosure today and will update you if we hear back.
Update at 12:45 p.m. Pacific: Microsoft issued a statement, though the company did not share when a patch could be expected.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
A source close to the company also shared that the exploit Google describes requires the Adobe Flash vulnerability. Since Flash has been patched, the Windows vulnerability is mitigated. That said, Microsoft still needs to plug the security hole as it could be leveraged in other types of attacks.
Google explains reasons behind 30-minute service outage - 01/27/2014 08:52 AM
Following one of the longer cross-service outages for Google in recent memory, the search and software giant sent out an apology and explanation for today's occurrences. According to the Official Goo...
Tour the Titanic with Google Earth - 04/16/2012 09:21 AM
Google Earth has made possible to tour a 3D model of the ship as it lies in pieces on the bottom of the Atlantic Ocean. ...
Google Earth gets Improved - 01/29/2012 12:39 PM
Google has published Google Earth 6.2. This new release offers a seamless globe, as the search giant devised a way to harmonize aerial photography taken on different dates and under different lighting...
Google exits China, routes traffic to Hong Kong - 03/23/2010 11:23 AM
A shame that this had to happen really, but clever solve. After weeks of negotiations with Chinese authorities, Google has stopped censoring results on its Chinese search engine. Starting today, visit...
Get famous on Google Earth - 03/29/2009 10:01 AM
Hehe .. too funny really. An 18-year old UK fellah thought the best way to get noticed on Google Earth would be to paint a giant 60 feet phallus on the flat roof of his parent's mansion. His parents o...
Member
Posts: 34
Joined: 2016-05-25
Are Windows 7 updates fixed by chance? I have had W7 updates disabled for the last 6 months.. and would re-enable if it happens to be functioning again..
Senior Member
Posts: 19503
Joined: 2010-04-21
lol, nope, dunno about installs last updated 6 months back, but clean installs still need a PITA workaround to get them to see WUs, or use 3rd party tools
Senior Member
Posts: 6074
Joined: 2011-01-02
Google did the right thing, make noise and force m$ to actually fix the problem instead of pulling crap.
Now this hussle not just between coders.
Senior Member
Posts: 6074
Joined: 2011-01-02
Didnt update mine for a loooong time now, nothing but trouble came out of updating Win7.
Unless you actually trying to get your PC infested you are fine. If someone serious after your PC, believe me, latest win upgrade and anti-viruses wont stop him. Anti viruses are just malware this days, it has cute UI showing its hard work and how you would be ****ed up if you dont use it.
So yeah, relax. There probably much more horrible exploits out there, yet to be discovered by good guys and announced.
Senior Member
Posts: 586
Joined: 2008-06-20
Ok, Google, piss off. Your Chrome is not perfect and has its share of issues, it is stupid to promote it in such way.