Google on Monday published details of a previously undisclosed flaw that could pose a security threat to users of the Microsoft Windows operating system.
Google notified both Microsoft and Adobe of zero day vulnerabilities in their software on Oct. 21, wrote Neel Mehta and Billy Leonard, members of Google’s Threat Analysis Group, in an online post.
Google's published policy is to disclose critical vulnerabilities that are being actively exploited seven days after it notifies the software maker. Adobe was able to fix its vulnerability within seven days; Microsoft was not.
“This vulnerability is particularly serious because we know it is being actively exploited,” wrote Mehta and Leonard.
However, Google’s Chrome browser prevents exploitation of the vulnerability when running in Windows 10, they added.
“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” Microsoft said.
After gaining an initial foothold on a system, attackers typically try to elevate their privileges on it to gain access to increasingly sensitive data and to escape whatever sandbox or restricted account they landed in.
“Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented,” Microsoft noted.
The Windows vulnerability Google's team discovered is a local privilege escalation in the Windows kernel, triggered through a win32k.sys system call, that can be used as a security sandbox escape, according to Mehta and Leonard.
The sandbox in Google's Chrome browser blocks win32k.sys calls using the Win32k lockdown mitigation on Windows 10, a process mitigation policy that prevents a sandboxed process from invoking win32k.sys system calls at all, so the sandbox escape cannot be triggered from a renderer, they explained in their post.
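The practical question for an administrator reading this is whether a given sandboxed process on their machines actually runs with that mitigation. The script below is an added check, not code from the article, from Google or from Microsoft. It assumes a Windows 10 build that ships the ProcessMitigations module (Get-ProcessMitigation, available in later Windows 10 releases than the 2016 Anniversary Update the article mentions), an elevated prompt to read other users' processes, chrome.exe as the process name, and that the module reports the win32k policy under SystemCall.DisableWin32kSystemCalls as ON/OFF/NOTSET; that property path is taken from the module's output format and should be adjusted if your version differs.

```powershell
# Added example (not from the article, Google or Microsoft): report which running
# processes of a given image name have the Win32k system-call lockdown mitigation.
# Assumptions: Windows 10 with the ProcessMitigations module, elevated shell,
# process name chrome.exe, and the SystemCall.DisableWin32kSystemCalls property
# as reported by Get-ProcessMitigation.
param(
    [string]$ProcessName = 'chrome.exe'
)

Import-Module ProcessMitigations -ErrorAction Stop

$baseName = $ProcessName -replace '\.exe$', ''

$report = foreach ($p in Get-Process -Name $baseName -ErrorAction SilentlyContinue) {
    try {
        # -Id queries the live mitigation policy of one running process.
        $m = Get-ProcessMitigation -Id $p.Id -ErrorAction Stop
        [pscustomobject]@{
            Id             = $p.Id
            Name           = $p.ProcessName
            Win32kLockdown = $m.SystemCall.DisableWin32kSystemCalls   # expected: ON / OFF / NOTSET
        }
    }
    catch {
        # Typically access denied when not elevated or when the process belongs to another user.
        [pscustomobject]@{
            Id             = $p.Id
            Name           = $p.ProcessName
            Win32kLockdown = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Id | Format-Table -AutoSize

# Chrome's browser (broker) and GPU processes legitimately keep win32k access to draw the UI;
# renderer processes, where untrusted web content runs, are the ones that should show ON.
$unlocked = @($report | Where-Object { $_.Win32kLockdown -ne 'ON' })
"Processes named $ProcessName without win32k lockdown: $($unlocked.Count)"
```

Run it as `.\Check-Win32kLockdown.ps1 -ProcessName chrome.exe` from an elevated PowerShell. A non-zero count is not by itself a finding, because the broker and GPU processes are expected to appear there; what matters is that every renderer process reports ON, since those are the processes the vulnerability would have to be reached from.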
Google’s decision to release details of the vulnerability before Microsoft had a chance to get out a fix has resurfaced a long-standing debate over responsible disclosure. Many security researchers have long held that vendors should be given a reasonable shot at fixing reported flaws in their products before details of the vulnerability are publicly disclosed.
Others, especially bug hunters, have said the only way to get some vendors to address security issues quickly is to give them a tight deadline for fixing the issues and to threaten them with public disclosure if they don’t.
The latest incident shows why some sort of regulatory requirement should be put in place to guide disclosure practices, said Udi Yavo, chief technology officer and co-founder at security vendor enSilo.
“The Google-Microsoft disclosure dispute is yet another example of why the 90-day window for vulnerability disclosure that has been industry practice for some time should be an actual regulatory requirement,” he said in an emailed statement.
The legislation should spell out the grace time that is available for vendors that are not able to meet the 90-day window and the consequences for violating these rules.