Google decided to post details of a critical security flaw in Windows on the company’s blog only 10 days after notifying Microsoft, explaining that the vulnerability is already being exploited by attackers.
The disclosure was published by the company’s Threat Analysis Group, whose policy gives software companies 7 days to issue a patch for security flaws found in their products before they are publicly disclosed.
Specifically, Google explains that it discovered a security issue in the Win32k system that allows attackers to bypass the security sandbox of the operating system and gain administrator privileges on the vulnerable systems.
“No advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited,” Google says.
Microsoft, on the other hand, doesn’t seem to agree with Google’s policy and says that this public disclosure exposes its users to attacks.
“Today’s disclosure by Google puts customers at potential risk. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” the company explained.
Microsoft Edge has already received the same Adobe Flash Player patch as Google Chrome, it’s been reported, so exploits shouldn’t be possible. In the case of other browsers, however, users are still vulnerable to attacks.
Google says that the easiest way to block attacks is to manually update Flash Player, explaining that users should also install Windows patches… when they become available.
Microsoft’s next Patch Tuesday takes place on November 8, but the company could release an out-of-band update in the coming days to fix the flaw, given that it’s already being exploited in the wild. Most likely, Redmond’s plan was to wait until Patch Tuesday to deliver a fix, but given Google’s disclosure policy, the firm now has to ship it a few days earlier.