Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on 21 October. Rather than being hauled over the carpet for its double standards, Microsoft is being portrayed in the press as the bad guy for not fixing the fault. Google claims the critical Windows vulnerability is being actively exploited in the wild, so it knows that the disclosure is putting Vole's customers at risk.
“That means attackers have already written code for this specific security hole and are using it to break into Windows systems and yet Microsoft has not still released a fix nor issued an advisory for this flaw,” screamed Venture Beat.
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
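To check whether the Win32k lockdown mitigation mentioned above is actually in force on a given machine, the following added example (not code from Google or Microsoft) reports the system call disable policy for each running process with a given name. It assumes Windows 10 version 1709 or later, where the `Get-ProcessMitigation` cmdlet is available; the function name `Get-Win32kLockdownStatus` and the sample process name `chrome` are illustrative choices.

```powershell
# Added example: report the Win32k lockdown state of running processes.
# Assumption: Windows 10 1709+ (the ProcessMitigations module provides
# Get-ProcessMitigation). Function name and sample process are hypothetical.
function Get-Win32kLockdownStatus {
    param(
        [Parameter(Mandatory)]
        [string]$ProcessName
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # -Id queries the live process, so policies set at runtime are included.
            $mitigation = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            # Value is ON, OFF or NOTSET.
            $state = [string]$mitigation.SystemCall.DisableWin32kSystemCalls
        }
        catch {
            # The process may have exited, or the caller may lack rights to query it.
            $state = 'UNKNOWN'
        }

        [pscustomobject]@{
            ProcessId      = $proc.Id
            Name           = $proc.ProcessName
            Win32kLockdown = $state
        }
    }
}

# Per-process view, then a count per state so unprotected processes stand out.
$results = Get-Win32kLockdownStatus -ProcessName 'chrome'
$results | Sort-Object Win32kLockdown, ProcessId | Format-Table -AutoSize
$results | Group-Object Win32kLockdown | Select-Object Name, Count
```

A process reported as ON cannot make win32k.sys system calls at all, which is why the call path described above is unreachable from inside it.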
However, most software companies think that a week is not enough time to code, test, and issue a patch for a security flaw – particularly on an operating system.
Google claims that it prefers to make the public aware sooner rather than later, but it is not clear why that policy does not apply to Apple. Many security researchers maintain that details should only be shared once a patch is available.
Google has done this to Microsoft twice before, both times in January 2015. Microsoft understandably wasn’t pleased, but this time around is even more serious: neither of those earlier vulnerabilities was being actively exploited.
Vole issued a statement saying that Google’s disclosure has placed customers at potential risk.
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”