Google Exposes Active Windows Kernel Level 0-Day Vulnerability And It's Still Unpatched
Once again Google and Microsoft are at odds over the former's decision to disclose a zero-day vulnerability affecting the latter's Windows operating system. Google alerted both Adobe and Microsoft on October 21, 2016, of previously disclosed security flaws it discovered and in the time that has passed Adobe has issued patch (CVE-2016-7855) and Microsoft has not.
Google's policy on zero-day and other critical vulnerabilities it believes are being actively exploited in the wild is to give software makers seven days to issue a patch or advisory. Once that time period elapses, Google discloses the security to the public. In this case, Google waited 10 days before disclosing the vulnerability on Halloween.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability," Google stated in a blog post.
Microsoft and Google have never been in agreement with Google's policy of disclosing vulnerabilities after just seven days. While Google thinks it is imperative to inform users of critical security flaws that are being exploited, Microsoft feels the exploitation aspect is the very reason Google should be more patient.
"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk," a Microsoft spokesperson said in a statement. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft made a fuss when Google disclosed zero-day flaws in Windows 8.1 last year, though to no avail—Google responded by disclosing even more vulnerabilities just days later. Now the two are seemingly at odds again.
As for Windows 10, Microsoft squashed five zero-day bugs in a patch released earlier this month, so it's not as if Microsoft is sitting idle here.
Google's policy on zero-day and other critical vulnerabilities it believes are being actively exploited in the wild is to give software makers seven days to issue a patch or advisory. Once that time period elapses, Google discloses the security to the public. In this case, Google waited 10 days before disclosing the vulnerability on Halloween.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability," Google stated in a blog post.
Microsoft and Google have never been in agreement with Google's policy of disclosing vulnerabilities after just seven days. While Google thinks it is imperative to inform users of critical security flaws that are being exploited, Microsoft feels the exploitation aspect is the very reason Google should be more patient.
"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk," a Microsoft spokesperson said in a statement. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft made a fuss when Google disclosed zero-day flaws in Windows 8.1 last year, though to no avail—Google responded by disclosing even more vulnerabilities just days later. Now the two are seemingly at odds again.
As for Windows 10, Microsoft squashed five zero-day bugs in a patch released earlier this month, so it's not as if Microsoft is sitting idle here.
