Google Discloses Unpatched Windows Bug Despite Microsoft Objections

Google late on Monday released details of a serious flaw in Windows over the objections of Microsoft, which argued the disclosure puts users at risk since there is currently no fix available.

The search company regularly releases bug reports through its controversial security programe, which has a policy to disclose flaws on a set schedule whether they have been fixed or not.

Vendor pressure

The policy is intended to put pressure on software makers to make fixes available faster.

In most cases Google waits 60 days before disclosure, but when a bug is known to be actively exploited to attack systems – as in this instance – the period drops to seven days.

“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” Google said. “This vulnerability is particularly serious because we know it is being actively exploited.”

Google explained that the bug allows remote attackers who have access to a low-level account to execute code with higher-level privileges, allowing it bypass a security sandbox and do more damage.

Danger to users

It can be triggered using a particular win32k.sys system call, detailed by Google in its advisory.

The company said its own Chrome browser blocks such calls using the Win32k lockdown mitigation feature in Windows 10.

Microsoft said the disclosure could expose customers to danger: “Today’s disclosure by Google could put customers at potential risk. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Last year Google said it would give software vendors extensions to its 60-day disclosure period if they say they’re working on a patch, but that doesn’t apply to bugs being actively exploited, which get only seven days.

‘Aggressive’ policy

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” Google said in the policy statement.

“As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”

Google also disclosed a bug in Adobe’s Flash Player that it had reported to Adobe on 21 October, the same day it informed Microsoft of the Windows flaw. Adobe fixed the bug, identified as CVE-2016-7855, in a 26 October update, Google said.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google noted.

Windows 10: what do you know about the one operating system to rule them all? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Ordered To Pay $43m By Australian Court

Search engine Google fined $43 million by Australian court for tracking Android users location data…

1 day ago

Hacker Touts Data Sale Of 48.5m Users Of Covid App – Report

Personal data of 48.5 million Chinese citizens who used Shanghai's Covid App, is being offered…

1 day ago

Facebook Tests Default End-to-End Encryption For Messenger

Privacy move. Platform tests secure storage of people's chats on Messenger, in a move sure…

1 day ago

UK’s CMA Begins Probe Of Viasat Acquisition Of Inmarsat

British competition regulator the CMA, begins phase one investigation of $7.3 billion merger between Inmarsat…

2 days ago

Cisco Admits ‘Security Incident’ After Breach Of Corporate Network

Yanluowang ransomware hackers claim credit for compromise of Cisco's corporate network in May, while Cisco…

2 days ago

Google Seeks To Shame Apple Over RCS Refusal

Good luck convincing Tim. Google begins publicity campaign to pressure Aple into adopting the cross…

2 days ago