Google discloses actively exploited Windows vulnerability before Microsoft patch is ready
Google has shared details of a 0-day vulnerability in Windows a mere 10 days after informing Microsoft of the problem. In Google's own words, "this vulnerability is particularly serious because we know it is being actively exploited", but the company is accused of putting users at risk.
Microsoft is yet to produce a patch for the security problem, and it's not clear when one will be released.
Google's argument is -- as it has been in the past -- that publicly revealing problems with Windows and other software helps to protect users by encouraging developers to fix things faster than they otherwise might. But "disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released" is a controversial move simply because of the sheer number of people using the operating system.
Writing about the vulnerability on its security blog, Google says:
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
Google says that the public revelation is in line with its standard disclosure policy, but this does not mean that the news has gone down well. Microsoft is far from happy about Google's announcement. In a statement to VentureBeat the company says:
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."