Google's Threat Analysis Group has been doing good work of late, but this time some have argued they jumped the gun. Yesterday, the search giant revealed to the public a Windows exploit without giving its competitor much time to fix it.
According to Google's Neel Mehta and Bill Leonard, the security flaw “is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered by the win32k system call NtSetWindowLongPtr() for the index GWLP_ID.”
It's worth noting that Google has not reduced its release time in regards to Microsoft. The team's usual timeframe is seven days for vulnerabilities they deem critical – the Redmond giant actually had ten.
“We believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation,” states the company's policy. “The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Though Google notes that seven days is not enough for most vendors to fix problems, it believes it's enough time to put workarounds in place or disable services. However, Microsoft thinks the release puts customers at risk.
Early this morning, a Microsoft spokesperson told VentureBeat:
“We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
It's clear that this is yet another thing the rivals don't agree on. However, a source close to Microsoft reveals that this exploit depends on a separate Flash Player vulnerability, which Google disclosed on October 26th.
The report describes an attacker taking control of a machine, and the affected targets span Windows versions including 8.1 and 10. For now, Google recommends updating to the latest Flash version, which should mitigate both issues. A Windows security patch will likely follow shortly.