On October 21, Google informed Microsoft’s security team of a zero-day vulnerability. Google says that the vulnerability in the Windows kernel is being actively exploited in the wild by attackers.
Yesterday, a little over a week after telling Microsoft and before a patch had been released, Google disclosed details of the vulnerability (known as CVE-2016-7855):
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
If the issue is, as it sounds, deep down within the internals of Windows then it’s not something that can necessarily be fixed in a few minutes - and Microsoft will want to do thorough testing of any patch before it pushes out a fix to its millions of users.
And yet Google has once again got ants in its pants, pressuring one of its arch-rivals by publicly sharing details of the flaw. It’s not as though Microsoft hasn’t stumbled before by releasing security updates before they have been properly tested…
And, if there were previously any malicious attackers who didn’t know where to look for an unpatched zero-day vulnerability in Windows, they have now got a good idea of where they should be focusing their attention - thanks to Google.
Google’s security researchers would argue that they’re doing the internet community a service by going public and telling Windows users to be sure to apply a patch whenever Microsoft comes up with one.
I, however, tend to side more with Microsoft - particularly with the comment that they offered VentureBeat:
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk.”
No, it’s bad that Windows has a zero-day vulnerability that is being exploited. Yes, Microsoft should have found the flaw itself rather than having to depend on a third party to tell them about it. But I feel confident that Microsoft recognises the importance of fixing the security hole, and is working hard at doing so.
Google’s security team are being unrealistic about the complexity of fixing software vulnerabilities in such important software, and should have co-ordinated more closely with Microsoft to responsibly disclose the issue when a security patch was made available.
But worse than that, Google’s petulant insistence that software companies release security patches to unrealistic deadlines imposed by Google puts more users at risk.