Microsoft: Google has put our customers at potential risk

Google shares details of unpatched zero-day vulnerability in Windows, just ten days after telling Microsoft about it.

Microsoft: Google has put our customers at potential risk

On October 21, Google informed Microsoft's security team of a zero-day vulnerability. Google says that the vulnerability in the Windows kernel is being actively exploited in the wild by attackers.

Yesterday, a little over a week after telling Microsoft and before a patch has been released, Google has disclosed details of the vulnerability (known as CVE-2016-7855):

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

If the issue is, as it sounds, deep down within the internals of Windows then it's not something that necessarily can be fixed in a few minutes - and Microsoft will want to do thorough testing of any patch before they push out a fix to its millions of users.

And yet Google has once again got ants in its pants, pressuring one of its arch-rivals by sharing details publicly of the flaw. It's not as though Microsoft hasn't stumbled before by releasing security updates before they have been properly tested...

And, if there were previously any malicious attackers who didn't know where to look for an unpatched zero-day vulnerability in Windows, they have now got a good idea of where they should be focusing their attention - thanks to Google.

Google's security researchers would argue that they're doing the internet community a service by going public and telling Windows users to be sure to apply a patch whenever Microsoft comes up with one.

I, however, tend to side more with Microsoft - particularly with the comment that they offered VentureBeat:

"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk."

No, it's bad that Windows has a zero-day vulnerability that is being exploited. Yes, Microsoft should have found the flaw itself rather than having to depend on a third-party to tell them about it. But I feel confident that Microsoft recognises the importance of fixing the security hole, and is working hard at doing so.

Google's security team are being unrealistic about the complexity of fixing software vulnerabilities in such important software, and should have co-ordinated more closely with Microsoft to responsibly disclose the issue when a security patch was made available.

But worse than that, Google's petulant insistence that software companies release security patches to unrealistic deadlines imposed by Google puts more users at risk.

Update: Microsoft says you'll have to wait another week for critical Windows zero-day patch.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

10 Responses

  1. Bob

    November 1, 2016 at 12:16 pm #

    One of the exploits in the wild relies upon this exploit being used in concert with Flash* for extra effect/control. Microsoft took a long time patching their embedded version of Flash (in Edge) which exacerbated the problem.

    *https://www.grahamcluley.com/patch-flash/

    So far Google Chrome users are protected from this vulnerability BUT if you use any other application (e.g. Outlook, Dropbox, iTunes) that connects to the internet then you are at risk from this latest vulnerability.

    The best advice is make sure you've got Google Chrome up-to-date, ensure you've got decent anti-virus running and a firewall installed and pray that Microsoft will fix it ASAP.

  2. Erzengel

    November 1, 2016 at 3:27 pm #

    "Chrome's sandbox … prevents exploitation of this sandbox escape vulnerability."
    Call me cynical, but this right here is why Google made this revelation in such an unrealistic timeframe. Not to service the internet community, but to encourage people to use Chrome, since it's "protected".

    • Bob in reply to Erzengel.

      November 1, 2016 at 3:46 pm #

      Yes, you are cynical because Google release details of all manufacturers vulnerabilities after the time period has expired. Whether the grace period is sufficient is the question.

      Some software companies don't remediate vulnerabilities unless they're made public which is why Google have the policy they do.

      One other thing to remember is that this vulnerability has been known to Microsoft for a while. The recent Flash vulnerability (see Graham's article) was well known within the expert community. It became of critical significance a few days before it was made public.

      • Claire in reply to Bob.

        November 1, 2016 at 6:45 pm #

        Google then went on to say its windows version chrome is safe from this vulnerability…so its intention is very clear.
        Oh well bob, except for you lol

        • Bob in reply to Claire.

          November 1, 2016 at 9:39 pm #

          Actually, Claire, Microsoft Edge is "safe" but until they fix the vulnerability in the underlying OS there is always a way to break out of the sandbox in Chrome or Edge.

          Google always disclose vulnerabilities, irrespective of the manufacturer, after the time period has elapsed.

          • Erzengel in reply to Bob.

            November 1, 2016 at 11:31 pm #

            Then perhaps they should have included a list of protected browsers instead of crowing about their own browser's protective capabilities? It makes it look like an advert rather than a PSA.

            Google's policy on disclosure of zero-day exploits is 90 days with a 14 day extension if the affected company is in the process of testing. Google violated their own policy here. Why?

  3. Sandra

    November 1, 2016 at 6:28 pm #

    7 days is very tight for fixing a complex vulnerability, I think we agree here. But if I understand Google correctly, they don't expect a fix within a week. They would be happy with an MS security bulletin, stating the problem and that they are working on a fix.

    It should be possible for MS to publicly acknowledge the issue within 7 days.

  4. Claire

    November 1, 2016 at 6:44 pm #

    So Google leveraged its connections to patch Chrome quickly, but gave Microsoft 7 days to patch hundreds of millions of computers before disclosing the vulnerability to everyone. Is this how you "don't be evil"?

    • LizH in reply to Claire.

      November 1, 2016 at 7:47 pm #

      The "win32k lockdown" used by Chrome to mitigate this vulnerability has existed since December 2014, at least (https://googlechromereleases.blogspot.com/2014/12/dev-channel-update_18.html). I would say that Microsoft has had MUCH longer than 7 days to address this issue.

    • Bob in reply to Claire.

      November 1, 2016 at 9:41 pm #

      You might want to read this:

      https://en.wikipedia.org/wiki/Don%27t_be_evil

      How do you think a big corporation like Google are *not* going to "be evil"?

Leave a Reply