On Monday, Google’s Threat Analysis Group published details of a critical vulnerability in Microsoft’s Windows 10 that allows hackers to escape security sandboxes by using a system call with win32k.sys. The reason Google chose to go public with this knowledge is because it believes the vulnerability is being “actively exploited”.
Google had informed both Adobe and Microsoft of zero-day vulnerabilities only 10 days ago on October 21. While Adobe has already issued a patch for Flash – which is available via auto-updater or manual install – Microsoft has yet to send out an update for Windows 10 that blocks the use of this mechanism. And hence, as you’d expect, Microsoft isn’t happy with the disclosure.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” Microsoft conveyed to VentureBeat via a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Google’s short disclosure period for "vulnerabilities under active attack" came into effect in May 2013, bringing it down from 60 days to just a week. Google noted that 7 days might be “an aggressive timeline and may be too short for some vendors to update their products” but it justified the urgency of its disclosures by saying that it’s still enough time to inform users and give some advice.
Issuing a fix for a web plug-in such as Adobe Flash is obviously much easier than patching an operating system, which is why Google’s policy for vulnerabilities under active attack has remained controversial. For now, you should check to see Flash is updated and install Windows patches the moment Microsoft issues them.