GOOGLE HAS gone public with a zero-day flaw in Windows just days after reporting the problem to Microsoft.
Google has a policy of notifying the public of unpatched vulnerabilities in third-party software seven days after reporting them to the company concerned if it sees them being actively exploited.
The firm claims to have notified Microsoft 10 days earlier, before going public on Monday. Google generally goes public after 90 days for unexploited glitches.
"We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution. Over the years, we've reported dozens of actively exploited zero-day vulnerabilities to affected vendors," the company explained in a Google Security Blog post.
Google has provided only basic information about the vulnerability, which is a privilege escalation bug, so as not to give hackers ammunition.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," said a post on Google's Security blog.
"It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD."
Google goes on to say that the Chrome browser's sandbox feature blocks such system calls.
"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability," the firm said.
Microsoft did not welcome Google's intervention, saying that it increased the risk of a successful exploit.
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," said a Microsoft spokesperson.
"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft has not said when a patch will be made available to fix the vulnerability but did point out that a bug in Adobe Flash Player (CVE-2016-7855) is needed to exploit the Windows vulnerability so users with up-to-date Flash Player applications should be safe.
Adobe released an emergency patch for this flaw which Google told the company about on 27 October. µ
The INQUIRER's sister site Computing's Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, but places are going fast, so register now.
Archaic prototype shows Redmond has come a long way in hardware design
And woe betide if you're called Mohammed too
Lack of proper comms gets a frosty reception from Project Zero's Travis Ormandy
Wine 3.0 brings support for Windows apps to Google's mobe OS