Google has a Threat Analysis Group that tracks attackers and the vulnerabilities they use. The group recently discovered one such vulnerability in Windows, and Microsoft is not happy about how it was handled. Google went so far as to say that the bug is already being exploited in the wild.
About the Bug
Google is categorizing the bug as critical even though it is very specific. It allows attackers to escape from a security sandbox: a process that is otherwise confined can reach the flaw, which lies in win32k.sys, the Windows kernel-mode driver that handles windowing and graphics. Google's description of the bug is deliberately basic. It released enough detail for the public to recognize an attack, but limited the information so it does not hand cyber criminals an easy exploit. The exploitation has been attributed to Strontium, a Russian group.
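Because the escape route runs through win32k.sys, a sandbox that blocks win32k system calls from a confined process cannot be escaped through a win32k bug, patched or not. The following PowerShell is an added example for this page, not Google's or Microsoft's code, showing how an administrator can check and enable that process mitigation on modern Windows. It assumes the ProcessMitigations module (Windows 10 1709 or later) and an elevated prompt, and the image name `renderer.exe` is a placeholder.

```powershell
# Added example (not from the article): check whether a process image, e.g. a
# browser's sandboxed renderer, is set to block win32k.sys system calls, and
# enable the mitigation if not. Requires the ProcessMitigations module
# (Windows 10 1709+ / Server 2019+) and an elevated prompt to change settings.
function Test-Win32kLockdown {
    param([Parameter(Mandatory)][string]$ImageName)
    $m = Get-ProcessMitigation -Name $ImageName -ErrorAction Stop
    # SystemCall.DisableWin32kSystemCalls reports ON, OFF or NOTSET
    return ($m.SystemCall.DisableWin32kSystemCalls -eq 'ON')
}

function Enable-Win32kLockdown {
    param([Parameter(Mandatory)][string]$ImageName)
    # A process that still draws through GDI/USER will fail once these
    # syscalls are blocked, so only apply this to images designed for it
    # (renderers, content processes) and test before rolling out widely.
    Set-ProcessMitigation -Name $ImageName -Enable DisableWin32kSystemCalls
}

$image = 'renderer.exe'   # placeholder image name for illustration
if (Test-Win32kLockdown -ImageName $image) {
    "win32k system calls already blocked for $image"
} else {
    Enable-Win32kLockdown -ImageName $image
    "win32k lockdown enabled for $image (applies to newly started processes)"
}
```

The setting is stored per image name under the Image File Execution Options key, so it takes effect only for processes started after the change; existing processes keep their current policy.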
Why Google Released the Data and Not Microsoft
Google had notified Microsoft of the bug 10 days before bringing the news to the public. The information was released before Microsoft could develop and ship a patch for Windows. At the time of the release, Google had already deployed a protection for all Chrome users, while Microsoft had yet to fix Windows. Microsoft did promise a patch for the bug on November 8. Google is within its rights to publish information about a bug in a vendor's system and has technically not stepped on many toes, but Microsoft does not agree.
Why Microsoft is Not Happy
Many people would look at the situation and think that Microsoft is unhappy because the release makes it look as though it is not trying to fix the bug. However, Microsoft has released a statement explaining why it is unhappy with Google: it says Google is putting customers at risk by releasing information that can be used against them. Microsoft has also recommended that people use Windows 10 together with the Microsoft Edge browser to better protect themselves until the bug has been fixed.
The Grace Period Enforced in 2013
Under a Google policy dating from 2013, a vulnerability that is being actively exploited may be disclosed seven days after the vendor has been notified. In this case, Google waited 10 days after reporting the bug to Microsoft before publishing. Many people said, well before this incident, that seven days is not enough time to fix a vulnerability and that vendors should be given more. Until now that was only a concern in principle; this is the first time Google has actually used the policy to inform the public. Google also said it was important to release the data because the bug was actively being exploited at the time, leaving many customers vulnerable to an attack.
Importance of Applying Patches and Updates
It has been said before, and this incident is further proof that the rule needs to be repeated: to be as protected as possible, you must install system updates and patches as soon as they become available. An update may be small, or it may protect you from an attack like this one.
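The practical version of that rule is to check regularly which applicable updates a machine has not yet installed, and, once a vendor names the fix, to verify that it is actually present. The PowerShell below is an added example for this page, not code from the article, Google or Microsoft; it uses the Windows Update Agent COM API and Get-HotFix, both standard on Windows. The KB number it checks is a placeholder to be replaced with the identifier of the fix you need to verify.

```powershell
# Added example (not from the article): list updates that Windows Update
# considers applicable but not yet installed, then verify one KB by number.
function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not installed, not hidden by an admin, software only (skips drivers)
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = $u.MsrcSeverity      # Critical/Important/Moderate/Low or empty
            Downloaded = $u.IsDownloaded
        }
    }
}

function Test-KBInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix reads the installed QFE list; on Windows 10 the cumulative
    # update that carries a fix is listed here under its own KB number.
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$missing = Get-MissingUpdates
$missing | Sort-Object Severity | Format-Table -AutoSize

$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    Write-Warning "$($critical.Count) critical update(s) pending; install them now."
}

$kb = 'KB0000000'   # placeholder: substitute the KB of the fix you need to verify
if (Test-KBInstalled -KB $kb) { "$kb is installed" } else { Write-Warning "$kb is NOT installed" }
```

The search is only as good as the update source the machine is pointed at: on a domain with WSUS, an update an administrator has not approved will not appear as missing, so a clean result there does not mean the machine is patched against everything Microsoft has released.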