The privilege escalation bug in Microsoft's Windows is deemed a zero-day vulnerability, and while Microsoft may frown upon Google's announcement, the public disclosure might speed up the patch delivery.
After informing Microsoft about a critical Windows vulnerability on 21 October, Google has now publicly disclosed the security flaw despite the fact that Microsoft has yet to release a patch to fix it. The spokesperson added that the company recommended the use of Windows 10 and also Microsoft's Edge browser in order to avail of the best protection. Microsoft and Google have never been in agreement over Google's policy of disclosing vulnerabilities after just seven days.
When approached by VentureBeat about the Google Threat Analysis post, Microsoft did not mince its words.
Google has just publicly disclosed a critical open vulnerability in Windows.
It can be triggered using a particular win32k.sys system call, detailed by Google in its advisory. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised".
Google Chrome already blocks this sort of attack on Windows 10 using a modification to the Chromium sandbox called "Win32k lockdown".
It's not even the first time Google and Microsoft have squabbled over the former's tight timeline for fixing vulnerabilities.
Microsoft's Chris Betz wrote at the time: "The decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result". It suggests that users check to see if Flash has automatically updated and to manually update the software if it hasn't.
Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazineUK.com: "I think Google shall finally find a way to cooperate with Microsoft in a straightforward and rapid manner, instead of scaring them with full disclosure". Adobe Flash Player was affected by the vulnerability, and the security patch prevents attackers from gaining control of the system. Since Flash has been patched, the Windows vulnerability is mitigated.