The firm goes public with unpatched Windows security flaw

Nov 1, 2016 06:27 GMT

Google decided to post details of a critical security flaw in Windows on the company’s blog only 10 days after notifying Microsoft, explaining that the vulnerability is already being exploited by attackers.

The disclosure was published by the company’s Threat Analysis Group, whose policy states that software companies have 7 days to issue a patch for security flaws found in their products before the flaws are publicly disclosed.

Specifically, Google explains that it discovered a security issue in the Win32k system component that allows attackers to bypass the operating system’s security sandbox and gain administrator privileges on vulnerable systems.

“No advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited,” Google says.

Google’s blog post does not include instructions on how to build an exploit, but attackers could nonetheless start looking into ways to replicate a successful attack now that they are aware of the unpatched vulnerability.

According to the same disclosure, a successful exploit also involves an Adobe Flash vulnerability that Google has already patched, so Chrome users should be entirely protected.

Microsoft blames Google for making users vulnerable to attacks

Microsoft, on the other hand, doesn’t seem to agree with Google’s policy and says that this public disclosure exposes its users to attacks.

“Today’s disclosure by Google puts customers at potential risk. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” the company explained.

Microsoft Edge has reportedly already received the same Adobe Flash Player patch as Google Chrome, so the exploit shouldn’t work there. Users of other browsers, however, remain vulnerable to attacks.

Google says that the easiest way to block attacks is to manually update Flash Player, explaining that users should also install Windows patches… when they become available.

Microsoft’s next Patch Tuesday takes place on November 8, but the company could release an out-of-band update in the coming days to fix the flaw, given that it’s already being exploited in the wild. Most likely, Redmond’s plan was to wait until Patch Tuesday to deliver a fix, but given Google’s disclosure policy, the firm now has to ship it a few days earlier.