Today, Google’s Threat Analysis Group disclosed a critical vulnerability in Windows in a public post on the company’s security blog. The bug itself is narrow in scope: a local privilege escalation in the win32k.sys kernel driver that lets an attacker who already has code running inside a security sandbox break out of it. Google rates it critical, and says it is being actively exploited in the wild. As a result, Google went public just 10 days after reporting the bug to Microsoft, before a patch could be developed and deployed. Google says Chrome users are already protected, because on Windows 10 the Chrome sandbox blocks the win32k.sys system calls the exploit relies on, but Windows itself is still vulnerable, and now everybody knows it.
Google’s disclosure gives only a general description of the bug, enough for defenders to recognize a possible attack without making it easy for criminals to replicate it. The exploit chain Google observed also depends on a separate vulnerability in Adobe Flash, which is used to get code running in the browser before the Windows bug is used to escape the sandbox; Adobe has already released a patch for that Flash bug. Still, simply knowing that the Windows bug exists will likely spur criminals to look for viable ways to exploit it against computers that have yet to update Flash.
In a statement first given to VentureBeat, Microsoft harshly criticized the disclosure. “Today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
On Tuesday, Microsoft followed up with more detail in a post by Executive VP Terry Myerson. Myerson attributed the exploitation of the bug to a group called Strontium, a Russia-linked group also called Fancy Bear. Myerson emphasized that Windows 10 users browsing with Edge would be protected from the attack, and promised a system-wide patch to be shipped on November 8th.
The brief grace period is in accordance with a policy Google put in place in 2013, under which critical vulnerabilities that are under active exploitation may be disclosed seven days after they’re reported to the vendor. At the time, a number of researchers criticized the policy as overly harsh, arguing that seven days was not enough time to properly respond to a complex vulnerability. This is the first major invocation of the policy in the three years since it was put in place; Google’s engineers defended the decision as necessary given the active exploitation of the bug.
“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not,” Google’s post recommends, “and to apply Windows patches from Microsoft when they become available.”
Update 4:44PM: Updated with more detail from Myerson post.