Google has infuriated Microsoft by disclosing a critical vulnerability in Windows before it had a chance to fix it.
After warning Microsoft of the bug, Google gave the company just 10 days to fix it, rather than the usual 60 - because it is already being actively exploited by attackers. Microsoft has since criticised Google's behaviour, telling VentureBeat in a statement: "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk." The entire incident highlights a debate in the security industry about the ethics and correct approach to disclosing 0-day vulnerabilities in the software of others.
Microsoft believes that the responsible thing for Google to do would be to wait until the problem had been patched, so hackers can't use the disclosure to try and figure out what the vulnerability is so they can exploit it as well. But the counter-argument is that because the bug is already being actively exploited, the best thing Google could do was give Microsoft a smaller window to fix it, then publicly disclose it so potentially affected users can be made aware.
"We encourage users ... to apply Windows patches from Microsoft when they become available for the Windows vulnerability," Google employees said in a blog post announcing the vulnerability.
So what is the bug? It allows an attacker to escape from a security sandbox in Windows and execute code, compromising the target's computer. Google considers it a "critical" vulnerability.
Here's how Google describes the issue:
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
Microsoft did not immediately respond to Business Insider's request for comment.
Xiaomi has once again decided not to sell their top product in India. According
This week didn't look good for Apple. Google's new Pixel phone launched to posit
With the PS4 Pro hitting the shelves in less than 10 days, the age of iterative
OnePlus Co-Founder Carl Pei on Monday revealed CM12S will be released for the On
Sony may have broke the news during its E3 presser that GTA 5 is headed to the P
Lenovo seems to be betting big on convertible laptops. The company expanded its
Lenovo India started rolling out an update to the Vibe K5 Note that brings 4G Vo
Mindtree today announced its new analytics platform, based on Microsoft Azure se
Twitter Inc said Thursday it would cut 9 percent of its global workforce to keep
Google launched the Pixel phones in two sizes - 5-inch and 5.5-inch. The Pixel a