Disclosure, it's the fight that never ends

Credit: Reuters/Pichi Chuang

On Monday, Google disclosed a zero-day vulnerability in Windows that, if exploited, lets an attacker escape a security sandbox. In response, Microsoft didn’t offer details on a fix, instead choosing to promote Windows 10 and argue for coordinated disclosure.

Google says the flaw was discovered on October 21, along with a vulnerability in Adobe’s Flash. Adobe fixed their software last Wednesday, but since the Windows vulnerability is being actively exploited online, Google disclosed basic details about the flaw on Monday.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” a Google blog post explains.

A Microsoft spokesperson said Google’s actions have potentially placed customers at risk. The statement goes on to reiterate the software giant’s belief in coordinated vulnerability disclosure, along with a brief nudge for everyone to update to Windows 10.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” the company said in a statement emailed to Salted Hash.

Google normally has a 60-day limit on disclosure, which starts from the time they discover a given vulnerability and notify the vendor. When the vulnerability is being actively exploited, Google will wait seven days before disclosing. The ultimate goal is a complete fix, and while Google believes that seven days might be too soon for a proper patch, it’s plenty of time to issue guidance and notification.

This isn’t the first time that Google and Microsoft have been at odds over disclosure, and it won’t be the last.

It’s also worth noting the exploit referenced by Google is already mitigated for some since it requires the previously patched Adobe Flash vulnerability. However, if a system is vulnerable to the Flash vulnerabilities – as outlined here – the Windows flaw disclosed by Google is still an issue.

6:11 p.m. – This story was updated with a statement from Microsoft.

11/01/2016 – Microsoft issued additional details and comments; the full blog post is available here. The highlight is that a patch for the flaw will be released on November 8. The blog also blames a Russian actor they call Strontium for the attacks against the flaw, via low-level phishing campaigns.

“We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.”