Google went public a couple of days ago with a zero-day flaw in Windows just days after reporting the problem to Microsoft. Google has a policy of notifying the public of unpatched vulnerabilities in third-party software seven days after reporting them to the company concerned if it sees them being actively exploited.
Hackers already knew about the vulnerability and were using it to compromise people’s machines, Google said in a post on its security blog. No fix is available yet.
Google notified Microsoft of the problem on October 21 and made it public on October 31. Normally, Google would wait 60 days before making such bugs public, but when attackers are actively exploiting a vulnerability, that timeframe drops to a week. The bug affects the Windows kernel, the deepest and most privileged part of the operating system, and can be used to escape security sandboxes (the isolation mechanisms designed to contain untrusted or malicious code).
This resulted in details of the vulnerability being released into the wild before Microsoft could develop a patch, placing a billion Windows users at risk. In a response on November 1, Microsoft’s Executive Vice President, Windows and Devices Group, Terry Myerson defended Microsoft and expressed disappointment in Google’s behaviour.
Myerson explained that the so-called exploits in the wild were “spear-phishing” attacks, i.e. sent to specific people in low volume rather than being widely distributed to the general public, and that users on the Windows 10 Anniversary Update using the Edge browser should already be protected from it.
Microsoft’s efforts to force the roll-out of updates are now clearly proving to be a good idea, as 76% of Windows 10 users are already on the latest version, according to AdDuplex data. Terry went on to say:
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.”
Note his words, “the only platform” and that they take the “responsibility very seriously.” It sounds to me as though, by implication, Terry is suggesting that Google did not take its responsibility to Android users equally seriously, given the large percentage of Android users on older versions of the operating system who are not receiving any OS updates.
A patch is already in testing for release on November 8, i.e. Patch Tuesday. Until then, Microsoft recommends that customers “use Windows 10 and the Microsoft Edge browser for the best protection.”
Read Terry Myerson’s full post below:
Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.
What do you make of Microsoft’s rather snarky response? Do you think Google should have given Microsoft more time to release a patch before going public? Sound off in the comments.
Source: VentureBeat