Yesterday, Threat Analysis, a Google group, revealed an important vulnerability present in Windows, through its public posting on the security blog of the company.
The bug posted by Google is a specific one that allows the attacker to escape from the security sandbox, due to a flaw present in the Windows win32k system. However, the bug is considered critical and Google claims that the bug is being exploited. Google made a public post about the bug, having reported the bug to the company, Microsoft, ten days back.
The result of this is that though Google has used a fix for protecting users of Chrome, Windows remains vulnerable and everybody using it must be aware of it. The disclosure made by Google only offered very general information about the bug. However, this is enough for users to recognize if an attack is made, so that it is not very easy for the criminal to replicate the attack.
Zero Day Risk
Google has disclosed the bug as a zero day one, which means that it comes under the category of unknown flaws in the Windows software. Hackers, however, are aware of the bug and have started using it in order to compromise several users’ devices, according to Google’s post, claiming that there was no fix available so far.
Criminals who are interested in exploiting this Windows bug will have to depend on another exploit made in Adobe Flash. Google has released a security patch in this case as well.
Updating the Patch
However, though Google has issued these security patches, there are several criminals out there who now know about the existence of such a bug. They will surely attempt to look for ways of exploiting the same against devices that have not updated the new Flash patch.
VentureBeat reached Microsoft to check out their reaction to the bug disclosure and the response of the company was one of harsh criticism. According to a spokesperson of Microsoft, the disclosure of the bug by Google puts the customer at a risk. The spokesperson added that the company recommended the use of Window 10 and also Microsoft’s Edge browser in order to avail of the best protection.
Google allowed a grace period of ten days before revealing the bug in a public post, in accordance with its policy started in 2013. According to the policy, a critical vulnerability can be disclosed publicly only after seven days have elapsed since the information is given to the concerned vendor. The policy had been criticized as being too harsh, according to several researchers. This was because they felt that seven days time was not enough for the vendor to respond and rectify a complicated vulnerability.
This is, however, the first time that Google has invoked the policy since the time it was put in place. In addition the engineers at Google claim that the disclosure of the bug was essential, as it was being actively exploited.
The post put up by Google recommends users to verify that the automatic updates have updated Flash on their computers. If they have not, users should ensure that they update Flash manually. They must also make sure to apply the patches from Windows as soon as they are available.