Google on Monday posted to the Internet a previously unpublicized flaw that could pose a security threat to users of the Microsoft Windows operating system.
Google notified both Microsoft and Adobe of zero day vulnerabilities in their software on Oct. 21, wrote Neel Mehta and Billy Leonard, members of Google’s Threat Analysis Group, in an online post.
Google has a policy of making critical vulnerabilities public seven days after it informs a software maker about them. Adobe was able to fix its vulnerability within seven days; Microsoft was not.
“This [Windows] vulnerability is particularly serious because we know it is being actively exploited,” wrote Mehta and Leonard.
However, Google’s Chrome browser prevents exploitation of the vulnerability when running in Windows 10, they added.
Flaw Not Critical
Microsoft challenged Google’s analysis of the Windows flaw in a statement provided to TechNewsWorld by spokesperson Charlotte Heesacker.
“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” Microsoft said.
After cracking a system, hackers typically try to elevate their privileges in it to obtain access to increasingly sensitive data.
“Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented,” Microsoft noted.
The Windows vulnerability Google’s team discovered is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape triggered by a win32k.sys call, according to Mehta and Leonard.
The sandbox in Google’s Chrome browser blocks win32k.sys calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of the sandbox escape vulnerability, they explained in their post.
Although Google contrasted Adobe’s quick action in patching its zero day vulnerability with Microsoft’s inaction, the comparison may be less than fair.
“The time to patch code in Adobe Reader or Flash versus something that integrates into an operating system is considerably different,” said Brian Martin, director of vulnerability intelligence at Risk Based Security.
What takes time is not so much changing the code as testing it after it’s changed, he explained.
“If Microsoft patches code in one version of Windows, it will likely affect several other versions,” Martin told TechNewsWorld.
“Then they have platform issues — 32-bit and 64-bit — and then the different versions — home, professional, server, whatever,” he pointed out.
“The amount of time it takes to patch it is one thing,” he said. “The amount of time to go through the full QA cycle is another. Seven days is generally considered unrealistic for an operating system.”
To Disclose or Not
The short deadline was necessary because it saw the vulnerability being exploited by hackers, Google’s team maintained. That logic, though can be a two-edged sword.
“To me, this doesn’t ultimately help achieve everyone’s goal, which should be keeping consumers and their data safe,” said Udi Yavo, CTO of enSilo.
“By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all,” he told TechNewsWorld.
However, keeping the vulnerability under wraps at all is questionable, suggested Jim McGregor, principal analyst at Tirias Research.
“Considering how closely the hacker community communicates, seven days may have been too much time,” he told TechNewsWorld.
“Google was being a friendly corporate citizen by letting Microsoft know about the vulnerability, but in my mind it would have been more appropriate to make it public knowledge once you see it in the wild,” McGregor said.
“A vulnerability can spread though the hacker community in milliseconds,” he remarked. “By not making the vulnerability public, the only people who don’t know about it are the people who should know about it