Google’s Threat Analysis Group recently discovered vulnerabilities in Adobe Flash and Microsoft’s Windows which allow malware attacks on the Chrome web browser. The company made the discovery on Oct. 21 and has also disclosed it publicly today, which isn’t sitting well with Microsoft.
Adobe issued a patch for the Flash vulnerability this past Friday. Microsoft, however, has not yet released a patch for the Windows flaw, which prompted Google to disclose it publicly in order to warn users.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” Google’s Threat Analysis Group said (via ArsTechnica). “This vulnerability is particularly serious because we know it is being actively exploited.”
The Windows vulnerability lies in the kernel-mode driver win32k.sys and allows an attacker to escape the security sandbox, the mechanism that lets programs run without administrator access. In practice, this means an attacker could gain full access to a Windows computer and execute code without the user’s knowledge.
Google’s disclosure of the vulnerability follows the company’s strict seven-day policy, under which it alerts the public seven days after a security flaw has been reported to the vendor, regardless of whether a patch has been rolled out. The policy is controversial, as many software companies believe a week is not enough time to code, test and roll out a fix.
Google’s disclosure has already drawn flak from Microsoft. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft representative told VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
A source also indicated that the Windows vulnerability described by Google requires the Adobe Flash vulnerability in order to be exploited. Since Flash has already been patched, the Windows vulnerability is now less severe. That said, Microsoft will still need to ship its own patch to fully protect users from malicious attacks.