Microsoft: Google has put our customers at potential risk

Google shares details of unpatched zero-day vulnerability in Windows, just ten days after telling Microsoft about it.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Microsoft: Google has put our customers at potential risk

On October 21, Google informed Microsoft’s security team of a zero-day vulnerability. Google says that the vulnerability in the Windows kernel is being actively exploited in the wild by attackers.

Yesterday, a little over a week after telling Microsoft and before a patch has been released, Google has disclosed details of the vulnerability (known as CVE-2016-7855):

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

Sign up to our free newsletter.
Security news, advice, and tips.

If the issue is, as it sounds, deep down within the internals of Windows then it’s not something that necessarily can be fixed in a few minutes – and Microsoft will want to do thorough testing of any patch before they push out a fix to its millions of users.

And yet Google has once again got ants in its pants, pressuring one of its arch-rivals by sharing details publicly of the flaw. It’s not as though Microsoft hasn’t stumbled before by releasing security updates before they have been properly tested…

And, if there were previously any malicious attackers who didn’t know where to look for an unpatched zero-day vulnerability in Windows, they have now got a good idea of where they should be focusing their attention – thanks to Google.

Google’s security researchers would argue that they’re doing the internet community a service by going public and telling Windows users to be sure to apply a patch whenever Microsoft comes up with one.

I, however, tend to side more with Microsoft – particularly with the comment that they offered VentureBeat:

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk.”

No, it’s bad that Windows has a zero-day vulnerability that is being exploited. Yes, Microsoft should have found the flaw itself rather than having to depend on a third-party to tell them about it. But I feel confident that Microsoft recognises the importance of fixing the security hole, and is working hard at doing so.

Google’s security team are being unrealistic about the complexity of fixing software vulnerabilities in such important software, and should have co-ordinated more closely with Microsoft to responsibly disclose the issue when a security patch was made available.

But worse than that, Google’s petulant insistence that software companies release security patches to unrealistic deadlines imposed by Google puts more users at risk.

Update: Microsoft says you’ll have to wait another week for critical Windows zero-day patch.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

10 comments on “Microsoft: Google has put our customers at potential risk”

  1. Bob

    One of the exploits in the wild relies upon this exploit being used in concert with Flash* for extra effect/control. Microsoft took a long time patching their embedded version of Flash (in Edge) which exacerbated the problem.

    *https://grahamcluley.com/patch-flash/

    So far Google Chrome users are protected from this vulnerability BUT if you use any other application (e.g. Outlook, Dropbox, iTunes) that connects to the internet then you are at risk from this latest vulnerability.

    The best advice is make sure you've got Google Chrome up-to-date, ensure you've got decent anti-virus running and a firewall installed and pray that Microsoft will fix it ASAP.

  2. Erzengel

    "Chrome's sandbox … prevents exploitation of this sandbox escape vulnerability."
    Call me cynical, but this right here is why Google made this revelation in such an unrealistic timeframe. Not to service the internet community, but to encourage people to use Chrome, since it's "protected".

    1. Bob · in reply to Erzengel

      Yes, you are cynical because Google release details of all manufacturers vulnerabilities after the time period has expired. Whether the grace period is sufficient is the question.

      Some software companies don't remediate vulnerabilities unless they're made public which is why Google have the policy they do.

      One other thing to remember is that this vulnerability has been known to Microsoft for a while. The recent Flash vulnerability (see Graham's article) was well known within the expert community. It became of critical significance a few days before it was made public.

      1. Claire · in reply to Bob

        Google then went on to say its windows version chrome is safe from this vulnerability…so its intention is very clear.
        Oh well bob, except for you lol

        1. Bob · in reply to Claire

          Actually, Claire, Microsoft Edge is "safe" but until they fix the vulnerability in the underlying OS there is always a way to break out of the sandbox in Chrome or Edge.

          Google always disclose vulnerabilities, irrespective of the manufacturer, after the time period has elapsed.

          1. Erzengel · in reply to Bob

            Then perhaps they should have included a list of protected browsers instead of crowing about their own browser's protective capabilities? It makes it look like an advert rather than a PSA.

            Google's policy on disclosure of zero-day exploits is 90 days with a 14 day extension if the affected company is in the process of testing. Google violated their own policy here. Why?

  3. Sandra

    7 days is very tight for fixing a complex vulnerability, I think we agree here. But if I understand Google correctly, they don't expect a fix within a week. They would be happy with an MS security bulletin, stating the problem and that they are working on a fix.

    It should be possible for MS to publicly acknowledge the issue within 7 days.

  4. Claire

    So Google leveraged its connections to patch Chrome quickly, but gave Microsoft 7 days to patch hundreds of millions of computers before disclosing the vulnerability to everyone. Is this how you "don't be evil"?

    1. LizH · in reply to Claire

      The "win32k lockdown" used by Chrome to mitigate this vulnerability has existed since December 2014, at least (https://googlechromereleases.blogspot.com/2014/12/dev-channel-update_18.html). I would say that Microsoft has had MUCH longer than 7 days to address this issue.

    2. Bob · in reply to Claire

      You might want to read this:

      https://en.wikipedia.org/wiki/Don%27t_be_evil

      How do you think a big corporation like Google are *not* going to "be evil"?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.