Google's Threat Analysis Group publicly disclosed a critical Windows vulnerability today, issuing a warning on its security blog.
The company made the public disclosure just 10 days after notifying Microsoft of the bug, leaving the Windows maker with little time to patch things up and deploy a fix. Needless to mention, Microsoft was not happy about the disclosure.
"Today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Google, for its part, has already deployed a patch to protect Chrome users. The company warns that the bug is very specific, but it's risky enough to categorize the vulnerability as critical. Google says the Windows vulnerability in question is actively exploited, allowing hackers to bypass security sandboxes through a win32k system flaw.
Because of the critical status, Google decided to go public just 10 days after bringing the issue to Microsoft's attention. However, Google offered only a general description of the vulnerability, aiming to provide users with just enough details to recognize a potential attack but without paving the way for attackers to exploit the flaw.
At the same time, Google also points out that it respected its policy to wait for seven days to publicly disclose a vulnerability after notifying the party who should deliver the patch.
It's worth pointing out that exploiting the flaw also depends on another flaw found in Adobe Flash. Google notified both Adobe and Microsoft of the exploits it found on Oct. 21 and Adobe issued an update for Flash on Oct. 26 to address the issue. Microsoft has yet to provide a solution other than instructing users to rely on Windows 10 and the Edge browser.
"After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," Google warns. "This vulnerability is particularly serious because we know it is being actively exploited."
The privilege escalation bug in Microsoft's Windows is deemed a zero-day vulnerability and while Microsoft may frown upon Google's announcement, the public disclosure might speed up the patch delivery. With the public now aware of the issue, Microsoft is facing more pressure to fix it as soon as possible.
Microsoft has not offered any details as to when it will roll out a fix for the issue, but it shouldn't take long now. In the meantime, users are advised to update Flash and apply Windows patches as soon as they become available.
