Google revealed the threat yesterday, ten days after finding it inside the Windows kernel. The company explained that a security sandbox escape in the “win32k.sys” system file could allow attackers to break out of isolated areas of code and run arbitrary instructions. This could give a hacker complete control of the machine, allowing them to escalate their privileges and execute code with full system access.
According to Google, the vulnerability is already being actively exploited by attackers. It has reported the zero-day exploit to Microsoft but the company has not yet been able to patch the problem. Microsoft expressed exasperation at Google’s decision to disclose the flaw before it could issue an update, suggesting the company could have done more to help by staying quiet.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said to VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
For its part, Google considers early disclosure to help protect PC users. Because the details are freely available, Microsoft is put under greater pressure to release a patch quickly. However, Microsoft would rather have the time it needs to create an update, without publicising how to exploit the vulnerability in the meantime. The debate over which approach is the most effective, as well as the most ethical, is still an ongoing concern in the industry.
Google uses a disclosure timeline devised in 2013 to decide when to publicly release details of vulnerabilities. For the majority of problems, it offers a 60-day grace period. However, the most serious exploits, including the win32k.sys bug found last month, are given just seven days.
“We encourage researchers to publish their findings if reported issues will take longer to patch,” Google said in 2013. “Based on our experience, however, we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Google also detailed another zero-day vulnerability yesterday. A flaw in Adobe’s Flash facilitates the Windows attack. Since Adobe has already updated Flash with a fix for the problem, the risk from the win32k.sys exploit has been mitigated. It will still take an official patch from Microsoft to close the hole and ensure computer users’ safety, however.