Connect with us

Hi, what are you looking for?

Tech & Science

Controversy over Google’s disclosure of bug in Microsoft Windows

Google revealed the threat yesterday, ten days after finding it inside the Windows kernel. The company explained that a security sandbox escape in the “win32k.sys” system file could allow attackers to break out of isolated areas of code and run arbitrary instructions. This could give a hacker complete control of the machine, allowing them to escalate their privileges and execute code with full access.
According to Google, the vulnerability is already being actively exploited by attackers. It has reported the zero-day exploit to Microsoft but the company has not yet been able to patch the problem. Microsoft expressed exasperation at Google’s decision to disclose the flaw before it could issue an update, suggesting the company could have done more to help by staying quiet.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said to VentureBeat. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
For its part, Google considers early disclosure to help protect PC users. Because the details are freely available, Microsoft is put under greater pressure to release a patch quickly. However, Microsoft would rather have the time it needs to create an update, without publicising how to exploit the vulnerability in the meantime. The debate over which approach is the most effective, as well as the most ethical, is still an ongoing concern in the industry.
Google uses a disclosure timeline devised in 2013 to decide when to publicly release details of vulnerabilities. For the majority of problems, it offers a 60 day grace period. However, the most serious exploits, including the win2k.sys bug found last month, are given just seven days.
“We encourage researchers to publish their findings if reported issues will take longer to patch,” Google said in 2013. “Based on our experience, however, we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Google also detailed another zero-day vulnerability yesterday. A flaw in Adobe’s Flash facilitates the Windows attack. Since Adobe has already updated Flash with a fix for the problem, the win2k.sys exploit risk has been mitigated. It will still take an official patch from Microsoft to close the hole and ensure computer users’ safety, however.

Written By

You may also like:

Social Media

Online privacy campaigners said they had filed complaints in several European countries against six Chinese companies including TikTok.

Social Media

French researchers have developed an application to help users migrate their whole online community from Elon Musk's X to rival social platforms.

Business

Like Brexit, Amexit doesn’t need to happen. Any guesses what will happen?

World

The United States's second-largest city has never faced a blaze of this scale, driven by an extreme autumn drought and fierce Santa Ana winds.