Google outs Windows zero-day but shields Chrome first

  • Liam Tung (CSO Online)
  • 01 November, 2016 07:11

Microsoft says Google disclosure puts customers at risk but the Redmond company hasn't said when it will release a patch.

Google and Microsoft are clashing again over their different approaches to disclosing security flaws. While Microsoft believes researchers should keep a bug under wraps until the vendor has fixed the issue, Google has committed to disclosing a bug if the vendor doesn't meet its deadlines, which range from 90 days down to seven days depending on the circumstances.

Google security researchers on Monday disclosed a previously unknown, or zero-day, flaw in Windows even though Microsoft has not yet released a patch for it. Google said that, to protect end-users, it disclosed details of a Windows sandbox escape just 10 days after reporting the issue to Microsoft. Google has also recently added measures in Chrome to mitigate the attack on PCs running Windows 10.

Under normal circumstances, Google gives software vendors 90 days to either warn users or deliver a patch before disclosing details of a bug. However, when a bug is already being attacked Google has promised to go public with details after seven days. Google has maintained this bug disclosure policy since 2013.

“This vulnerability is particularly serious because we know it is being actively exploited,” said Google’s Threat Analysis Group researchers Neel Mehta and Billy Leonard.

The attack on Windows is related to a zero-day flaw that Adobe patched last week. Google’s update on Monday suggests the attackers were combining a sandbox escape in Windows with a remote execution bug in Flash Player to attack targets using a Windows PC.

Mehta and Leonard said they notified Adobe and Microsoft about the attacks on October 21. Only Adobe’s response met Google’s deadline, meaning attackers cannot use the Flash Player bug to compromise Windows.

Upon releasing the patch, Adobe said the Flash Player bug was being exploited in “limited, targeted attacks” against users running Windows versions 7, 8.1, and 10.

Google also suggests that, for now, Windows 10 users are safer using Chrome, since Google has added new protections in its browser to thwart this specific attack.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” said Google’s Mehta and Leonard.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” they added.
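The mitigation Google's researchers describe, Win32k lockdown, is a per-process policy that blocks win32k.sys system calls, so an administrator can verify whether a sandboxed process actually has it switched on. The following PowerShell snippet is an added example written for this article, not code from Google, Microsoft or the article's author. It assumes Windows 10 version 1709 or later, where the ProcessMitigations module provides Get-ProcessMitigation, and that the live policy for a process is exposed under the SystemCall.DisableWin32kSystemCalls property; the function names and the use of the -Id parameter together with -RunningProcesses are this example's own choices.

```powershell
# Added example: report which running processes of a given image have the
# Win32k system-call lockdown mitigation enabled. Requires the ProcessMitigations
# module (Windows 10 1709+). Property path SystemCall.DisableWin32kSystemCalls
# is assumed to be the field that reflects the lockdown described in the article.

function Test-Win32kLockdown {
    param(
        [Parameter(Mandatory)] [int] $ProcessId
    )
    # -RunningProcesses reads the policy of the live process rather than the
    # registry-configured policy for the image name (assumed parameter pairing).
    $m = Get-ProcessMitigation -Id $ProcessId -RunningProcesses -ErrorAction Stop
    return ($m.SystemCall.DisableWin32kSystemCalls -eq 'ON')
}

function Get-SandboxLockdownReport {
    param(
        [string] $Name = 'chrome'   # image name without the .exe extension
    )
    $rows = foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $locked = $null              # $null means the policy could not be read
        try   { $locked = Test-Win32kLockdown -ProcessId $p.Id }
        catch { $locked = $null }    # access denied, process exited, etc.
        [pscustomobject]@{
            Id             = $p.Id
            Name           = $p.ProcessName
            Win32kLockdown = $locked
        }
    }
    return $rows
}

# Usage: list every chrome.exe process and whether win32k calls are blocked.
Get-SandboxLockdownReport -Name 'chrome' | Format-Table -AutoSize
```

When run against a browser built the way the quote describes, expect a mix of results: the main browser (broker) process needs win32k for its UI and will legitimately report the lockdown as off, while sandboxed renderer processes should report it as on. A renderer that reports off, or a process whose policy cannot be read at all, is the one worth investigating, because that is the process in which a win32k.sys bug such as the one in NtSetWindowLongPtr() would not be blocked by this mitigation.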

Microsoft defended its approach to patching and said Google’s manner of disclosure — using its own deadline, rather than coordinating one with Microsoft — has put Windows users at risk.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” a Microsoft spokesperson said in a statement to CSO Australia.

Microsoft and Google have clashed on numerous occasions over bug disclosures. Last year Microsoft criticized Google's rigid adherence to its disclosure policies, accusing the search company of putting its own rules ahead of the security of end-users. In that case, Google published details two days before Microsoft had scheduled a fix in its monthly Patch Tuesday update.