Windows flaw disclosed before patch can be developed
Technicians at software giant Microsoft were angered after Alphabet-owned Google published details of an as-yet-unfixed flaw in the Windows operating system.
Tech giant Google gave Microsoft a week to respond before going public with details of the issue, saying the flaw was “particularly serious since we know it is being actively exploited”.
In response, Microsoft countered that Google’s exposure of the issue could put consumers at risk, because Microsoft needs more time to develop a patch.
A Microsoft spokesperson told news site VentureBeat:
“We believe in co-ordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
Win32k.sys used in “security sandbox escape”
The flaw disclosed by Google involves a Windows system file called Win32k.sys, which is used by the operating system to display graphics. Google’s outline explains how the file can be compromised and used to access and alter unrelated computer functions in what’s known as a “security sandbox escape”.
Google recommends users limit their exposure to potential exploits by using the Chrome browser, which is not vulnerable. Currently Microsoft’s only advice to its users is to “use Windows 10 and Microsoft’s Edge browser for the best protection.”
Dr. Steven Murdoch, from University College London, called for Microsoft to release more details.
“What Google has done is understandable, bearing in mind it says the bug is already being exploited, but whether or not it was right to have made the flaw public is a matter of debate – there are reasonable arguments on both sides, and we still don’t know who are the attackers and who are the targets.
“But certainly, Microsoft could now do more to provide advice to its customers about how they could reduce their risk.”