Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft

An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems.In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Re:Neel Mehta is a real crumbum

[AK+Marc]

With no exploit in the wild, Google should quietly inform MS. With an exploit in the wild, it has already been publicly disclosed, but to a limited audience, so Google should disclose widely, so everyone is informed of the exploits.

What in that behavior do you find unethical?

Different from the Kid Gloves They Used for Apple

[Luthair]

Interesting this comes mere days after the story that Google sat on an Apple vulnerability for 5-months? Though maybe given this is being actively exploited the treatment is justifiably different...

Is the policy

Vulns. already being exploited in the wild are published 7 days after reporting it to the vendor. This is nothing new and is Google's policy on this (dated 2013).
See: https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html

Sleazy attempt to paint Google in a bad way. This flaw is already being exploited, the bad guys already know about it!

Re:Microsoft's statement

[Etcetera]

The VentureBeat article has been updated with a response from Microsoft:

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

What the hell are they smoking? Apple, the various Linux distributions, and the BSDs all are committed to "investigating reported security issues and proactively updating impacted devices as soon as possible." They all routinely release immediate updates for critical exploits. I think even Cisco's IOS has a better track record than Windows in time-to-fix for critical vulnerabilities.

I might be wrong, but it seems like that's a crack at the security issues within Google's Android ecosystem...

MS isn't the one that let it get to a point where a bazillion hacked devices without updates are in the field a mere year or two after hardware was released.
XP had support for 10 years.

Re:Different from the Kid Gloves They Used for App

[AmiMoJo]

No, the difference is that the Windows exploit is being actively used in the wild by malware. It's better to know about it so we can mitigate the risk as much as possible.

In Apple's case no-one was taking advantage of the flaw, as far as we know, so it was better to keep it quiet while they fixed it.