The giants are at it again. Google is a massive company with a lot going on at the same time, and one of those things is making sure users are secure, whatever they are using. The trouble is that Google doesn’t own everything (yet), so Google’s Threat Analysis Group also works on finding vulnerabilities in software made by other companies.
Here’s the issue: if a vulnerability found by the Threat Analysis Group is given a ‘Critical’ rating, the parties responsible for fixing it are given only seven days to do so before Google makes it public.
The vulnerability, in this case, has something to do with sandboxing on Windows, but Microsoft wasn’t the only one responsible; Adobe’s Flash was involved as well.
Google disclosed the vulnerability and its details privately to Microsoft and Adobe on October 21st. Note that this was a 0-day vulnerability, meaning it wasn’t known to anyone except those who were exploiting it. Google claimed that exploitation was already happening, but didn’t give many details about it.
While Adobe fixed the vulnerability and released a patch on October 26th – within Google’s seven given days – Microsoft was still working on the patch for Windows.
Unfortunately, Google has a strict policy to maintain, and so on October 31st, Google disclosed the vulnerability publicly, causing Microsoft to scramble for a response.
Now, in a blog post, Microsoft’s Executive Vice President, Windows and Device Group, Terry Myerson, announced that a patch is in the works and will be released on November 8th, following the usual Windows update schedule.
Myerson also mentioned the importance of coordination when dealing with these vulnerabilities.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
More details were also revealed about who exactly is exploiting the vulnerability – Microsoft blames STRONTIUM, a Russia-linked hacker group known for targeting government agencies, diplomatic institutions, and military organizations.
In his blog post, Myerson also details the requirements to use the exploit: long story short, you need Adobe Flash.
The exploit uses a vulnerability in Adobe Flash to gain control of the browser process, after which it uses a vulnerability in Windows to escape the browser’s sandboxed environment and install a backdoor for the attackers.
Adobe has already published a patch for the Flash vulnerability, which also makes the Windows patch less urgent. Since Flash can no longer be exploited, the attackers can never get to the second step of the chain, exploiting Windows.
The vulnerability also relies on the browser – Microsoft claims that its Edge browser is already secured, while Google claims Chrome has been patched for the vulnerability as well.
Microsoft still needs to patch the vulnerability, of course, to prevent attacks of other types using the same security holes – but it isn’t as urgent as Google makes it out to be.
Microsoft will release an update for Windows to fix the vulnerability altogether on November 8th – Patch Tuesday. In the blog post, while Microsoft did say it was disappointed with Google’s behavior, it also said it is thankful for the Threat Analysis Group’s assistance in investigating the vulnerability.
Just as Microsoft is following its regular patch schedule and releasing a fix for this critical vulnerability on the 8th, Google was following its policy of releasing critical vulnerabilities publicly seven days after disclosing them to affected parties.
It might not be responsible behavior, but it is the standard procedure for both companies.