Google’s early disclosure of a Windows kernel-level zero-day bug potentially endangers customers, said Microsoft officials.
Microsoft rebuked Google for releasing details of a security flaw in the Windows kernel for which a patch is not yet available. Microsoft officials said that Google’s disclosure potentially endangers customers and that they believe in coordinated vulnerability disclosures.
In an Oct. 31 blog post, Neel Mehta and Billy Leonard, security researchers with Google’s Threat Analysis Group, said a local privilege escalation bug exists in the Windows kernel. Attackers can take advantage of the flaw to escape a security sandbox, the researchers warned. The vulnerability is especially serious because attackers are already exploiting it in the wild, the two Google researchers said.
However, in an statement emailed to eWEEK, Microsoft challenged Google’s description of the issue. “We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,'” the statement said.
In a Nov. 1 blog post, Terry Myerson, executive vice president of Microsoft’s Windows and Devices group, said the attack identified by Google’s Threat Analysis Group used two-zero days, one in the Windows kernel and the other in Adobe Flash.
Adobe has already patched the flaw, so the attack scenario that the Google researchers described has already been fully mitigated. Patches for all affected Windows versions are being tested and will be released Nov. 8, Myerson wrote.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” Myerson wrote. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
The Google researchers claimed to have notified Microsoft of the issue on Oct. 21 and then disclosed the flaw publicly after seven days, in keeping with Google’s vulnerability disclosure policy for zero-day bugs that are being actively exploited.
Typically, Google gives software developers 60 days to address critical vulnerabilities that are reported in their product before going public with the data.
For companies that are unable for some reason to get a fix out in that time frame—especially flaws that are being exploited—Google has recommended they at least issue within seven days some sort of a mitigation procedure for working around the issue. Google has admitted that seven days is an aggressive timeline, but insists it is enough to at least publish advice about potential mitigations.
Google’s decision to release details of the vulnerability before Microsoft had a chance to get out a fix has surfaced a long-standing debate over responsible disclosure. Many security researchers have long held that vendors should be given a reasonable shot at fixing reported flaws in their products before details of the vulnerability are publicly disclosed.
Others, especially bug hunters, have said the only way to get some vendors to address security issues quickly is to give them a tight deadline for fixing the issues and to threaten them with public disclosure if they don’t.
The latest incident shows why some sort of regulatory requirement is implemented to guide disclosure practices, said Udi Yavo, chief technology officer and co-founder at security vendor enSilo.
“The Google-Microsoft disclosure dispute is yet another example of why the 90-day window for vulnerability disclosure that has been industry practice for some time should be an actual regulatory requirement,” he said in an emailed statement.
The legislation should spell out the grace time that is available for vendors that are not able to meet the 90-day window and the consequences for violating these rules.
Releasing vulnerability information prematurely before a vendor has fixed a zero-day flaw, as Google did in this instance, serves no one, except the small community of researchers who know how to take advantage of it, Yavo said.
“We have been here before,” said Chris Thomas, strategist at Tenable Network Security. “Vendors need to remember that when it comes to releasing bugs the researcher has all the power. They can do whatever they want with their information, including completely ignoring their carefully crafted disclosure policies.”
In this instance, it appears that the Google researchers did not feel that Microsoft’s policy for addressing actively exploited bugs was reasonable, Thomas said in a statement.
