Microsoft Not Happy After Google Revealed Unpatched Windows Bug; Word War On?
On Friday, Google reported certain zero-day vulnerabilities that the company considered "critical." Google initially gave no specifics in the announcement, but it notified the companies affected by those critical vulnerabilities.
When Google notified Adobe and Microsoft about certain vulnerabilities that hackers have been actively exploiting to obtain information about web users, Adobe was quick to respond: within 7 days it updated Flash to address CVE-2016-7855, and the fix is available through the website's updater as well as the new Chrome auto-update.
The Windows vulnerability can be used as a "security sandbox escape." According to the blog, "It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD." It adds, "Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
After Google disclosed its assessment of the Windows vulnerability, Microsoft released a statement disagreeing with Google's analysis. Microsoft said it does not agree with Google's depiction of a local issue as "critical" and "serious," since the attack scenario that was described was mitigated when the Adobe Flash update was released last week. Microsoft adds that its own analysis indicates that the particular attack mentioned in Google's analysis was not successful against the latest Windows 10 Anniversary Update, which implements enhanced security features.
This is not the first time Google and Microsoft have had a word war about fixing certain issues. In 2015, Google announced another bug online after a 90-day grace period for Microsoft. In that case, however, both companies agreed that the issues were not critical, so Microsoft delayed the fix until the next regular update schedule.