Microsoft not happy with Google's disclosure of Windows bug

The web giant says no fix or advisory has been issued even though it reported the flaw 10 days ago.

Steven Musil Night Editor / News

Google on Monday disclosed details about a critical vulnerability in Windows, and Microsoft isn't happy about it.

The bug can be used to bypass the security sandboxing in the Windows32K system, Google said in a blog post. Compounding the issue, Google said it reported the bug to Microsoft 10 days ago but the company has done nothing to address the issue publicly.

"After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," Google wrote. "This vulnerability is particularly serious because we know it is being actively exploited."

Google said it repaired the vulnerability for its Chrome users, and Adobe issued an update for Flash last week.

Microsoft apparently wasn't pleased by Google's revelation.

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," the company said in a statement, though it did not share when a patch could be expected to be released.

In a later statement, Microsoft said Google's assessment of the threat is erroneous.

"We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented."

First published October 31, 6:42 p.m. PT.
Update, November 1 at 8:45 a.m. and 10:15 a.m. PT: Adds Microsoft statements.