Microsoft not happy with Google's disclosure of Windows bug
The web giant says no fix or advisory has been issued even though it reported the flaw 10 days ago.
Google on Monday disclosed details about a critical vulnerability in Windows, and Microsoft isn't happy about it.
The bug can be used to bypass the security sandboxing in the Windows32K system, Google said in a blog post. Compounding the issue, Google said it reported the bug to Microsoft 10 days ago but the company has done nothing to address the issue publicly.
"After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," Google wrote. "This vulnerability is particularly serious because we know it is being actively exploited."
Google said it repaired the vulnerability for its Chrome users, and Adobe issued an update for Flash last week.
Microsoft apparently wasn't pleased by Google's revelation.
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," the company said in a statement, though it did not share when a patch could be expected to be released.
In a later statement, Microsoft said Google's assessment of the threat is erroneous.
"We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented."
First published October 31, 6:42 p.m. PT.
Update, November 1 at 8:45 a.m. and 10:15 a.m. PT: Adds Microsoft statements.