Microsoft has hit back at Google after the search engine giant unveiled a “critical vulnerability” in Windows.
On October 21, Google warned Microsoft privately about a major security flaw in Windows that was already being exploited by hackers. Then, just 10 days later, Google went live to the public with the flaw. Unfortunately, when Google published its findings in detail, Microsoft still hadn’t fixed the issue, which potentially left Windows users more exposed than they had been before.
“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” reads a blog post written by Neel Mehta and Billy Leonard, of Google’s Threat Analysis Group. “The vulnerability is particularly serious because we know it is being actively exploited.”
It continued: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape."
But in a statement to VentureBeat, Microsoft revealed it wasn’t too chuffed with Google going public about the flaw. It reads:
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
So what should you do to stay safe? Well, it appears that the vulnerability can be traced to a flaw in Adobe Flash, which has since been patched by Adobe. But Google still recommends that if you’re using an auto-updater for Flash, you should verify whether or not you have the latest version. And it also recommends that you immediately apply any Windows patches from Microsoft “when they become available for the Windows vulnerability”.
