Google Discloses an Unpatched Critical Windows Bug That’s Being Exploited in the Wild


Google's Threat Analysis group has today disclosed details of a critical Windows security vulnerability in a public post on the company's blog. According to Google, the zero-day Windows bug is being actively exploited in the wild. The company revealed the details to the public just 10 days after reporting the bug to Microsoft, before the Redmond software giant could code and deploy the patch.

Google shares details of a Windows security bug - Microsoft ain't happy

Google has a 7-days policy, after which it publicly shares the vulnerability information. It's not the first time the company has done that, prompting many to argue if 10 days is enough to release a patch.

The bug is very specific as it allows attackers to bypass security sandboxes through a bug in win32k system. The company had also informed Adobe of a zero-day vulnerability, which has been fixed. Google itself too has already deployed a fix to protect Chrome users, but millions of Windows users are at bigger risk as more attackers are now aware of this critical Windows security exploit.

It is being reported that the exploit requires Adobe Flash vulnerability to work. Since Adobe has flashed the bug, the Windows security exploit is essentially mitigated. But, Microsoft would still need to patch the security holes to avoid attackers leveraging it in other types of attacks.

Microsoft, of course, is not happy. "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Microsoft has not yet published a security advisory, but it is expected that the company will now expedite the process since the information has been publicly disclosed.

"We encourage users to verify that auto-updaters have already updated Flash - and to manually update if not - and to apply Windows patches from Microsoft when they become available for the Windows vulnerability," Google said. For more information on the exploit, visit the company's blog.

- Thanks for the tip, Jesse.