Google Details Zero-Day Windows Flaw Before Patch PreppedMicrosoft Slams Lack of 'Coordinated Vulnerability Disclosure'
Update (Nov. 2): Microsoft has detailed more about the related flaws, saying they have been exploited by Russian hackers in highly targeted spear-phishing attacks.
See Also: You've Got BEC!
Warning: Attackers have been targeting a zero-day flaw in Windows to escape Windows security sandboxes and exploit PCs.
So say engineers at Google, who have publicly announced the flaw and how it can be triggered, just 10 days after first sharing related vulnerability details with Microsoft.
The timing of Google's announcement is sure to reignite long-running debates over what constitutes a "reasonable" time period for bug spotters to wait before publicly announcing the details of a flaw, and the amount of time a software vendor should take to verify and fix flaws (see Google's Psychological Patch Warfare).
In this case, Microsoft was decidedly nonplussed over the timing of the alleged new flaw. "We believe in coordinated vulnerability disclosure, and [the] disclosure by Google could put customers at potential risk," a Microsoft spokeswoman tells me.
So far, the company has declined to discuss the alleged flaw any further or to detail a timeline for when it might get fixed. But the spokeswoman added: "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."
Attackers Are Exploiting Flaw
In Google's defense, the company says its decision to detail the "critical vulnerability in Windows for which no advisory or fix has yet been released" was due entirely to it already being actively exploited in the wild by attackers. Otherwise, Google says it waits 60 days - down previously from 90 days - before making flaws public.
"This vulnerability is particularly serious because we know it is being actively exploited," Google security engineers Neel Mehta and Billy Leonard say in an Oct. 31 blog post.
The Google engineers have also detailed how the flaw can be exploited. "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," they say, noting that the flaw can be triggered via a win32k.sys system call. While Chrome has been updated to block related exploits, that still leaves the rest of the Windows "user space" at risk.
Google's self-determined notification policy is that it gives vendors just seven days to issue an advisory or fix for a flaw that's being actively exploited. Otherwise, Google says it reserves the right to make details of the flaw public.
Adobe's Fast Flash Fix
For comparison's sake, Google says it notified both Adobe and Microsoft of separate flaws - in Adobe Flash and Microsoft Windows, respectively - on Oct. 21. Adobe issued a patch for Flash just five days later, in the form of updates for Flash Player for Windows, Macintosh, Linux and Chrome OS (see 2016 Resolution: Ditch Flash).
The patched flaw, designated CVE-2016-7855, constituted "a critical vulnerability that could potentially allow an attacker to take control of the affected system," Adobe said.
"Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10," it added.
Patching Flash, however, is one thing. Is it reasonable to give Microsoft just seven days to investigate a flaw in its Windows operating system, which has a much larger code base and base of users?
As Cris Thomas - the security researcher better known as Space Rogue - has noted, this is a repeat of a spat that Google and Microsoft got into for the same reasons in early 2015, when both claimed that their approach best protected users (see Google Reveals More Microsoft Zero Days). "It brings up a debate that has been raging in security circles for over a hundred years starting way back in the 1890s with the release of locksmithing information," Thomas wrote in a blog post at the time.
Embracing the Rollup
The rekindled debate over the speed with which actively exploited flaws get fixed comes as Microsoft has been attempting to move away from issuing individual patches altogether.
Nathan Mercer, a senior product marketing manager for Microsoft, noted in an August blog post that Microsoft had begun testing a "convenience rollup" - defined as "multiple patches rolled together into a single update" - in May for Windows 7 SP1, and decided to extend the concept to other supported operating systems.
That move came to fruition in October, when Microsoft switched to a single download for all security updates, replacing the previous approach of allowing users to just download - and test - patches for specific products. The move affects Windows 7 SP1 and Windows 8.1, as well as Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
Microsoft says it no longer ships individual patches, but now only offers a single security update every month that "collects all of the security patches for that month into a single update," Mercer says. "The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices," but will not be available via Windows Update.
That's because Microsoft now plans to release a monthly rollup - for each supported operating system - that includes both updates and security patches, which will be available via Windows Update, amongst other update channels. Mercer says the goal is to make these monthly updates "fully cumulative and you need only to install the latest single rollup to be up to date."
Such rollups have big upsides, not least for ensuring that products get fully patched. But when it comes to fixing critical flaws being actively exploited in the wild, users will still require more focused fixes that get released as quickly as possible.