Microsoft flips Google the bird after Windows kernel bug blurt
Security flaw will be fixed next week, says Redmond exec
Microsoft has not responded well to Google's bug grenade, accusing the ad giant of screwing over netizens and getting its facts wrong.
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," Microsoft said in a statement. It then disputed Google's claims about the seriousness of the hole.
"We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week," said a Microsoft spokesperson, adding that not all versions of Windows are affected.
"Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented."
Windows boss Terry Myerson described Google's actions as "disappointing." He said the vulnerability was being exploited on a "low-volume scale" by the Russia-linked Strontium group, which is also known as Fancy Bear and is accused of ransacking the US Democratic National Committee's computers. We previously reported that Fancy Bear was exploiting several unpatched software vulnerabilities to hijack systems.
In Myerson's view, Strontium was abusing the Google-reported flaw in limited spear-phishing attacks, therefore the vast majority of Windows users weren't being targeted and thus there was no need for Google to go public so soon.
Myerson said the flaw will be patched by Microsoft next Tuesday.
On Monday this week, the Beast of Redmond received its own personal Halloween gift in the form of a public Windows vulnerability disclosure just 10 days after Google discovered the flaw.
CVE-2016-7855 can be used by malware to gain admin access on a Windows system through a local privilege escalation; a kernel bug can be exploited to pull off a security sandbox escape, Google claimed, calling it "particularly serious."
So why did it give Microsoft just a week before making it public? According to Google, because of its importance and the fact that exploits are already in the wild.
Not exactly happy
But it's a call that Microsoft clearly did not appreciate. Although Adobe managed to put out a patch ASAP, Microsoft has not yet, meaning that Windows users are potentially at risk and everyone and their dog now knows about it.
The public disclosure of an unpatched bug broadly serves two functions: one, it makes users (well, sysadmins) at least aware of the problem; and second, it lights a fire under the developer to get a patch done and out there.
Google engineers are pretty sharp at finding security holes in Microsoft's software so the relationship is an important one.
There have been persistent tensions however. Back in June 2010, a Google engineer gave Microsoft just five days of notice before publishing details on a serious Windows hole (and included example attack code). And in January last year, Google refused to budge on the 90-day deadline it gave Microsoft to fix a reported security bug before it went public with details of the flaw.
That time, Microsoft's senior director for trustworthy computing Chris Betz called out Google: "We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," he complained, adding that Google's decision to move ahead regardless "feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result."
He went on: "What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
That outburst gave Google pause for thought and it announced shortly after that it was revising how its Project Zero bug-finding system would disclose flaws. The 90 days was made more flexible and the Chocolate Factory said it would extend the disclosure deadline by a grace period of up to 14 days, provided a vendor lets it know that a patch will be released on a specific date within the extra fortnight.
In a post, Google's security team noted: "Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed."
That policy appears to have been given a pretty big caveat with this latest disclosure however: if Google can see exploits in the wild, all bets are off. ®