This is a good article for this week’s lesson. The Google Threat analysis group disclosed a critical vulnerability in Windows in a public post on the company’s security blog. The vulnerability allows hackers to escape from security sandboxes through a weakness in the win32k system. Google went public ten days after reporting the bug to Microsoft, before a patch could be deployed. Google has already sent out a fix to protect users that use Chrome and Windows is still vulnerable.
I don’t like how Google went public before Microsoft sent a patch out. This just increases the risk of hackers who might not have known about this to exploit it. Even if they went public, how is the general public going to use this new-found knowledge to defend themselves? I understand that Google has a 7 day policy for vendors to either send a patch or disclose ways to mitigate the issue, and I really like this idea. However, I don’t agree on their decision to disclose this issue if that criteria is not met.
Apparently, Microsoft is not pleased with the way Google handled this situation. It’s a good thing to discover the vulnerability and share it, but Microsoft feels that it should have been allowed a little bit more time to work on a patch. Companies need to develop a better coordination approach when discovering vulnerabilities of this nature for the common good of cyber security.