This week, Google went ahead and disclosed details surrounding a critical vulnerability currently present in Windows and it turns out that Microsoft isn't too pleased about it. The vulnerability is apparently being actively exploited by hackers, something that Google apparently knew about prior to making the bug public.
Google disclosed the issue privately to Microsoft back on the 21st of October but went public with it just ten days later, before Microsoft could issue a fix. Google describes the flaw as a “local privilege escalation in the Windows kernel”, this can be used by attackers to break into Windows systems.
This isn't the first time that Google has pulled the rug out from under Microsoft when it comes to vulnerabilities. Google went public with two Windows 8.1 issues in 2015 before a patch was ready. In a statement given to VentureBeat, Microsoft fired back at Google for putting customers at potential risk:
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Right now, there is no news on when this vulnerability will be fixed but Microsoft should be working on it as fast as possible now that everything is out in the open.
Discuss on our Facebook page, HERE.
KitGuru Says: While there are some companies out there that will ignore critical security errors unless they are publicly outed, Microsoft isn't really in a position to do that with Windows. Hopefully, a patch for this comes soon. Do you guys think Google should have publicly disclosed this bug so soon after informing Microsoft? Do you think Microsoft should have been quicker in patching?
Lol edge
Hilarious indeed how MS used to have the worst browser and now basically has the best.
This is bad practice by Google.
Google better watch out Karma is knocking at their door….
Bad practice is when you ignore prioritizing an issue already being exploited. Going public is the only way to really put the pressure on Microsoft to do their job and fix the product. Now they’re getting sour because it’s extra embarrassing since it’s now public that they didn’t even notice the exploit to begin with…
Google would do this if they haven’t been notified that the bug is being looked into. Ethical hackers often go public with bugs if the company they are researching doesn’t mention or take the issue seriously. Google has the right to protect its users, who use their software on a windows platform. If Microsoft hadn’t gone back to google with confirmation of investigation then I’m siding with google on this one. However, if Microsoft did get back to google and say “we’re looking into this matter and will update you in X days, then google should have given more time to Microsoft to perform their analysis.
“best”
Probably not the best but it’s by no means bad
I can believe that it’s better than internet explorer but arguably that’s not that hard to accomplish.
More like bad practice by Microsoft. They were informed and instead of fixing the issue right away, they are sitting on it. It will be thanks to Google that Microsoft gets off their butts and fix the issue.
How do you KNOW they arent working on it? Honestly have you ever coded or looked at an Operating system? Not that easy, especially if you dont wanna brick or ruin millions of computers stop looking for instant gratification. Shit takes time, they didnt want it announced so more people wouldnt get attacked by hackers while they work on fixing it. As much as I wouldnt mind google making them focus on it, I highly doubt that they weren’t already working on it.
This isn’t about whether Shane has or has not coded/looked at an operating system, google specifically states in their disclosure that they announce the bug to the firm in question, they then wait 7 days for a notification of acknowledgement or a fix to be applied.
All Microsoft’s team needed to do was notify google that they were looking into it.
You know that the hackers get into the computer no matter if you know about the problem or not, but as google also says, that google’s chrome browser patches the problem, i don’t see why microsoft can’t get help from google to fix this problem asap….
Where does it state that MS was made aware of the exploit? And when? If Google didn’t mention it and just outed it publicly, it’s still bad practice on them. This doesn’t absolve MS by any means as they should have caught this on their own.
10 day disclosure turn around time. Come on, thats not enough time to push a patch thru validation. Unless you like broken shit.
IE had to maintain compatibility with a whole raft of things in Enterprise that Chrome and Firefox gave 0 fucks about.
If your going to bash IE, at least have context.
10 days is nowhere even close for patch validation. Unless you like getting your shit broken of course.
That’s why I prefer Chrome to Edge or Fire Fox. Chrome is looked after 24/7. On the other hand, if something goes wrong with Edge, you have to wait for fix, u’ll be lucky if it only takes days, not weeks or months.
In the second paragraph of the article, it says that Google privately disclosed information about the bug to Microsoft on October 21. Please read the article before posting.
So I apparently overlooked that. Good Lord. You need a bandaid for your sore bottom?
I’d like three please. Just make sure you read the article before posting about it. Makes you look dumb. Cheers!
I read the article and as I said, I apparently missed it.
What does patch validation have to do with anything? Half the updates in Windows 10 break things in the first place. Anniversary update with webcams? Breaking controller exclusive mode access? Breaking DirectX 9 libraries, causing MANY older games to suddenly not work anymore?
If they were running a tight ship and had an actually decent OS with stable updates, I would be inclined to agree. As of right now, WHQL means nothing and windows updates break more basic things than they fix… saying they need a patch to be “validated” holds no water in the current state of things.
10 days isn’t enough to issue a fix at all. Some things take weeks to fix. Google had their own critical flaw in chrome that took them 3 weeks to roll an update out for. But the people who reported it to google didn’t go public, because google gave them constant update. 10 days to Research the flaw, test the flaw in real world scenarios, research why the flaw has come around (making sure it isn’t a previous update etc) – Issue a fix in dev, test thoroughly, do some real world testing, create reports and issue findings and rectifications, then release to the public. That’s not even the full cycle, but you tell me if you could do something like that in 10 days then go ahead. But like I said, I don’t think microsoft have been updating google, hence google going public.
So your argument is to have less validation? Your stupidity astounds me.
My arguement isn’t that less validation is needed, it’s that saying it needs validation is a moot point, since most of their updates break things anyway (I.E. Validation is mostly useless).
They could have just pushed out something fast and been done with it, which is apparently what they do for every other freaking update. Let people who make drivers and programs catch up with whatever updates they make without warning. That’s what they’ve been doing since W10 launched.
Microsoft recommends windows 10 and Microsoft edge. Of course they would, get everyone off of the good user interface that is easy to use and force everyone over to the new crap. Of course what Google did its just as shitty but big surprise out of them.