Two tech giants are in a verbal tussle after the public disclosure of a zero-day Windows system vulnerability that is reportedly already being exploited by hackers.
This zero-day Windows exploit is said to be a local privilege escalation in the Windows kernel that could allow an attacker to escape software security sandboxing and install a backdoor. The bad news is there is no patch issued yet.
Google discovered and reported the critical Windows flaw to Microsoft on October 21 and, in accordance with Google's 7-day disclosure policy on actively exploited zero-day vulnerabilities, revealed the flaw publicly 10 days later.
According to Google, although this seven-day timeframe is "too short for some vendors to update their products," it is enough time to publish details to help users protect themselves if no patch or advisory has been issued yet.
Microsoft thinks otherwise and believes that they were simply not given enough time to issue a patch before the public disclosure.
"We believe in coordinated vulnerability disclosure and today's disclosure puts customers at potential risk," a Microsoft spokesperson stated via VentureBeat.
On Tuesday, Terry Myerson, Microsoft's executive vice president of the Windows and Devices group, posted on Microsoft's TechNet page that the company traced this attack campaign to the Russian hacking group Strontium. According to the post, the group also used two zero-day bugs in Adobe Flash in conjunction with the Windows flaw to execute the attacks.
While Microsoft has yet to issue a Windows patch, Adobe already released emergency patches to fix the Flash Player bugs on October 26, and Google issued a fix to mitigate the Flash bug in Chrome. These fixes should close the initial attack vector, but computers without the Windows patch remain at risk from the kernel flaw.
Microsoft is expected to issue a patch to fix this bug on November 8.
Until then, customers are advised to use Microsoft Edge on the Windows 10 Anniversary Update, since that configuration is believed to be protected from these attacks.
Google likewise encourages "users to verify that auto-updaters have already updated Flash and to manually update if not." The company also advises customers "to apply Windows patches from Microsoft when they become available."
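The two interim mitigations above (an up-to-date Flash Player and Edge on the Windows 10 Anniversary Update) can be audited on a host with a short script. The following PowerShell is an added example, not code from the article, Google, Microsoft or Adobe. It assumes that the minimum patched Flash version is supplied by the reader from Adobe's October 26 bulletin (the article does not quote a version number), that build 14393 corresponds to the Anniversary Update, and that the standalone Flash players record their version under the `HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX` and `FlashPlayerPlugin` registry keys.

```powershell
# Added example (not from the article): check a Windows host against the two
# interim mitigations the article relays.
#   1. Standalone Flash Player (ActiveX / NPAPI) is at or above the fixed version.
#   2. The machine runs the Windows 10 Anniversary Update, where Edge is
#      believed to be protected.
# Assumptions not stated in the article: the fixed Flash version comes from
# Adobe's bulletin (passed in by the caller); 14393 is the Anniversary Update build.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinFlashVersion,       # take this from Adobe's October 26 bulletin
    [int]$AnniversaryBuild = 14393   # assumption: Windows 10 version 1607 build
)

function Get-FlashVersions {
    # The standalone players register their version under these keys (assumption).
    # Chrome and Edge bundle their own Flash and update it with the browser or
    # through Windows Update, so they are not inspected here.
    $keys = @{
        'ActiveX (IE)'   = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
        'NPAPI (plugin)' = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin'
    }
    foreach ($name in $keys.Keys) {
        $props = Get-ItemProperty -Path $keys[$name] -ErrorAction SilentlyContinue
        if ($props -and $props.Version) {
            [pscustomobject]@{ Player = $name; Version = [version]$props.Version }
        }
    }
}

function Test-FlashPatched {
    param([version]$Minimum)
    $installed = @(Get-FlashVersions)
    if ($installed.Count -eq 0) {
        Write-Host 'Flash: no standalone ActiveX/NPAPI player installed (nothing to patch).'
        return $true
    }
    $ok = $true
    foreach ($p in $installed) {
        if ($p.Version -ge $Minimum) {
            $state = 'OK'
        } else {
            $state = 'OUTDATED - auto-update did not run, update manually'
            $ok = $false
        }
        Write-Host ("Flash {0}: {1} [{2}]" -f $p.Player, $p.Version, $state)
    }
    return $ok
}

function Test-AnniversaryUpdate {
    param([int]$Build)
    $os = Get-CimInstance Win32_OperatingSystem
    $current = [int]$os.BuildNumber
    $onBuild = ($os.Caption -like '*Windows 10*') -and ($current -ge $Build)
    $label = if ($onBuild) { 'Anniversary Update or later' } else { 'below Anniversary Update' }
    Write-Host ("Windows: {0} build {1} [{2}]" -f $os.Caption, $current, $label)
    return $onBuild
}

$flashOk = Test-FlashPatched -Minimum $MinFlashVersion
$edgeOk  = Test-AnniversaryUpdate -Build $AnniversaryBuild
if (-not ($flashOk -and $edgeOk)) {
    Write-Warning 'Host does not meet the interim mitigations; apply the Windows patch as soon as Microsoft ships it.'
}
```

Run it as `.\Check-Mitigations.ps1 -MinFlashVersion <version from Adobe's bulletin>` from an elevated prompt; the registry keys are readable without elevation, but reading them as an administrator avoids redirection surprises on 32-bit players under 64-bit Windows. The script only reports; it does not change anything on the host.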
If you're still using Flash, click here for the Adobe Flash Update Tool guide.
To read Microsoft's official statement, click here.
For Google's public disclosure of this bug, check their security blog.