Usually there’s a grace period, but in the latest case involving Microsoft’s Windows platform, it seems Google decided the issue was too important to wait and has since published its findings. This has annoyed Microsoft, which felt that Google’s disclosure, made before Microsoft had a chance to fix the flaw, could put users at risk.
According to Google’s post, “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
In a statement made to VentureBeat, Microsoft said, “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
As for Windows users wondering what they can do to protect themselves, it seems that this flaw is linked with the Adobe Flash vulnerability, which apparently has since been patched by Adobe, meaning that for now the Windows vulnerability has been mitigated. However, just to be safe, Google has recommended that users verify that their Flash has been updated to the latest version.