Google disclosed two actively exploited vulnerabilities seven days after revealing them to the relevant vendors, which in this case are Adobe and Microsoft. Google said that Adobe has already fixed its bug, but that Microsoft hasn’t released an advisory or fix yet.
Google’s Vulnerability Disclosure Policies
Back in 2010, Google adopted a general policy of revealing vulnerabilities in software tools of other vendors within 60 days of alerting the vendors themselves. The policy was a middle ground between two popular choices at the time: full disclosure and “responsible” disclosure.
Full disclosure meant that the vendor would find out about the vulnerability at the same time as everyone else, thus creating an “emergency” situation for the vendor for every bug. Responsible disclosure, on the other hand, meant that the discoverer would not alert the public about the bug until the vendor had fixed it. In some cases that could mean never, or the companies involved would fix the bugs too slowly.
Google extended its policy to 90 days in 2015, following a spat with Microsoft after that company failed to fix a bug within the time frame Google had announced. Google also added a 14-day grace period for when the vendor of the vulnerable product misses the 90-day deadline but tells Google that a fix should be ready within the following 14 days. If the vendor still fails to fix the bug within that grace period, Google reveals the vulnerability to the public.
In 2013, Google added a seven-day limit to its vulnerability disclosure policy for critical vulnerabilities that are actively under attack. Seven days may seem like a small amount of time in comparison to its more general vulnerability disclosure policy, but when it comes to a serious bug such as Heartbleed, it may even be too much. Vendors need to immediately fix critical bugs to protect users’ data, especially when it’s already known that attackers are actively taking advantage of it to hack into systems and steal data.
Adobe And Microsoft’s Actively Exploited Bugs
On October 21, Google reported to Adobe and Microsoft two critical bugs that attackers were actively exploiting. Five days later, on October 26, Adobe had already fixed the Flash vulnerability.
However, according to Google, Microsoft hasn’t taken any public action yet to fix the bug or announce to users that the bug exists and that attackers are actively exploiting it. If it did, users (including IT administrators) could take the necessary steps to try to defend themselves against the exploit until Microsoft releases a patch.
The vulnerability in question is a local privilege escalation in the Windows kernel that can be used to bypass security sandboxes of various software tools, such as browsers. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
Chrome Is Safe (On Windows 10 Only)
Google said that Chrome can take advantage of the Win32k lockdown mitigation feature in Windows 10, so Chrome is not vulnerable to this bug on that version of Windows. It does appear to be vulnerable on the other Windows versions, though, which is why Google is making this bug public (according to its seven-day policy for such bugs). If Microsoft fixed the bug faster, Chrome users on Windows 7 and 8 would not remain vulnerable for much longer.
Google encouraged users to verify whether the auto-update tools have updated Flash and if they didn’t, the users should update Flash manually. Users should also update their Windows OS as soon as Microsoft releases a patch for its own vulnerability.
If it passes, I'd probably give it a try.
Since Microsoft has clearly demonstrated with recent policy changes that customer safety, satisfaction and sanity are the least important things to them I'd not be surprised if we don't see a patch for at least another week, maybe more...
Guys, NOT disclosing details of a vulnerability that is ACTIVELY being exploited in the wild is a far greater insanity!
Sure, you can easily argue that any sane find+patch+Quality Control cycle on such a bug would be more than 7 days, that is rather irrelevant. It is MUCH more important to get the warning out to IT and SysAdmins (of critical infrastructure and functions).
It's like complaining about how it is 'plain insanity' to expect fire-fighters to completely put out and control a fire in a 40 story hotel within 1 hour and that therefore one should not alert new and existing guests of the hotel that there is, in fact, a fire going on. "Nah, let them into the lobby man, the firefighters only had an hour to work on this, no reason to alert anyone just yet"...
Clearly, it would take longer to put out such a fire; and clearly, all the guests and prospecting guests need to be alerted ASAP.
The two actions are not mutually exclusive!
They give 90 days for lower-risk and less actively exploited vulnerabilities. But for high-risk and highly actively exploited attacks, they only give 7 days and light a fire under Microsoft's butt to fix it. Otherwise, Microsoft might be relaxed and wait the full 90 days to fix it, leaving us consumers under attack for the full 3 months.