Did Google's Threat Analysis Group kick sand in Microsoft's face by disclosing an unpatched, critical vulnerability capable of triggering a sandbox escape?

Ten days after privately disclosing an actively exploited, critical Windows vulnerability to Microsoft Corporation, Google's Threat Analysis Group went public with the flaw, despite the lack of a patch.

The zero-day vulnerability is a local privilege escalation in the Windows kernel which, if exploited, can allow attackers to execute malicious code capable of escaping secure sandbox environments.

Google's announcement, delivered via the company's security blog, drew a sharp rebuke from Microsoft. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” said Terry Myerson, EVP of Microsoft's Windows and Devices Group, in a Microsoft guest blog post published Tuesday.

However, Google security experts Neel Mehta and Billy Leonard wrote in their own company's blog post that Google acted within the guidelines of its corporate vulnerability policy, which allows researchers to begin publicly disclosing details of actively exploited, severe vulnerabilities seven days after private disclosure.

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” states a 2013 Google blog post detailing the policy.

According to Google, Microsoft was first alerted to the issue on Oct. 21, 10 days prior to public notification. For its part, Microsoft announced that it plans to release patches for all affected versions of Windows in its next update on Tuesday, Nov. 8.

The Google post reported that attackers can trigger the vulnerability “via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.” Google Chrome's sandbox remains immune to this escape, however, because it uses a Win32k lockdown mitigation to block win32k.sys system calls from sandboxed processes.
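The Win32k lockdown that the article credits with protecting Chrome's sandbox is a per-process Windows mitigation that an administrator can also inspect and, for non-GUI worker executables, enable. The PowerShell below is an added example for defenders and is not code from the article, Google or Microsoft. It assumes Windows 10 version 1709 or later (the `ProcessMitigations` module that ships `Get-ProcessMitigation` and `Set-ProcessMitigation`), an elevated prompt for the `Set-` call, and that the `SystemCall` property group of the `Get-ProcessMitigation` output exposes `DisableWin32kSystemCalls` and `Audit`; `chrome.exe` is used only as a process to read, and `sandboxed_worker.exe` is a placeholder executable name.

```powershell
# Added example (not from the article): audit and, optionally, enable the
# Win32k lockdown mitigation ("DisableWin32kSystemCalls") that blocks the
# win32k.sys system-call surface the article describes.
# Assumes Windows 10 1709+ (ProcessMitigations module); Set-ProcessMitigation
# needs an elevated prompt.

function Get-Win32kLockdownState {
    <#
      Report the Win32k system-call mitigation state of every running
      instance of an executable, e.g. chrome.exe. A browser's sandboxed
      renderer processes should show DisableWin32kSystemCalls = ON while the
      UI-drawing browser process cannot (it needs win32k to paint windows).
    #>
    param([Parameter(Mandatory)][string]$ProcessName)

    Get-ProcessMitigation -Name $ProcessName -RunningProcesses |
        ForEach-Object {
            # Assumption: 'SystemCall' group exposes these two flags.
            [pscustomobject]@{
                Process             = $ProcessName
                Win32kCallsDisabled = $_.SystemCall.DisableWin32kSystemCalls
                Win32kCallsAudited  = $_.SystemCall.Audit
            }
        }
}

function Set-Win32kLockdown {
    <#
      Apply the mitigation to a named executable via the system-wide
      per-image settings. Start in audit mode: it logs win32k calls instead
      of failing them, so you learn whether the program can live without
      win32k before enforcement kills it on the first GUI call.
    #>
    param(
        [Parameter(Mandatory)][string]$ExecutableName,
        [switch]$Enforce
    )

    if ($Enforce) {
        Set-ProcessMitigation -Name $ExecutableName -Enable DisableWin32kSystemCalls
    } else {
        Set-ProcessMitigation -Name $ExecutableName -Enable AuditSystemCall
    }
    # Read back what is now configured for that image name.
    Get-ProcessMitigation -Name $ExecutableName | Select-Object -ExpandProperty SystemCall
}

# Usage: inspect a running browser, then audit a placeholder worker binary.
Get-Win32kLockdownState -ProcessName 'chrome.exe' | Format-Table -AutoSize
Set-Win32kLockdown -ExecutableName 'sandboxed_worker.exe'            # audit only
# Set-Win32kLockdown -ExecutableName 'sandboxed_worker.exe' -Enforce # after audit is clean
```

Note the design difference this exposes: `Set-ProcessMitigation -Name` applies to every process started from that image name, which is why it should never be used on a GUI executable such as `chrome.exe` itself; Chrome instead turns the policy on programmatically inside each renderer process, leaving the window-drawing browser process unrestricted. The check is still useful as a detection: a sandboxed worker whose `DisableWin32kSystemCalls` reads anything other than ON is exposed to exactly the class of kernel bug the article describes.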

According to Myerson in his Microsoft blog post, the vulnerability in question was one of two critical flaws exploited in combination with each other to execute a “low volume spear phishing campaign” run by the Russian threat actor group Strontium – also known as Fancy Bear, Sednit and Sofacy. The other vulnerability, designated CVE-2016-7855, was a use-after-free flaw found in Adobe Flash. Google researchers separately contacted Adobe on Oct. 21 and the company issued a patch five days later. Because the Adobe flaw was remedied, Microsoft argues that its own vulnerability is no longer an imminent threat.

“We disagree with Google's characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented,” said an unidentified Microsoft spokesperson, in comments sent to SC Media.

The Windows kernel vulnerability resides in Windows Vista through the Windows 10 November Update, although recent mitigations in the win32k kernel component have at least temporarily halted active exploits until the permanent solution is deployed, Myerson asserted in his blog post.

“Zero-day vulnerabilities can be extremely valuable, both to those engaging in offensive protection and to those looking for malicious exploitation,” said Thomas Pore, director of IT and services at malware incident response firm Plixer, in comments emailed to SC Media. “While Windows still dominates the end-user operating system experience, news of an unknown privilege escalation vulnerability is serious business as many are now exposed. Google's disclosure policy defines a reasonable notification strategy, with an upper bound at 60 days and [seven days] for actively exploited zero-day vulnerabilities.”

However, Udi Yavo, co-founder and CTO of data protection firm enSilo, was more critical of Google, and suggested its dispute with Microsoft underscores the need for legislation that regulates disclosure timetables. In comments emailed to SC Media, Yavo said that Google's rapid disclosure “doesn't ultimately help achieve everyone's goal, which should be keeping consumers and their data safe. By disclosing a vulnerability early, without allowing time for a patch, Google opened up the small pool of people who found the vulnerability and knew how to exploit it, to all.”