Windows Hack Alert
A previously unknown flaw in Microsoft Windows was recently identified by Google.
“We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Neel Mehta and Billy Leonard, two security engineers at Google. “This vulnerability is particularly serious because we know it is being actively exploited.”
Since 2013, Google has operated under a policy of giving a company's developers two months to fix a bug or flaw it has identified, provided the flaw is not being exploited. The timeline shrinks to just one week if the flaw is being abused. In this case, Google claims that hackers were already aware of the flaw and were using it to compromise people’s machines. Microsoft was informed on the 21st of October and, as per policy, Google waited a week before making a public announcement.
Microsoft was not very happy with Google’s Windows hack alert going public and a Microsoft spokesperson openly admitted this while talking to the BBC.
He said, “We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented.”
“We believe in co-ordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said while talking to the VentureBeat news site.
Google defended itself on the matter by issuing a statement:
“By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management.”
Google also offered a mitigation: not exactly a solution, but a method that limits exposure to the flaw. The Chrome web browser is not exposed to the vulnerability, and using it could keep the situation under control.
Both sides have presented their positions in the argument around the hack alert. It can be debated which side is right and whether Google's decision to make the flaw public was the right one.
“What Google has done is understandable, bearing in mind it says the bug is already being exploited,” commented Dr. Steven Murdoch from University College London. “But whether or not it was right to have made the flaw public is a matter of debate – there are reasonable arguments on both sides, and we still don’t know who are the attackers and who are the targets.”
All of that being said, it is less important to argue over who is wrong and who is right. What matters more is finding a solution to the problem faced by all Microsoft Windows users.