There's a tiny scandal brewing between two of Silicon Valley's elites after Google engineers publicly disclosed a zero-day vulnerability affecting every supported version of Windows before Microsoft could issue a patch for it.
At the heart of the problem is a series of exploitation attempts detected by Google's Threat Analysis Group, a division of Google's security team that keeps an eye out for complex and out-of-the-ordinary cyber-attacks, usually the work of state-sponsored cyber-espionage groups.
On October 21, Google's engineers say they detected a sophisticated attack chain that combined two zero-days, one in Adobe Flash Player and the other affecting all Windows versions from Vista through Windows 10.
Google went through its normal procedure and notified both Adobe and Microsoft, asking them to provide patches. Five days later, on October 26, Adobe released Flash Player version 23.0.0.205, which fixed CVE-2016-7855, a use-after-free vulnerability that allowed an attacker to execute malicious code on the user's computer. At the time of writing, Microsoft has yet to release a security patch.
Google's research team works by its own set of rules. When Google engineers discover a flaw in a product, they inform the vendor and allow it 90 days before making the vulnerability public, so that users can switch apps or take other steps to protect themselves if the vendor doesn't secure its product.
For zero-days, meaning vulnerabilities already being exploited by attackers, Google gives vendors only seven days. Seeing that ten days had passed since its engineers alerted Microsoft, and no patch had been released, on October 31 Google unceremoniously disclosed to the world the presence of a dangerous zero-day affecting every Windows version released in the past ten years.
Even though Google didn't release the full exploitation chain, it revealed enough clues about where the zero-day could be found.
The Windows vulnerability, later tracked as CVE-2016-7255, is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. According to Google, it can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Because the trigger is an ordinary win32k system call, any user-mode process that is allowed to create windows can reach it; that is exactly why it works as a sandbox escape, since a browser sandbox limits what a process may do with OS objects but does not, by itself, stop the process from exercising buggy kernel code.
As you can imagine, Microsoft engineers were not happy about Google's decision. In a statement published the next day, Terry Myerson, Microsoft's Executive Vice President of the Windows and Devices Group, said that, whatever Google's rules say, the search giant should have known that developing, testing, and releasing patches for ten years' worth of Windows releases isn't a job that can be rushed.
Myerson says Microsoft engineers have already put together the necessary patches and are currently testing them with industry partners. The fix will ship on November 8, the date of the company's next Patch Tuesday release.
Furthermore, to dispel the ominous impression that all Windows users are under a barrage of attacks because its engineers failed to release a patch in time, Microsoft provided more details about the attacks.
Microsoft, which also runs its own threat intelligence division for tracking high-level cyber-espionage campaigns, says that the attacks using the recent Flash and Windows zero-days are "low-volume" and aimed only at a specific set of targets.
According to Microsoft, the group behind the attacks is one it tracks as Strontium. Other security vendors identify the same group as Fancy Bear, APT28, Sednit, and Pawn Storm. You may recognize the name "Fancy Bear" from the intrusion into the Democratic National Committee's servers that was disclosed in the summer of 2016.
The group has a history of targeting government agencies, reporters, diplomats, military organizations, and private sector entities that deal with governments. It has been tied to cyber-attacks all over the world, and many believe it to be the unofficial offensive cyber unit of Russia's military intelligence service, the GRU, although nobody has yet provided concrete and undeniable evidence to support these claims.
In its most recent attacks, Microsoft says Strontium sent spear-phishing emails luring victims to websites hosting weaponized Flash files. When the user landed on the page, the Flash file would play, trigger the Flash zero-day, and take over the user's browser process.
Since most browsers now run web content inside sandboxed, low-privilege processes, the attacker couldn't reach the underlying OS from there. This is where the Windows zero-day came in handy: it allowed the attackers to elevate the privileges of the compromised browser process, escape the sandbox, and download and install a backdoor Trojan on the infected computer.
Microsoft says that users of Microsoft Edge on Windows 10 Anniversary Update are protected from the versions of this attack observed in the wild.
Furthermore, since Adobe has already released a patch, users who have updated their Flash Player stop the attack at its first stage, before the Windows bug is ever reached. This may also explain why Microsoft felt it could take its time developing a proper patch. Note, however, that an updated Flash Player removes only this particular entry point: the kernel bug itself remains exploitable from any other code-execution foothold until the Windows patch is installed.
Nevertheless, disclosing the existence of the Windows zero-day might have alerted other categories of cyber-crooks, such as exploit kit developers.
The same opinion is shared by Ilia Kolochenko, High-Tech Bridge CEO and Founder, who spoke with Bleeping Computer today.
"Taking into consideration that the vulnerability is actively exploited in the wild, and Microsoft delays a security patch, I can understand Google's motivation to urge Microsoft to release the patch," Kolochenko says. "However, in this particular case, full disclosure may just aggravate the situation for the end-users (victims) by making more cybercriminals exploit the flaw."
But this is not the first time Google and Microsoft have clashed over security issues. In both 2014 and 2015, Microsoft failed to fix security bugs reported by Google's Project Zero team within the 90-day window, and Google published them. Following intense criticism from the infosec community, Google tweaked its disclosure policy, adding a 14-day grace period for vendors that commit to a fix date, but the 90-day and 7-day deadlines remained intact.