Google has just publicly disclosed a critical unpatched vulnerability in Windows. The move came ten days after the exploit was first revealed to Microsoft.
The 0-day vulnerability, for which a patch hasn’t been released, was brought to Microsoft’s notice on October 21. Before the vulnerability could be patched, Google went ahead and shared it publicly, stating that it is already being actively exploited.
The blog post disclosing the vulnerability read:
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
Google also mentioned that, along with this vulnerability, a Flash vulnerability was reported to Adobe on October 21st. Adobe patched it by releasing an updated version of Flash on October 26th.
Google has publicly listed its policy on why and when a security vulnerability is made public. Google’s security researchers work on finding vulnerabilities and communicate the flaws to the relevant vendors. Google follows a controversially aggressive timeline for sharing the details publicly. Although various companies point out that a 7-day deadline isn’t sufficient for a company to work on a vulnerability, Google holds that the time is ample for publishing a public advisory.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products,” Google says in a blog post, “but it should be enough time to publish advice about possible mitigation.”
Sources have also revealed Microsoft’s response to the issue: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat.