A serious, actively exploited vulnerability in the Microsoft Windows kernel has recently been disclosed by Google’s Threat Analysis Group, before Microsoft had published a patch or any mitigation advice.
The attack disclosed by Google actually chains two bugs, one in the Windows kernel and the other in Adobe Flash: the Flash bug provides the initial code execution, and the kernel bug is a local privilege escalation that can be used to escape the sandbox. While Adobe promptly shipped a security patch for its part, Microsoft had provided no advisory or fix at the time Google’s security engineers decided to disclose, which they deem “particularly serious” because it is being actively exploited. In practical terms, updating Flash removes the entry point used by the in-the-wild exploit, but the kernel bug itself remains unpatched until Microsoft ships a fix. Adobe also remarked that:
an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.
After Google’s disclosure, Microsoft publicly acknowledged the vulnerability and promised that a patch would be available on November 8, after being “tested by many industry participants”. Microsoft’s executive vice president Terry Myerson also provided some more details about Strontium, the activity group Microsoft has observed exploiting the vulnerability:
Strontium is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. [… It] will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.
According to Myerson, though:
Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
Google’s early disclosure is in line with its own disclosure policy, which gives vendors 60 days to fix a critical vulnerability but only seven days to publish either a fix or mitigation advice when the vulnerability is being actively exploited. Google regards early disclosure as a way to give users the chance to protect themselves before they become a target.
Microsoft has criticized Google’s disclosure timeline before, arguing that “responding to security vulnerabilities can be a complex, extensive and time-consuming process” because of the variety of environments that a fix must be tested against. The differing positions of the two companies are echoed by the contrasting views of a number of security researchers.