Although Adobe has worked to fix flaws found by Google, Microsoft has yet to act
Google has warned that a zero-day vulnerability still exists in Windows, despite it being almost a week since Microsoft was first notified of the problem.
The critical vulnerabilities were reported by Google’s Threat Analysis Group on 26 October: one in Adobe Flash Player and one in the Windows kernel, affecting Windows 7, 8.1 and 10. Used together, the two give an attacker code execution on the victim’s machine and a way out of the browser’s sandbox.
Adobe has since released an emergency patch for the Flash vulnerability, designated ‘CVE-2016-7855’, a use-after-free memory flaw that allowed attackers to execute code remotely and take control of a victim’s system.
Microsoft has yet to release an emergency patch for the remaining Windows bug, which attackers are still exploiting, according to a Google security blog post.
“After seven days, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” said Neel Mehta and Billy Leonard, Google Threat Analysis Group researchers and original discoverers of the flaw.
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. This vulnerability is particularly serious because we know it is being actively exploited,” the researchers added.
IT Pro has approached Microsoft for clarification about its plans to address the vulnerability but has yet to receive a reply. However, the company appears unhappy with Google’s post.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk,” said Microsoft in an email to VentureBeat on Monday.
Google would typically give a company 60 days to fix a reported vulnerability before disclosing it, but under guidelines it published in 2013, any vulnerability considered ‘under active attack’ should be addressed with a fix or a public advisory within seven days.
“We encourage users to verify that auto-updates have already updated Flash – and to manually update if not – and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” said Google.
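For administrators who want to confirm the first half of that advice across a fleet rather than trust auto-update, the PowerShell script below is an added example written for this page; it is not from the IT Pro article, Google or Adobe. It inspects the Flash Player binaries Windows actually loads (the ActiveX control used by Internet Explorer and Edge, and the NPAPI plugin used by Firefox) and compares their file versions with a minimum version you pass in. The `-MinVersion` value is an assumption left to the operator: take it from Adobe’s bulletin for CVE-2016-7855, since the article does not state the fixed build number.

```powershell
# Added example (not code from the article, Google or Adobe): report whether every
# Flash Player binary installed on this Windows host is at or above a given fixed version.
# Usage:  .\Check-FlashVersion.ps1 -MinVersion 23.0.0.205   (version number is an assumption;
#         substitute the fixed version listed in Adobe's bulletin for CVE-2016-7855)
param(
    [Parameter(Mandatory = $true)][Version]$MinVersion
)

# Standard locations of the Flash runtime. Both exist on 64-bit Windows; 32-bit hosts only have System32.
$dirs = @(
    "$env:SystemRoot\System32\Macromed\Flash",
    "$env:SystemRoot\SysWOW64\Macromed\Flash"
) | Where-Object { Test-Path $_ }

$results = foreach ($dir in $dirs) {
    # Flash*.ocx is the ActiveX control, NPSWF*.dll the NPAPI plugin
    Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flash stamps its version as "23,0,0,205"; swap commas for dots so [Version] can parse it
            $raw = ($_.VersionInfo.ProductVersion -replace ',', '.').Trim()
            $parsed = $null
            $ok = [Version]::TryParse($raw, [ref]$parsed)
            [PSCustomObject]@{
                File    = $_.FullName
                Version = if ($ok) { $parsed } else { $raw }
                # An unparseable version is treated as unpatched so it is never silently ignored
                Patched = $ok -and ($parsed -ge $MinVersion)
            }
        }
}

if (-not $results) {
    Write-Output 'No Flash Player binaries found in the standard locations (Flash may be absent).'
    exit 0
}

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Patched }) {
    Write-Warning "At least one Flash binary is below $MinVersion; update it manually or remove Flash."
    exit 1
}
Write-Output "All Flash binaries are at or above $MinVersion."
exit 0
```

The non-zero exit code lets the script feed a configuration-management or monitoring job, and treating an unreadable version string as unpatched errs on the side of flagging a host for a human to look at rather than quietly passing it. The second half of Google’s advice, the Windows kernel fix, cannot be checked this way until Microsoft publishes the update and its knowledge-base number.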