Google recently disclosing an unpatched 0-day vulnerability in Windows after only giving Microsoft 7 days from notification to release a patch.
This resulted in the information about the hack being released into the wild before Microsoft could develop a patch, placing a billion Windows users at risk.
Google’s excuse was that the hole was already being actively exploited, but in a response today Microsoft’s Executive Vice President, Windows and Devices Group, Terry Myerson defended Microsoft and expressed disappointment in Google’s behaviour.
Microsoft explained that the exploits in the wild were so-called “spear-phishing” attacks ie. sent to specific people in low volume, rather than being widely distributed to the general public.
In addition Microsoft users on the latest version of Windows 10, Windows 10 Anniversary update, who are also using Edge, was already protected. Due to Microsoft’s efforts to force roll-out of updates, now clearly shown to be a good idea, already 76% of Windows 10 users are on the latest version, according to AdDuplex data.
Terry said Windows was the only platform with a commitment to investigate reported security issues and proactively update impacted devices as soon as possible and said a patch was already in testing for release on the 8th November ie Patch Tuesday.
By implication Terry of course suggested that Google did not take its responsibility to Android users equally seriously, with a large percentage of Android users on older versions of the operating system who are not having any OS updates.
In addition Windows users may note Edge offered defence in-depth by implementing code integrity measures and other security procedures clearly not practiced by Google’s Chrome browser.
Microsoft recommended that all customers upgrade to Windows 10, calling it the most secure operating system they have ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack.
Microsoft’s vision of a billion Windows users all running the very latest version of the operating system, which are all automatically up to date mean that over the next few years Windows may earn a reputation as the safest operating system to use.
Read Terry Myerson’s full post below:
Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.
Read more about the exploit and Microsoft’s mitigation measures here.