
Google discloses Windows vulnerability just 10 days after reporting it to MSFT - flinner
http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/
======
mtgx
It's an actively exploited critical vulnerability that allows sandbox bypasses
(Chrome, etc).

[https://security.googleblog.com/2016/10/disclosing-vulnerabi...](https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html)

I would certainly hope it doesn't take Microsoft 3 months to fix it.

~~~
rurban
Exactly. If it's already out in the wild, being used, it's critical.
VentureBeat/Microsoft have no idea what they are complaining about. Users are
already at risk and the vendor has to publish at least some sort of advice.

The explanation of this policy is
[https://security.googleblog.com/2013/05/disclosure-timeline-...](https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html)

I believe Microsoft should have offered a short-term recommendation to
mitigate this risk until a patch is available, such as "Don't connect to the
internet...", but instead they recommended using Windows 10, which does not
help at all. Windows 10 is actively exploited this way.

------
fahrradflucht
I think the notion in the article that it's the same or even worse this time
because the exploit has already been found to be used in the wild is kind of
strange. Isn't it far worse to disclose an unknown 0-day publicly than to
disclose something that is already being exploited anyway?

~~~
tweakz
That depends. Some vulnerabilities aren't easy or worth the hassle to exploit.
If this one is being exploited by someone already, you're letting attackers
know that it's worth the effort, and handing them the manual as well.

~~~
wahern
If someone is exploiting it then you _know_ the manual is already out there.
How far it has been disseminated is unknown, but arguably it's better to
assume it's being disseminated. Otherwise anybody could argue that "not
enough" attackers know about an exploit as justification for criticizing
disclosure.

