Microsoft is mad at Google because the latter published details about a dangerous security vulnerability in Windows on the Google Security Blog. The search giant says it informed Microsoft about the bug ten days in advance and claims this is enough time to either publish a patch or release details about possible mitigation techniques.
The local privilege escalation vulnerability can be used as a security sandbox escape and was actively exploited in the wild before Google publicly disclosed it. Microsoft isn't pleased because it claims Google's action put users at risk, while Google says it's sticking to its policy, which forces software firms to speed up their response time to fix security vulnerabilities. A similar incident occurred in 2015, when Google also disclosed unpatched holes in Windows.
"Seven days is an aggressive timeline and may be too short for some vendors to update their products," Google said in a blog post in 2013. "But it should be enough time to publish advice about possible mitigations."
Microsoft slammed Google's move. "We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," the company said in an email on Monday.
Google claims that on Windows 10, its Chrome browser prevents the exploit because Chrome's own sandbox is able to block the system call.