
Risk & Repeat: Windows zero-day sparks disclosure debate


In this Risk & Repeat podcast, SearchSecurity editors discuss the recent Windows zero-day flaw, Microsoft's criticism of Google over the vulnerability disclosure, and more.

A Windows zero-day flaw actively exploited by a Russian advanced persistent threat group has triggered a debate over vulnerability disclosure and Microsoft's response to the revelation.

The Windows zero-day vulnerability was first disclosed by Google's Threat Analysis Group and involved a Windows kernel flaw that enabled local privilege escalation, which could also be used in conjunction with an Adobe Flash bug for a security sandbox escape. Google notified both Microsoft and Adobe of the zero-day vulnerabilities last month, and Adobe issued a patch within days of the notification. Last week, however, Google disclosed the vulnerabilities after discovering the flaws were being actively exploited.

Microsoft, which had not yet issued a patch for the Windows zero-day kernel flaw, confirmed the vulnerability was being exploited -- and claimed the threat actor responsible was the Russian APT group Fancy Bear, which had been implicated in the Democratic National Committee breach. Microsoft took issue with Google's disclosure of the vulnerability and claimed the issue was "fully mitigated" because the attack required the use of the Adobe flaw, which had already been patched. The software giant's response, however, was heavily criticized by security experts who felt Microsoft should have done more to address the issue.

Was Google right to go public with the Windows zero-day flaw? Does Microsoft have a legitimate complaint about the vulnerability disclosure? How should Microsoft have responded to the disclosure? In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the topic of the recent Windows zero-day flaw and the issues surrounding responsible disclosure of security vulnerabilities.
