Microsoft has confirmed that it has included a patch for a vulnerability disclosed by Google after just one week's notice in its latest Patch Tuesday release, while Google itself has failed to patch a flaw in its own source code as part of its recent own security release.
Microsoft's latest Patch Tuesday release, made available for download on the second Tuesday of the month as is tradition, includes a patch for a security vulnerability
publicly disclosed by Google earlier this month after its security team gave Microsoft just one week's notice. The vulnerability, which Google has claimed was under active attack, allowed malicious code to escape from its sandbox and run with kernel-level privileges - including code running within a web browser, making it both relatively easy to exploit and extremely dangerous.
Microsoft's November update is detailed in full on the company's
Technet site, and also includes fixes for a further four publicly-disclosed security vulnerabilities one of which is known to be under active attack. These vulnerabilities range from flaws in Windows' font handling subsystem to holes in both the Internet Explorer and Edge web browsers, plus an Office issue which can allow for remote code execution when a user opens a specially-crafted malicious document. Naturally, there's also a security update for Adobe's much-patched Flash Player software included in the bundle, so as not to break the company's long-running streak of critical vulnerabilities.
While Microsoft has been quick to patch the flaw highlighted so publicly by Google, the advertising giant has been left with egg on its face by the discovery that its own November security update for the Android operating system does not include a patch against the Dirty COW vulnerability, which - like Microsoft's flaw - allows malicious applications to execute root-user-level privileged code, is trivially exploitable, and is under active attack. Instead, the company added a separate fix specifically for its current Nexus and Pixel branded devices, leaving older and third-party handsets vulnerable until the December update rolls around unless vendors take the decision to patch the flaw themselves.
Want to comment? Please log in.