We’ve written before about Google’s Threat Analysis Group, the team Google has tasked with looking out for security threats across all software and programs, not just those linked to Google products. The team has found a number of issues and bugs through the years, the biggest being the Internet Explorer bug we told you about back in January. It seems they’ve now found another huge vulnerability in Windows 7, which has led the team to advise all Windows 7 users to upgrade to Windows 10.
Google has discovered a new zero-day bug in Windows 7
A zero-day bug is one that is unknown to the developers behind the program it has been found in. In this instance, it is a bug that Google has discovered in a piece of software developed by Microsoft that Microsoft didn’t know about. Google found the Windows 7 vulnerability when the Threat Analysis Group discovered a similar bug in Google Chrome.
According to Clement Lecigne, who published a blog post on the discovery for the Threat Analysis Group, “On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together…” He went on to say of the Windows bug, “We strongly believe this vulnerability may only be exploitable on Windows 7… The unpatched Windows vulnerability can still be used to elevate privileges or combined with another browser vulnerability to evade security sandboxes.” In other words, malicious code could use the vulnerability to gain elevated privileges or, paired with a browser bug, to break out of the sandbox meant to confine it and take control of other parts of the device.
Although Lecigne went on to say Microsoft is working on a patch, he also said no patch is available right now. He and his team recommend upgrading to Windows 10 as soon as possible. They say that the vulnerability is both serious and being actively exploited in targeted attacks. Google has already released a patch that deals with the vulnerability in Chrome. You can find more information about issues relating to the Chrome version of the bug here.
Google’s Threat Analysis Group has what it calls a vulnerability disclosure policy. This dictates when they will tell developers about zero-day issues with their code and then when they will tell users if the developers haven’t acted on the first disclosure. As Microsoft failed to release a patch for the bug in time, Google released the information to the public.
This might be cynical to assume, but there is a good chance Microsoft deliberately didn’t act in time so that Google would release their findings and recommend upgrading to Windows 10. Ever since Microsoft launched Windows 10 for free, it has been actively pushing users towards its flagship operating system. With moves like charging up to $200 a year for Windows 7 support already under its belt, it wouldn’t come as too much of a surprise if it held back on a security patch just long enough for Google to urge Windows 7 users to upgrade.