Contrary to expectations of dramatic corporate rivalries, it’s not uncommon for companies to report bugs they found in other, even rival, companies’ products. Some, however, have policies that those other companies might disagree with. For example, Google has irked some such companies over its 0-day exploit disclosure policy, but this time it may be doing Microsoft a favor by recommending that users upgrade to Windows 10 to stay safe.
The last time Google publicly disclosed another company’s 0-day vulnerability, it was met with criticism. It was, after all, a vulnerability in Epic Games’ Fortnite installer. It was almost too easy to attribute it to payback on Google’s part, especially since Epic said it asked Google to hold back on the disclosure while it fixed the bug.
To be fair, Google has had a security vulnerability policy in place since long before that. It cites that policy in its latest report, explaining why it’s disclosing two bugs now, just seven days after informing the developers (in this case, Google itself as well as Microsoft) of the bugs. That policy states that 0-day vulnerabilities, or vulnerabilities under active exploit, must be patched urgently, and early disclosure more or less pushes developers to move even more quickly.
In this particular instance, one vulnerability was found in Microsoft Windows, specifically Windows 7 only. Newer versions have already mitigated or fixed the vulnerability, so they’re no longer at risk. However, Windows 7 is no longer being maintained and will never get that fix, except, perhaps, for enterprise customers paying for extended support.
In other words, Google’s advice to Windows 7 users is to upgrade to Windows 10 and immediately apply the latest patches. That said, if such users still haven’t upgraded at this point, they likely have stronger reasons not to. Google is also encouraging Chrome users to check that they’re running on version 72.0.3626.121 or later to get the latest fix for its own 0-day exploit.