Google discloses zero-day in Flash, gets criticised by Microsoft for putting users at risk

Google has publicly disclosed a vulnerability in Windows before Microsoft was able to release a patch. The disclosure was heavily criticized, but according to Google the vulnerability is already being actively exploited. Microsoft now argues that Google is putting users at risk.

The vulnerability is a so-called zero-day in Adobe Flash that allows an attacker to escape from Flash's sandbox environment and take over the system. Google has published information about the vulnerability online.

The company did so 7 days after it disclosed the vulnerability to Adobe and Microsoft. Adobe quickly patched it, but Microsoft didn't, so Google decided to go public with the vulnerability. According to Google, the decision was based on the fact that the zero-day was known and actively exploited, although the search giant didn't disclose by whom or in what way.

Both Google and Microsoft are heavily criticized for the way they handled the issue. Google is blamed for publicizing the vulnerability too quickly, while Microsoft should have closed the hole faster, especially because the company was aware that the vulnerability was being actively abused.

Google has a responsible disclosure policy which states that it will go public with a vulnerability after 7 days. Others see 7 days as a very short timeframe in which to patch a vulnerability.

On the other hand, Microsoft is seen as too slow in patching the vulnerability. The company hasn't stated within the 7 days that it is working on a fix, or even whether it plans to roll one out to its users.

Microsoft has stated to VentureBeat: "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk". The company hasn't said anything about a fix in the same statement.
