Google Inc. dropped a bomb on Microsoft Corp. Monday by revealing a vulnerability in its Windows operating system that’s yet to be patched.

Google says attackers can exploit the bug to gain administrator-level access using simple malware. In a blog post, Neel Mehta and Billy Leonard of Google’s Threat Analysis Group said they’d taken decision to go public after finding exploits for the bug were already in the wild. The company has a policy of giving software developers just seven days to patch vulnerabilities it discovers, in cases when they’re already being actively exploited by cyber-criminals.

At the same time, Google also revealed a new Flash vulnerability it shared with Adobe Systems Inc. last week. Adobe was told about the bug on the same day as Microsoft, and has already issued a patch. However, Microsoft has so far failed to do the same, and all Google could recommend in mitigation is to “apply Windows patches from Microsoft when they become available.”

Not surprisingly, Microsoft wasn’t happy with Google’s decision to go public before it could issue a patch.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” the company said in a statement to the media. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Microsoft’s argument against Google’s policy of revealing flaws is that an operating system like Windows is far more complex than a simple web plugin like Flash, and therefore issuing a patch can take much longer than a week. But Google maintains that it’s safer if the public is made aware of these flaws in cases where they’re already being actively exploited.

Photo Credit: mendhak Flickr via Compfight cc