Google’s Project Zero discloses Windows 0day that’s been under active exploit (arstechnica.com)
51 points by Cantbekhan 2065 days ago
6 comments

The link goes to the comments section. This one doesn't: https://arstechnica.com/information-technology/2020/10/googl...
Seems like they conveniently waited to fix Chrome bug before going ballistic at Microsoft.
Project Zero's disclosure policy as described in the article appears to leave little room, if any, for the bias you appear to be implying:

> In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

In addition, the two bugs appear to be unrelated other than being used as part of the same attack chain. The Chrome/FreeType vulnerabilities were reported on 2020-10-19 [0, 1], while the Windows vulnerability was reported on 2020-10-22 [2]. The Chrome team released a fix for their bug the day after it was reported [3], while Microsoft is either still working on fixing the bug or is waiting for Patch Tuesday.

[0]: https://bugs.chromium.org/p/chromium/issues/detail?id=113996...

[1]: https://savannah.nongnu.org/bugs/?59308

[2]: https://bugs.chromium.org/p/project-zero/issues/detail?id=21...

[3]: https://twitter.com/benhawkes/status/1318640422571266048

The combination of Chrome sandbox escape and Windows escalation makes an extremely potent and high-value combination. I hope we get more information on the "targeted" attacks.
The article mentions how a bug in a library Chrome uses allowed a sandbox escape. I am left wondering if forks of Chrome (such as Edge, which I'm using to type this from) are already updated. This is what really worries me about using Edge. Not to mention unstaffed forks such as Ungoogled Chromium.
Did they include a proof of concept in the disclosure even though the Google patch has only been out for a week and the Microsoft patch is not yet available?

Showing more adversaries how to make exploits right now doesn't seem like a great idea?

My understanding is that it’s not a full PoC. It’s enough to crash Windows, but not enough to do more than that. An attacker would likely need to do additional work to make it relevant to them unless they’re just a prankster. Given that the disclosure says exactly where an attacker would need to start looking, it doesn’t make much difference whether a PoC is released in this case.

This isn’t always true: sometimes knowing where to look is the easy part, and crafting a working exploit is the hard part. I don’t get the impression that’s the case here.