Google’s threat analysis group has today via an official blog post revealed a critical vulnerability in the Windows operating system. To further add to the unfortunate news, the tech behemoth notes that the vulnerability still hasn’t been patched by Microsoft and is currently being actively exploited. It has also shared sparse details about the vulnerability to make the masses aware of the exploit.
This vulnerability detailed by Google is a local privilege escalation which allows intruders to bypass the security sandbox in the Windows 32K system. It has further described the complete vulnerability in Windows as under:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
In addition, Google has made this disclosure public just ten days after reporting it to Microsoft on October 21st. Talking about the sudden public disclosure, the tech behemoth said it already has guidelines in place which provide the vendor with a brief 7-day period to patch the vulnerability. And it extended the same up to 10 days for Microsoft. The task of the security analysis team is to report critical zero-day vulnerabilities first to the vendor and then to the general masses to make them aware of it.
Google, however, did not miss a chance to mock Microsoft by deploying a zero-day patch for Chrome browser while the complete Windows itself still remains vulnerable to attacks. But doesn’t Google think that it is more difficult to code, test and deploy a patch for a complete operating system rather than a piece of software running on that OS.
This public disclosure, without consultation, has made the Redmond giant quite unhappy and further soured their relations as competitors. In a statement to VentureBeat, a Microsoft spokesperson says,
We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.
In the blog post, Google also added that exploiting this vulnerability in Windows depended on a separate bug within Adobe Flash. This vulnerability in Flash has been patched through an update about a week ago, so the Windows vulnerability has currently been mitigated. So make sure you update Flash to protect your system against attacks if you haven’t already. Hackers and cyber criminals will continue to look for methods to exploit this vulnerability until an update patch is released by Microsoft.