Google has disclosed a 0-day vulnerability in Windows, which the company says is pretty serious. Neel Mehta and Billy Leonard of Google's Threat Analysis Group said in a blogpost that they reported the vulnerabilities to Microsoft on October 21, but Microsoft has not released a fix yet. Mehta and Leonard explained that the Windows vulnerability is a local privilege escalation in the Windows kernel and that it can be used as a security sandbox escape. “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” they said.
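Because the Win32k lockdown mitigation is what stops this sandbox escape from working inside Chrome, a defender will want to confirm it is actually applied to the sandboxed processes on a given machine. The script below is an added example, not code from Google's post or from the Chrome project; it assumes Windows 10 with the built-in ProcessMitigations module (Get-ProcessMitigation), that Chrome's processes are named chrome.exe with renderers marked by --type=renderer on the command line, and that the mitigation is reported under the SystemCall.DisableWin32kSystemCalls property.

```powershell
# Added example: report, per Chrome process, whether the Win32k lockdown mitigation
# (DisableWin32kSystemCalls) is in effect. Assumes Windows 10 with the ProcessMitigations
# module; Get-ProcessMitigation is not available on older Windows releases.
Import-Module ProcessMitigations

# Assumption: Chrome's browser and renderer processes all run as chrome.exe.
$procs = Get-Process -Name chrome -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No chrome.exe processes found."
    return
}

foreach ($p in $procs) {
    # Renderers carry --type=renderer on their command line; the browser process has no --type.
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine
    $type = if (-not $cmd) { 'unknown' }                      # command line not readable
            elseif ($cmd -match '--type=(\S+)') { $Matches[1] }
            else { 'browser' }

    # Assumption: SystemCall.DisableWin32kSystemCalls reads ON when win32k.sys calls are blocked.
    $mit = Get-ProcessMitigation -Id $p.Id
    $locked = $mit.SystemCall.DisableWin32kSystemCalls

    [pscustomobject]@{
        PID            = $p.Id
        Type           = $type
        Win32kLockdown = $locked
    }
}
```

Renderer rows are the ones that should show the lockdown ON; the browser process legitimately keeps win32k access, so an OFF value there is expected.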
Google had reported 0-day vulnerabilities to Adobe as well, which Adobe had fixed in a Flash update addressing CVE-2016-7855. The update is available via Adobe’s updater and Chrome auto-update. Mehta and Leonard have advised users to update Flash manually if it hasn’t been auto-updated. They’ve asked users to apply the Windows patch whenever it becomes available.
VentureBeat quoted a Microsoft spokesperson who told the site that the disclosure puts users at risk. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” the spokesperson told the site. Google, in an earlier blogpost, had recommended fixing critical vulnerabilities within 60 days. It further said that companies should notify the public in case a fix is not possible and offer workarounds as well.