Short Bytes: Google told Microsoft about a critical vulnerability in the Windows kernel that can be used to escape a security sandbox. After waiting for around 10 days, Google publicly disclosed the existence of the previously unknown vulnerability. Microsoft has yet to release a fix.
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google explains in the post.
The company acknowledges that the bug is being actively exploited, which is why it is a matter of concern.
Microsoft seemed displeased but was reluctant to issue a statement regarding the zero-day bug. “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson later told VentureBeat.
Google also informed Adobe about the Flash vulnerability CVE-2016-7855 on October 21, and it has been patched. Users simply need to update Adobe Flash on their machines, and the fix will also be available via Chrome auto-update. This is not the first time Google has disclosed a Windows bug to the public. It did so in January for Windows 8.1.
Many software companies argue that a week is not enough time to release a security patch after testing it thoroughly. Security researchers, for their part, believe that a vulnerability should be disclosed only once a patch has been released for it.