Google reveals actively exploited Windows vulnerability, but no patch as of yet from Microsoft
Just 10 days since discovery, Google's Threat Analysis Group has released details about Windows zero-day vulnerability. This disclosure has left millions of Windows users at risk, as Microsoft has yet to patch the vulnerability.
Google had found out two actively exploited vulnerabilities in Adobe and Microsoft. According to Google’s internal policy, which states that companies should fix or publicly report flaws that are under attack after seven days, the vulnerabilities were revealed to the relevant vendors. Google said that Adobe has already fixed its bug, but that Microsoft hasn’t released an advisory or fix yet for the patch.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
According to Google’s disclosure policy, the vendors have 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations. Published in 2013, the policy included the seven-day deadline on critical flaws under active exploitation. “The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google said at the time.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”
This is not the first time that Google has made such information public prior to the availability of a fix. Two years ago, the company reported about an unpatched Windows 8.1 security flaw and was later criticized by Microsoft for disclosing details about another Windows 8.1 vulnerability before it was patched.
Google's data has shown that Windows 10 vulnerability is being actively exploited and it is "particularly serious.” The details of the vulnerability are as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Google’s Threat Analysis Group said they disclosed the vulnerability to Microsoft on October 21 for which Microsoft has not yet published a security advisory or a patch. It has been ten days since it was privately disclosed by Google. Hopefully, Microsoft will release a fix for this vulnerability via Windows Update soon before it becomes a big problem for the software giant.