Google has gone public and posted about a critical zero-day security flaw in Windows just 10 days after reporting the vulnerability to Microsoft, and the latter company is not best pleased to say the least.
Google posted on its security blog (opens in new tab) stating that this particular flaw was being actively exploited right now, inferring that Microsoft should really be getting its act together with a patch because users are at risk (and noting that it also reported a vulnerability in Flash to Adobe at the same time – on October 21 – which the latter company fixed after five days).
Google describes the hole in Windows as a “local privilege escalation in the Windows kernel that can be used as a security sandbox escape”. In other words, it lets an attacker dodge around the operating system’s security sandbox, allowing them to execute malicious code and inflict the usual nasty tricks on the victimised PC.
Google’s claim is that because this is already being leveraged, users need protection as soon as possible, and hence the firm is justified in shining the spotlight on this vulnerability.
- In spite of this, the Surface Pro 4 is still thriving
Levels of complexity
However, it’s all very well pointing to Adobe’s prompt fixing of its security hole, but the truth is that with a sprawling OS like Windows, any patch is bound to be a far trickier affair to implement.
As mentioned, Microsoft has certainly kicked off about this, and in an email statement to VentureBeat (opens in new tab) the company said: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
Do note that if you’re on Windows 10 running the Chrome browser, then Google observes: “Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
But clearly this is something that Microsoft needs to patch quickly, particularly now knowledge of the flaw has spread across the net.