Google's Threat Analysis Group has made a serious Windows vulnerability public just 10 days after reporting the bug to Microsoft. The search giant says the new system-level bug in Windows is being actively exploited, and Microsoft has not yet issued any advisory or fix.
Google notes that the newly discovered Windows bug can easily be triggered to escape a security sandbox by calling a Win32k system call. Google is categorically marking the Win32k bug as a 0-day vulnerability, one that is being disclosed publicly for the first time while no patch is available. Google has already patched Chrome to block the offending Win32k system calls, using the Win32k lockdown mitigation on Windows 10. However, Microsoft has yet to issue a system-wide update for this critical vulnerability.
Google's description for the Windows vulnerability is as follows, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
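The mitigation Google credits, Win32k lockdown, is the per-process system-call-disable policy that Windows 10 also exposes to administrators through Exploit Protection. Chrome applies it to its renderer processes at launch (the browser process passes the `PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON` attribute when creating the child), so the exploit path through `win32k.sys` is simply unavailable inside the sandbox. The following PowerShell is an added example, not code from the article, Google or Microsoft: it reports whether a given executable already has the policy set and optionally enforces it, using the `Get-ProcessMitigation` and `Set-ProcessMitigation` cmdlets from the ProcessMitigations module that ships with Windows 10 version 1709 and later. The target image name `worker.exe` is a constructed placeholder, and the `SystemCall.DisableWin32kSystemCalls` property path on the `Get-ProcessMitigation` output is my assumption about the shape of that object.

```powershell
# Added example (not from the article): inspect and enforce Win32k lockdown,
# the "Disable Win32k system calls" Exploit Protection mitigation, for one
# executable image. Requires Windows 10 1709 or later; Set-ProcessMitigation
# needs an elevated shell.
param(
    [string]$ExeName = "worker.exe",   # constructed placeholder image name
    [switch]$Enforce                   # apply the policy instead of only reporting
)

Import-Module ProcessMitigations -ErrorAction Stop

function Get-Win32kLockdownState {
    param([string]$Name)
    $policy = Get-ProcessMitigation -Name $Name
    # Assumption: the SystemCall section of the returned object carries the
    # DisableWin32kSystemCalls flag with values NOTSET, ON or OFF.
    return [string]$policy.SystemCall.DisableWin32kSystemCalls
}

$state = Get-Win32kLockdownState -Name $ExeName
Write-Host "$ExeName  DisableWin32kSystemCalls = $state"

if ($Enforce -and $state -ne "ON") {
    # An image-wide policy applies to every process started from this binary.
    # Anything that creates windows or draws with GDI/USER32 will break, which
    # is why Chrome enables the policy only on its renderer children rather
    # than on chrome.exe as a whole. Roll out in audit mode first and review
    # the resulting Security-Mitigations event log entries before enforcing:
    #   Set-ProcessMitigation -Name $ExeName -Enable AuditSystemCall
    Set-ProcessMitigation -Name $ExeName -Enable DisableWin32kSystemCalls
    Write-Host "Enabled Win32k lockdown for $ExeName; re-run without -Enforce to verify."
}
```

Run it without `-Enforce` to get a one-line status for the image, and with `-Enforce` to set the policy. The same setting can be exported and pushed fleet-wide with `Get-ProcessMitigation -RegistryConfigFilePath` and `Set-ProcessMitigation -PolicyFilePath`, but the audit-first caveat in the comments applies even more strongly at that scale.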
In a security blog post, Google also mentions that in order to reach the Windows flaw, attackers first need to exploit an Adobe Flash vulnerability, which Adobe has already fixed. While Google's seven-day disclosure window for actively exploited bugs is debatable, Microsoft is unhappy with Google's decision to go public. In a statement to VentureBeat, the company says, "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk."
While Google's disclosure will force Microsoft to fix the issue, public knowledge of the bug could allow attackers to develop their own exploit code and compromise critical systems before a patch ships. The larger question here is whether a week is enough time for any software company to issue a fix.