Home » News » General » Google makes Windows vulnerability public before Microsoft could issue a patch

Google makes Windows vulnerability public before Microsoft could issue a patch

By Karthekayan Iyer | Updated on 04-Nov-2016
Google makes Windows vulnerability public before Microsoft could issue a patch
Karthekayan Iyer Karthekayan Iyer
01 Nov 2016 15:09
HIGHLIGHTS

Google's seven day windows for fixing the bug is debatable, but making it public will push Microsoft to fix it now.

Google's Threat Analysis Group has made a serious Windows vulnerability public just 10 days after reporting the bug to Microsoft. The Search giant says the new system level bug on Windows is being actively exploited and Microsoft has not issued any active advisory or fix yet.

Google notes the newly discovered Windows bug can easily be triggered to escape security sandboxing by calling the Win32 system call. Google is categorically marking the Win32 system bug as a 0-day vulnerability, the one that is publicly disclosed for the first time. Google has patched Chrome to block the Win32 system threat calls, using the Win32k lockdown mitigation on Windows 10. However, Microsoft is yet to issue a system wide update for this critical vulnerability.

Google's description for the Windows vulnerability is as follows, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

In a security blog post, Google also mentions that in order to trigger the Windows flaw, criminals would need to root the Adobe Flash vulnerability, which Adobe has fixed already. While Google's seven day window before making the bug public is debatable, Microsoft is not liking Google's disclosure. In a statement to VentureBeat, the company says, "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk."

While Google's disclosure will force Microsoft to fix the issue, the knowledge of the bug in public could allow attackers to develop new codes and exploit critical systems. The larger question here is whether a week's time would be enough for any software company to issue a fix.

Karthekayan Iyer

Karthekayan Iyer

New Mobiles
Apple IPhone 15Redmi 12 5GRealme 11 Pro+ 5GApple IPhone 15 PlusNothing Phone 2
Top-10s
Best Mobile Phones under 15,000Best Mobile Phones under 20,000Best Mobile Phones Under 10,000Best Mobile PhonesBest 5G Mobile Phones
Terms of Use Privacy Policy About Us Advertise with us Contact Us SiteMap Current / Past Issue Magazine Subscription
9.9 Group

Digit.in is one of the most trusted and popular technology media portals in India. At Digit it is our goal to help Indian technology users decide what tech products they should buy. We do this by testing thousands of products in our two test labs in Noida and Mumbai, to arrive at indepth and unbiased buying advice for millions of Indians.

We are about leadership – the 9.9 kind Building a leading media company out of India. And, grooming new leaders for this promising industry.

logo logo logo logo logo logo
Copyright © 2007-24 9.9 Group Pvt.Ltd.All Rights Reserved.
Digit.in
Logo
Digit.in
Logo