Google makes Windows vulnerability public before Microsoft could issue a patch

By Karthekayan Iyer | Published on 01 Nov 2016
Google makes Windows vulnerability public before Microsoft could issue a patch

Google's seven day windows for fixing the bug is debatable, but making it public will push Microsoft to fix it now.

Experience great storytelling anytime, anywhere on Audible

Feel the thrill of the best stories and more with Audible. Start your 30-day Free trial now to get your Free Audiobook! Monthly ₹199 thereafter.

Click here to know more

Google's Threat Analysis Group has made a serious Windows vulnerability public just 10 days after reporting the bug to Microsoft. The Search giant says the new system level bug on Windows is being actively exploited and Microsoft has not issued any active advisory or fix yet.

Google notes the newly discovered Windows bug can easily be triggered to escape security sandboxing by calling the Win32 system call. Google is categorically marking the Win32 system bug as a 0-day vulnerability, the one that is publicly disclosed for the first time. Google has patched Chrome to block the Win32 system threat calls, using the Win32k lockdown mitigation on Windows 10. However, Microsoft is yet to issue a system wide update for this critical vulnerability.

Google's description for the Windows vulnerability is as follows, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

In a security blog post, Google also mentions that in order to trigger the Windows flaw, criminals would need to root the Adobe Flash vulnerability, which Adobe has fixed already. While Google's seven day window before making the bug public is debatable, Microsoft is not liking Google's disclosure. In a statement to VentureBeat, the company says, "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk."

While Google's disclosure will force Microsoft to fix the issue, the knowledge of the bug in public could allow attackers to develop new codes and exploit critical systems. The larger question here is whether a week's time would be enough for any software company to issue a fix.

Karthekayan Iyer

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.

We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry. Protection Status