Google reveals unpatched Windows bug that hackers are exploiting (update)
And it may have done so a bit too soon.
Google has revealed that it came across previously undiscovered Flash and Windows vulnerabilities in October, and one of them remains unpatched. The tech titan gave both Adobe and Microsoft a heads-up on October 21st -- Adobe issued a fix on October 26th through a Flash update, but Microsoft hasn't released one for its platform yet. The real problem is, according to Google, that unpatched Windows flaw is "being actively exploited."
Google describes the Windows flaw as follows:
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
As VentureBeat mentioned, however, it's a lot easier to come up with a fix for Flash than for a full operating system. Ten days might not have been enough time at all for Microsoft to address the problem. Redmond's statement to VB echoes the one it issued in 2015 when Google exposed another flaw a bit too soon. A spokesperson said Mountain View's move "puts customers at potential risk" since more people now know that there's a new vulnerability they can exploit:
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
As for why the big G decided to reveal the flaw even though it could put people at risk, it's all because of the company's existing policy for actively exploited critical vulnerabilities. That policy states that Google will disclose vulnerabilities merely seven days after reporting it to the developer. Microsoft clarified to VB, though, that the Flash bug is needed in order to exploit the Windows flaw. So make sure to update Flash if you haven't done so in the past few weeks while waiting for Microsoft to release a patch.
Update (11/01/16): A Microsoft spokesperson told us that the company doesn't agree with Google's assessment and that the security enhancements brought by Windows 10 Anniversary update protected computers from the vulnerability. If you want to be very sure, though, keep an eye out for the patch the company promises to release on November 8th.
"We disagree with Google's characterization of a local Elevation of Privilege as "critical" and "particularly serious," since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented."
