A little over one week after first discovering a zero-day vulnerability in Microsoft, Google has revealed its own fix – though the problem remains outside of Chrome.
Microsoft doesn’t seem too pleased with Google after the latter’s revelations of a particularly concerning zero-day Adobe Flash vulnerability.
Giving both Adobe and Microsoft a seven-day grace period to find a patch and fix the flaw, Google actually waited 10 days before posting a blog on the subject yesterday.
By then Adobe updated its Flash, Google incorporated that into its latest Chrome update and all was well. As yet, though, Microsoft has not done likewise.
Neel Mehta and Billy Leonard of Google’s threat analysis group said this vulnerability is “particularly serious because we know it is being actively exploited”.
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape,” said the duo.
“It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
The duo said users should check their auto-update settings and make sure the updated fixes have been applied and, for those who update manually, hurry up. Also, “apply Windows patches from Microsoft when they become available for the Windows vulnerability”.
Windows is less than pleased, though, saying the public disclosure encourages bad guys and puts good guys at risk.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat.
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”