Google took to its Security Blog yesterday to announce that it had recently found a couple of vulnerabilities in Flash and the Windows kernel. It’s standard practice for the search giant, except that it hardly allowed Microsoft any time to patch the issue.
The company described the Windows bug thusly:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
As per its policy, Google discloses critical security flaws seven days after notifying the concerned organizations about them. However, that’s not a lot of time for Microsoft to fix a bug that affects an entire operating system.
Microsoft said in a statement to VentureBeat that this sort of hurried disclosure could lead to trouble for users, as the security flaw is being actively exploited:
We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.
It’s worth noting that the Flash vulnerability is needed to exploit the Windows bug; if you’re worried about this issue, you can protect yourself by updating your Flash plugin to the latest version, which has already been patched.
Update: Microsoft announced that it will release a patch for this vulnerability on November 8. It also acknowledged that a hacking group known as STRONTIUM exploited the flaw to conduct a low-volume spear-phishing campaign, but didn’t identify any victims. STRONTIUM has previously been linked to Russia, following disruptive cyber attacks aimed at foiling the upcoming US election.