Printer Friendly

Google makes Windows vulnerability public before Microsoft could issue a patch.

India, Nov. 1 -- Google's Threat Analysis Group has made a serious Windows vulnerability public just 10 days after reporting the bug to Microsoft. The Search giant says the new system level bug on Windows is being actively exploited and Microsoft has not issued any active advisory or fix yet.

Google notes the newly discovered Windows bug can easily be triggered to escape security sandboxing by calling the Win32 system call. Google is categorically marking the Win32 system bug as a 0-day vulnerability, the one that is publicly disclosed for the first time. Google has patched Chrome to block the Win32 system threat calls, using the Win32k lockdown mitigation on Windows 10. However, Microsoft is yet to issue a system wide update for this critical vulnerability.

Google's description for the Windows vulnerability is as follows, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

In a security blog post, Google also mentions that in order to trigger the Windows flaw, criminals would need to root the Adobe Flash vulnerability, which Adobe has fixed already. While Google's seven day window before making the bug public is debatable, Microsoft is not liking Google's disclosure. In a statement to VentureBeat, the company says, "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk."

While Google's disclosure will force Microsoft to fix the issue, the knowledge of the bug in public could allow attackers to develop new codes and exploit critical systems. The larger question here is whether a week's time would be enough for any software company to issue a fix.

Published by HT Syndication with permission from Digit.

Copyright [c] HT Media Ltd. Provided by SyndiGate Media Inc. ( Syndigate.info ).

COPYRIGHT 2016 SyndiGate Media Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2016 Gale, Cengage Learning. All rights reserved.

 
Article Details
Printer friendly Cite/link Email Feedback
Publication:Digit
Date:Nov 1, 2016
Words:345
Previous Article:Apple's older 12-inch Macbooks are going to cost you more now.
Next Article:OnePlus 4 with Snapdragon 830 may launch in mid-2017.
Topics:

Terms of use | Privacy policy | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters