Google’s Threat Analysis Group has revealed that it had discovered a massive zero-day vulnerability – described as “particularly serious – in Microsoft’s Windows 10 operating system, ten days after it informed Microsoft of the issue directly.
The vulnerability could potentially affect millions of computers, and Microsoft is yet to patch the issue. The same investigation that uncovered the vulnerability in Windows 10 found a similar one within Flash Player, which Adobe promptly patched.
“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities — to Adobe and Microsoft,” the Threat Analysis Group writes. “Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.”
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” the team reveals. “This vulnerability is particularly serious because we know it is being actively exploited.”
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape,” the post adds. “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
Microsoft is yet to publicly comment on the vulnerability, but it would be best advised to issue an emergency fix quickly, rather than wait for its scheduled Windows Update monthly rollup.
