Security News Google Discloses Critical Windows Zero-Day That Makes All Users Vulnerable

Omnipotent

Thread author
Google has once again publicly disclosed a zero-day vulnerability in current versions of the Windows operating system before Microsoft has a patch ready.

Yes, the critical zero-day is unpatched and is being used by attackers in the wild.

Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the chocolate factory little time to patch issues and deploy a fix.

According to a blog post by Microsoft's Threat Analysis Group, the reason behind going public is that it has seen exploits for the vulnerability in the wild and according to its internal policy, companies should patch or publicly report such bugs after seven days.

Windows Zero-Day is Actively being Exploited in the Wild

The zero-day is a local privilege escalation vulnerability that exists in the Windows operating system kernel. If exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised system.

The flaw "can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD," Google's Neel Mehta and Billy Leonard said in a blog post.

"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

The blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft. Adobe pushed an emergency patch for its software last Wednesday.

The Flash Player bug was also being exploited in the wild against organizations in targeted attacks. According to Adobe, the flaw affected Windows 7, 8.1 and 10 systems.

Since the Windows zero-day vulnerability is being actively exploited in the wild, Google shared only basic details about the bug on Monday.

Microsoft Has Yet to Roll Out a Fix

Needless to say, Microsoft is not at all happy about the disclosure.

In response, Microsoft said Google's disclosure has potentially placed customers at risk, adding that the company believes in coordinated vulnerability disclosure.

"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk," a Microsoft spokesperson said in a statement. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Microsoft has not provided any details as to when the company will roll out a fix for the flaw.

This is not the very first time that Google and Microsoft have been at odds over vulnerability disclosure. Microsoft has a long history of bungling patches, so the move could eventually lead the company into quickly rolling out an update.

Meanwhile, users are advised to update their Flash software now and apply Windows patches as soon as they become available.
 

soccer97

Many vulnerabilities are reported to the vendor/company through responsible disclosure such as through the Zero Day Initiative. ZDI is now part of Trend Micro. It gives the vendors 4 months to create a patch and release it (they can also ask for an extension for extenuating circumstances). After that timeframe, it is released to the public. This seems to create an incentive to get things patched timely.

The person who discovered the vuln is paid for responsibly disclosing the vuln instead of publishing it otherwise.

Sometimes security doesn't take priority. Look at all of the upcoming Adobe and Foxit Advisories about to be issued: Zero Day Initiative

There are multiple channels for reporting them responsibly. ZDI is an initiative for researchers to be rewarded and for "temporary vaccines" to be released to customers to help mitigate the attack.

Just an FYI.
 
jamescv7

Instead of Microsoft whining about Google's action on the vulnerabilities exposed, why not be thankful instead? That will help to improve the product and make their own move to find holes in the counterpart.
 