Google discloses Windows, Flash issues being actively exploited
MANILA, Philippines – Google on Monday, October 31, reported two zero-day vulnerabilities – vulnerabilities that were previously not publicly known – requiring attention from Adobe and Microsoft.
Google told Adobe and Microsoft about the vulnerabilities on October 21, giving both 10 days to work on a fix before publicly disclosing the issues.
While Adobe updated Flash within 5 days – the Common Vulnerabilities and Exposures (CVE) number for the Flash issue is CVE-2016-7855 – Microsoft has yet to announce the availability of a patch for its vulnerability as of press time.
This is cause for concern as Google said the Windows vulnerability was already being exploited in the wild.
Google explained the Windows vulnerability as "a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
It should be noted that updating Flash is likely to be less time-consuming than updating an operating system. Google's policy of giving 7 days of lead time to fix critical vulnerabilities is also a bit of a sore spot for tech companies, as it takes time to write the code, test it, and then issue the patch to users.
A VentureBeat report pointed to a statement from a Microsoft spokesperson, which said, "We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk."
The spokesperson added, "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft, however, has yet to issue information on a timeline for a patch to the security flaw.
According to VentureBeat, a source close to the company said the exploit Google mentioned required the Adobe Flash vulnerability. Because Flash has been patched, the Windows vulnerability is mitigated.
Microsoft will still have to patch the issue, though, as leaving it unpatched could allow it to be used in future attacks. – Rappler.com