Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Discloses Windows Zero-Day Vulnerability

Google has disclosed a Windows zero-day vulnerability after Microsoft failed to release a patch within the 7-day deadline the search giant gives vendors when it finds a flaw that is actively exploited by malicious actors.

Google has disclosed a Windows zero-day vulnerability after Microsoft failed to release a patch within the 7-day deadline the search giant gives vendors when it finds a flaw that is actively exploited by malicious actors.

Google researchers discovered recently that the Windows kernel is affected by a local privilege escalation vulnerability that allows attackers to escape the sandbox.

“[The vulnerability] can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google said in a blog post on Monday.

Google typically gives companies 90 days to patch vulnerabilities found by its researchers, but vendors are advised to develop fixes or at least provide workarounds within 60 days if the flaw is critical. However, if a security hole is being exploited in the wild, vendors only get 7 days to take action.

On October 21, Google informed Microsoft and Adobe of Windows and Flash Player vulnerabilities that had been actively exploited. Adobe managed to patch Flash Player a few days later, but Microsoft still hasn’t released a fix or an advisory.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” a Microsoft spokesperson said in an emailed statement.

In the case of Adobe, Google discovered that malicious actors had been exploiting a use-after-free vulnerability (CVE-2016-7855) in limited, targeted attacks aimed at users running Windows 7, 8.1 and 10.

The patches released by Microsoft in October addressed a total of four vulnerabilities exploited in the wild, including weaknesses leveraged by advanced persistent threat (APT) actors in cyber espionage operations and by profit-driven cybercriminals in malvertising attacks.

Advertisement. Scroll to continue reading.

This is not the first time Google has disclosed Windows vulnerabilities before Microsoft could release a patch. In late 2014 and early 2015, Google Project Zero published the details of several flaws after the 90-day deadline expired. At the time, the company made some changes to its disclosure policy after being criticized by some members of the industry.

*Updated with statement from Microsoft

Related: Zero-Day Patched by Microsoft Used for Malvertising Since 2014

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.