Google has disclosed a security flaw in Windows yesterday; just 10 days after it gave Microsoft a heads-up on October 21st. On the same day, Google also warned Adobe about a Flash vulnerability that the company resolved through a Flash update on October 26th. However, the bad news is the Windows vulnerability remains unpatched. Google just made the news worse saying that the unpatched Windows vulnerability is “being actively exploited.” It means the code for this particular security flaw has already been written by the attackers, and they are using it to breach Windows systems.
Google explained this specific Windows vulnerability as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Well, it’s a lot easier for Adobe to come up with a Flash update than for Microsoft to fix the flaw in an operating system. No doubt, ten days aren’t enough for a company to come up with an updated operating system. As VentureBeat reported, Microsoft is very upset with this decision of Google and said the company simply put the customers at potential risk with this disclosure.
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” a Microsoft spokesperson told VentureBeat.
The reason why Google revealed this vulnerability, knowing that it could put customers at risk is their policy for actively exploited critical vulnerabilities. According to that policy, Google will reveal any security flaw to public merely seven days after reporting t to the developer. However, as Microsoft clarified to VentureBeat, the Flash flaw is required in order to exploit the Windows vulnerability. And it has been mitigated with the patch of Flash flaw. So, until Microsoft isn’t releasing a patch, it would be better if you update Flash.