Google has disclosed a critical vulnerability in the Windows operating system. The very serious vulnerability, which has yet to receive a fix, is being actively exploited by attackers.
Before making it public, Google reported this zero-day vulnerability to Microsoft on 21 October. A zero-day vulnerability is a publicly disclosed security flaw that was not previously known and for which the software maker has yet to release a patch. The vulnerability is being exploited in the wild, and attackers have already written code to gain access to Windows systems.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD," explained Neel Mehta and Billy Leonard from the threat analysis group at Google.
"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability," they said.
Google recommends that users apply the Windows patches whenever Microsoft releases them.
Microsoft, meanwhile, said it is aware of the vulnerability and suggests consumers use Windows 10 and Edge for protection against the attack.
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection," a Microsoft spokesperson told VentureBeat in a statement.
Google reported another zero-day vulnerability to Adobe, for which the company released updates to its Flash Player on 26 October. The security updates are for Adobe Flash Player for Windows, Linux, Macintosh and Chrome OS and address a critical vulnerability that could allow attackers to take control of the affected system.
Adobe users are advised to verify whether the auto-updater has already updated Flash. If not, they can consider manually installing the updates.
"Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10," the company said in a statement.