Google makes Windows vulnerability public before Microsoft could issue a patch
Google's seven day windows for fixing the bug is debatable, but making it public will push Microsoft to fix it now.
Google's Threat Analysis Group has made a serious Windows vulnerability public just 10 days after reporting the bug to Microsoft. The Search giant says the new system level bug on Windows is being actively exploited and Microsoft has not issued any active advisory or fix yet.
Google notes the newly discovered Windows bug can easily be triggered to escape security sandboxing by calling the Win32 system call. Google is categorically marking the Win32 system bug as a 0-day vulnerability, the one that is publicly disclosed for the first time. Google has patched Chrome to block the Win32 system threat calls, using the Win32k lockdown mitigation on Windows 10. However, Microsoft is yet to issue a system wide update for this critical vulnerability.
Google's description for the Windows vulnerability is as follows, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
In a security blog post, Google also mentions that in order to trigger the Windows flaw, criminals would need to root the Adobe Flash vulnerability, which Adobe has fixed already. While Google's seven day window before making the bug public is debatable, Microsoft is not liking Google's disclosure. In a statement to VentureBeat, the company says, "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk."
While Google's disclosure will force Microsoft to fix the issue, the knowledge of the bug in public could allow attackers to develop new codes and exploit critical systems. The larger question here is whether a week's time would be enough for any software company to issue a fix.
Other Popular Deals
Interesting Galleries
Top launches of the week: May 22, 2015
6 weird inventions that tried too hard
Top launches of the week: June 5, 2015
Top launches of the week: June 12, 2015
Top launches of the week: May 29, 2015
Top stories of the week: May 22, 2015
Top stories of the week: May 29, 2015
The Intel Compute Stick, in pictures
Top stories of the week : June 12, 2015
Top stories of the week: June 5, 2015
In pictures: ETI Dynamic's Solar Electric Hybrid Vehicle
17 upcoming movies of 2015 that have us excited
5 great gadget deals under Rs 10,000
Top stories of the week: May 15, 2015
Best tech you can buy on a budget
Top launches of the week: May 15, 2015
Google's Threat Analysis Group has made a serious Windows vulnerability public just 10 days after reporting the bug to Microsoft. The Search giant says the new system level bug on Windows is being...
---------------------------------------------------------------------------
Visit this link to stop these emails: http://zpr.io/PnAEp
