A Windows zero-day vulnerability is being used in an unknown number of attacks, Google disclosed today, 10 days after it privately reported the issue to Microsoft. Google’s disclosure follows its internal policy, which states that companies should fix or publicly report flaws that are under attack after seven days.
Microsoft has yet to issue an advisory—or patch—for the flaw, which Google says is a local privilege escalation vulnerability in the Windows kernel. The vulnerability can be used to escape the sandbox and execute code on the compromised machine. Microsoft said Google’s disclosure puts customers at risk.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
A request for additional comment from Google was not answered in time for publication. Google researchers Neel Mehta and Billy Leonard of the company’s Threat Analysis Group said they disclosed the vulnerability to Microsoft on Oct. 21, the same day Google also disclosed a separate code execution flaw in Flash Player to Adobe. Adobe rushed an emergency patch last Wednesday for CVE-2016-7855; it too was being used against organizations in targeted attacks. The Flash Player bug affected Windows 7, 8.1 and 10 systems, Adobe said.
Google shared few details on the bug, essentially sharing its existence with users and simultaneously putting pressure on Microsoft to rush a fix of its own. Google’s scant description of the bug:
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
Google said the vulnerability is mitigated in the Chrome browser.
“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google said.
Google’s disclosure policy gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations. The policy was published in 2013 and included the seven-day deadline on critical flaws under active exploitation.
“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google said at the time. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”
Google has not been shy about acting on its strict deadlines. In early 2015, Google published details on three Windows bugs days ahead of Patch Tuesday, forcing a stern response from Microsoft calling for improved coordinated disclosure. Weeks later, Google disclosed details on three OS X bugs that exposed Macs to code execution. None of those vulnerabilities, however, were being publicly attacked like the vulnerability today.
“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said.