A Windows zero-day vulnerability is being used in an unknown number of attacks, Google disclosed today, 10 days after it privately reported the issue to Microsoft.

Google’s disclosure follows its internal policy, which states that companies should fix or publicly report flaws that are under attack after seven days.

Microsoft has yet to issue an advisory—or patch—for the flaw, which Google says is a local privilege escalation vulnerability in the Windows kernel. The vulnerability can be used to escape the sandbox and execute code on the compromised machine. Microsoft said Google’s disclosure puts customers at risk.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

A request for additional comment from Google was not answered in time for publication.

Google researchers Neel Mehta and Billy Leonard of the company’s Threat Analysis Group said they disclosed the vulnerability to Microsoft on Oct. 21, the same day Google also disclosed a separate code execution flaw in Flash Player to Adobe. Adobe rushed an emergency patch last Wednesday for CVE-2016-7855; it too was being used against organizations in targeted attacks. The Flash Player bug affected Windows 7, 8.1 and 10 systems, Adobe said.

Google shared few details on the bug, essentially sharing its existence with users and simultaneously putting pressure on Microsoft to rush a fix of its own. Google’s scant description of the bug:

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Google said the vulnerability is mitigated in the Chrome browser.

“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google said.

Google’s disclosure policy gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations. The policy was published in 2013 and included the seven-day deadline on critical flaws under active exploitation.

“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google said at the time. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”

Google has not been shy about acting on its strict deadlines. In early 2015, Google published details on three Windows bugs days ahead of Patch Tuesday, forcing a stern response from Microsoft calling for improved coordinated disclosure. Weeks later, Google disclosed details on three OS X bugs that exposed Macs to code execution. None of those vulnerabilities, however, were being publicly attacked like the vulnerability today.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said.

Categories: Vulnerabilities

Comments (6)

  1. Joel Zrolka
    2

    If the “Sandbox” stops applications from making changes (confines the application,) How can there be a “local privilege escalation vulnerability in the Windows kernel” from the application that is in the sandbox to begin with?

    Escalation is in permissions, how does the application vulnerability allow for “escape” from the sandbox to make changes to the kernel or permissions?

  2. Drew
    4

    Not sure how Microsoft’s refusal to issue a security patch in a timely fashion is Google’s fault. Google is blowing the whistle to get Microsoft moving on a fix, after giving them several days to do so in private.

    All this corporate BS about Microsoft being the only platform with a security commitment and so on. A commitment does not mean your system is secure, and clearly it doesn’t mean you take reported threats seriously.

    “Use Windows 10 and the Edge browser for the best protection.”

    No thanks. I’ll keep Ubuntu and Firefox.

    • S
      5

      Where did you read of a “Microsoft refusal to issue a security patch”?

      Everything I’ve read indicates that Microsoft has been working on a patch since Google’s initial reporting to Microsoft. We can criticize Microsoft if that’s not the case, but there is no benefit to demonize them for things that aren’t true.

  3. Anonymous
    6

    “use Windows 10 and the Microsoft Edge browser for the best protection” We should use the browser tied to the OS, less isolated from the vulnerability? I’d argue that this is exactly why we shouldn’t use IE/Edge/Safari.

Comments are closed.