Google’s Threat Analysis Group has just publicly disclosed a critical vulnerability in Windows after fixing it on its own end in Chrome. Put simply, the exploit is triggered through the win32k subsystem and allows attackers to escape the security sandbox and escalate local privileges in the Windows kernel. By blocking win32k system calls, Google fixed the issue within the Chrome browser.
Google had actually reported the bug to Microsoft first, but went public after 10 days, before Microsoft could patch the vulnerability and roll the fix out to customers’ machines. This shows that Google preferred to fix its own application, protecting Chrome users, before going public. Hence the Windows vulnerability remains unpatched and, because of Google’s public disclosure, is more severe than before.
Another part of the bug involves Adobe Flash Player, which has already been patched and released to users. Once such a critical vulnerability goes public before a patch is available, malicious actors may try to find ways to exploit it, which is why it is even more severe than before, and Microsoft now has no choice but to patch the vulnerability as soon as possible and roll it out to customers. Remember that this is not a quick process: it involves as much testing as actual patch code, and unfortunately 10 days should not have been considered enough; Google could have waited a little longer. Google described this particular Windows vulnerability as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
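The Win32k lockdown mitigation described above is exposed on newer Windows builds through the Exploit Guard cmdlets. The following script is an added example, not code from the article, Google or Microsoft: it audits whether that lockdown is configured for a list of executables. It assumes Windows 10 1709 or later with Get-ProcessMitigation available and that the returned object exposes the setting as SystemCall.DisableWin32kSystemCalls.

```powershell
<#
  Added example (not from the article): audit whether the Win32k system-call
  lockdown that Chrome's sandbox applies to its renderer processes is configured
  for a set of executables.
  Assumptions: Windows 10 1709+ with the Windows Defender Exploit Guard cmdlet
  Get-ProcessMitigation, and that its output exposes the mitigation under
  SystemCall.DisableWin32kSystemCalls (values ON / OFF / NOTSET).
#>
param(
    # Executables to check; this list is a constructed sample.
    [string[]]$ExeNames = @('chrome.exe', 'msedge.exe', 'notepad.exe')
)

function Get-Win32kLockdownState {
    param([string]$ExeName)
    try {
        $mit   = Get-ProcessMitigation -Name $ExeName -ErrorAction Stop
        $state = $mit.SystemCall.DisableWin32kSystemCalls
        if ([string]::IsNullOrEmpty($state)) { $state = 'NOTSET' }
    } catch {
        # No per-process configuration or the cmdlet is unavailable on this build.
        $state = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Executable               = $ExeName
        DisableWin32kSystemCalls = $state
    }
}

$results = foreach ($exe in $ExeNames) { Get-Win32kLockdownState -ExeName $exe }
$results | Format-Table -AutoSize

# Caveat: this mitigation removes access to user32/GDI, so a GUI process with it
# enforced cannot draw windows. Chrome applies it only to sandboxed renderer
# processes; do not enforce it process-wide on a browser's main executable.
```

A state of ON for an executable means every process started from it is denied win32k.sys system calls, which is the same class of call this sandbox escape relies on.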
Also note that Google has its own 7-day disclosure policy for actively exploited critical vulnerabilities, and in light of that, Google gave Microsoft an additional 3 days before going public. Google claims the vulnerability was being actively exploited, which led it to follow that policy. However, according to reports, Google’s 7-day policy has been controversial precisely because of the nature of such exploits, which must be patched in the whole operating system.
Responding later to VentureBeat, Microsoft issued a statement: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk.” Microsoft also added: “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
Historically, Google has tended to disclose Windows vulnerabilities this way; the company previously did the same for Windows 8.1 twice.
Update: Terry Myerson, executive vice president of Microsoft’s Windows and Devices Group, has also reported that Windows 10 Anniversary Update users are not affected by the vulnerability. Myerson also criticized Google for not being responsible towards users. He also noted that the patch will be applied to all versions of Windows and is being tested by many industry participants. If all goes according to plan, Microsoft will release the patches publicly on the next Update Tuesday, November 8th.