October 31, 2016
Google has once again publicly disclosed a zero-day vulnerability in current versions of Windows operating system before Microsoft has a patch ready.
Yes, the critical zero-day is unpatched and is being used by attackers in the wild.
Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the chocolate factory little time to patch issues and deploy a fix.
According to a blog post by Google’s Threat Analysis Group, the reason behind going public is that it has seen exploits for the vulnerability in the wild and according to its internal policy, companies should patch or publicly report such bugs after seven days.
Windows Zero-Day is Actively being Exploited in the Wild
The zero-day is a local privilege escalation vulnerability that exists in the Windows operating system kernel. If exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised system.
The flaw “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” Google’s Neel Mehta and Billy Leonard said in a blog post.
“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
The blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft. Adobe pushed an emergency patch for its software last Wednesday.
The Flash Player bug was also being exploited in the wild against organizations in targeted attacks. According to Adobe, the flaw affected Windows 7, 8.1 and 10 systems.