Google has gone public, disclosing a pair of critical software vulnerabilities, that are being actively exploited in the wild, "to protect users". Via the Google Security Blog the Mountain View tech firm revealed that it had reported zero-day vulnerabilities to Microsoft and Adobe on Friday 21st October. While Adobe updated Flash on 26th October, Microsoft has yet to act to patch its Windows local privilege escalation vulnerability.
In Google's words "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
We haven't been given any further information about how the above described Microsoft vulnerability is being exploited in the wild. However, it could be said that Adobe has managed to update its software in a much more timely manner, as its Flash plugin is a much less complex piece of software than the Windows OS.
Microsoft admittedly hasn't released any fix or detailed advisory as yet but a few hours ago it told VentureBeat "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk." The Microsoft spokesperson added that "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection".
Further indications from VentureBeat's source suggest that the Windows vulnerability piggybacked off the vulnerable Flash plugin so is mitigated by Adobe's swift action.
The above news has echoes of a spat between Google and Microsoft in January 2015. At that time Microsoft criticised Google Project Zero's inflexibility.