Google reveals actively exploited unpatched Windows flaw

by Mark Tyson on 1 November 2016, 10:01

Tags: Google (NASDAQ:GOOG), Microsoft (NASDAQ:MSFT), Adobe (NASDAQ:ADBE)

Quick Link: HEXUS.net/qadamk

Add to My Vault: x

Google has gone public, disclosing a pair of critical software vulnerabilities, that are being actively exploited in the wild, "to protect users". Via the Google Security Blog the Mountain View tech firm revealed that it had reported zero-day vulnerabilities to Microsoft and Adobe on Friday 21st October. While Adobe updated Flash on 26th October, Microsoft has yet to act to patch its Windows local privilege escalation vulnerability.

In Google's words "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

We haven't been given any further information about how the above described Microsoft vulnerability is being exploited in the wild. However, it could be said that Adobe has managed to update its software in a much more timely manner, as its Flash plugin is a much less complex piece of software than the Windows OS.

Microsoft admittedly hasn't released any fix or detailed advisory as yet but a few hours ago it told VentureBeat "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk." The Microsoft spokesperson added that "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection".

Further indications from VentureBeat's source suggest that the Windows vulnerability piggybacked off the vulnerable Flash plugin so is mitigated by Adobe's swift action.

The above news has echoes of a spat between Google and Microsoft in January 2015. At that time Microsoft criticised Google Project Zero's inflexibility.

HEXUS Forums :: 5 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by Ttaskmaster - Tue 01 Nov 2016 12:14
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

Can someone put that in simple English please?
I tried it in Google Translate, but got nothing… :D
Posted by qasdfdsaq - Tue 01 Nov 2016 12:55
Ttaskmaster
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

Can someone put that in simple English please?
I tried it in Google Translate, but got nothing… :D
A program running in a protected/sandboxed environment can escape and run code as the user or as an administrator by exploiting a bug in the way Windows handles window settings.

It doesn't work in Chrome because Chrome blocks the method and subsystem used to set window settings.
Posted by Ttaskmaster - Tue 01 Nov 2016 16:29
OK, yeah, that's a little concerning.
Posted by LSG501 - Tue 01 Nov 2016 22:59
While obviously the issue with Windows does need fixing I'd actually say what Google is doing announcing it after 7 days is worse because we all know it will take more than that to fix an os problem.

It's also a bit hypocritical to be announcing Windows issues when there's plenty of unpatched versions of their own OS out in the wild with just as serious consequences.
Posted by HollyDOL - Wed 02 Nov 2016 07:50
LSG501
While obviously the issue with Windows does need fixing I'd actually say what Google is doing announcing it after 7 days is worse because we all know it will take more than that to fix an os problem.

It's also a bit hypocritical to be announcing Windows issues when there's plenty of unpatched versions of their own OS out in the wild with just as serious consequences.

I have to agree. While the bug in Windows is serious, you still need malware to be downloaded and executed on victim computer. I _guess_ decent antivirus will be able to detect such a malware quite soon. Having a week to alter kernel, run all tests, validate on multitude of environments Windows run on, sign and publish… There is no chance to do that in a week… And the very people screaming about ‘end-of-world’ security hole would be screaming about ‘broken-and-ever-bugged’ system. Kernel is not a ms paint where if you screw something out, it's no biggy, it really needs time to be done properly and it's way too critical component to haste it.