Google reveals actively exploited Windows vulnerability

Redmond was given only ten days to fix the issue before Google went public with its notice.
Written by Chris Duckett, Contributor

Google's Threat Analysis Group has disclosed a Windows kernel vulnerability that the company says is being actively exploited. The vulnerability was discovered alongside yet another Adobe Flash vulnerability.

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," Google's Neel Mehta and Billy Leonard said in a blog post.

"It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
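The mitigation named in that quote is something a practitioner can check for directly. The PowerShell below is an added example, not code from Google's post or from this article; it assumes Windows 10 version 1709 or later (the ProcessMitigations cmdlets postdate this article) and an elevated shell for the write step. It lists which running Chrome processes carry Win32k system-call lockdown, then opts a process image of your own into the same policy. The image name MyHeadlessWorker.exe is a placeholder.

```powershell
# Added example; not from Google's post or this article. Assumes Windows 10
# 1709+ (ProcessMitigations module) and an elevated shell for Set-ProcessMitigation.
# 'MyHeadlessWorker.exe' is a placeholder for a process that never touches
# USER/GDI; a GUI process (or Chrome's browser/broker process) would crash under it.

# 1. Which running Chrome processes have the lockdown? Chrome sets it on its
#    sandboxed renderers itself; the browser (broker) process has no --type=
#    switch on its command line and must keep win32k access.
Get-Process -Name chrome -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
    $type = if ($cmd -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
    $m    = Get-ProcessMitigation -Id $_.Id
    [pscustomobject]@{
        Pid                      = $_.Id
        Type                     = $type
        DisableWin32kSystemCalls = $m.SystemCall.DisableWin32kSystemCalls
    }
} | Format-Table -AutoSize

# 2. Opt a headless image into the same lockdown for every future launch.
#    Only a process that makes no win32k calls survives this setting.
Set-ProcessMitigation -Name 'MyHeadlessWorker.exe' -Enable DisableWin32kSystemCalls

# 3. Confirm the per-image policy that was just written (expect ON).
(Get-ProcessMitigation -Name 'MyHeadlessWorker.exe').SystemCall
```

Step 1 is a check only: Chrome applies the lockdown to its renderers from inside its own sandbox setup, so there is nothing to set on chrome.exe, and setting it per image would take down the broker process. Step 2 is the opt-in for a service or worker that does no window or GDI work, which is the only kind of process this mitigation is viable for.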

The pair of researchers said they were disclosing the still-unpatched vulnerability in line with the company's disclosure policy for critical vulnerabilities under active exploitation.

"Based on our experience, however, we believe that more urgent action -- within seven days -- is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day, an actively exploited vulnerability remains undisclosed to the public, and unpatched, more computers will be compromised," the company states.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information."

Last week, Google's Project Zero released the details of a use-after-free vulnerability in XNU, the open-source kernel underlying iOS and MacOS.

"This bug could be leveraged for kernel memory corruption, and is reachable from interesting sandboxes including Safari and Chrome," Project Zero's Ian Beer wrote in a bug report.

Fixing the bug required Apple to undertake a large amount of refactoring work; the fix shipped in last week's MacOS 10.12.1 release, while iOS 10 received a mitigation in September.

On its disclosure timeline, Google revealed that it had been set to disclose the XNU vulnerability on September 21 despite multiple requests from Cupertino to hold off, but that following a discussion between "senior leadership" at both Google and Apple, it granted Apple a "five-week flexible disclosure extension".
