Google publicly discloses critical Windows vulnerability

After informing Microsoft about a critical Windows vulnerability on 21 October, Google has now publicly disclosed the security flaw despite the fact that Microsoft has yet to release a patch to fix it.

Cyber attackers are currently exploiting the zero-day vulnerability as a result of the public disclosure, which has put Windows users at a higher risk of being attacked than they were before Google decided to openly share its discovery of the security flaw.

The 10-day window offered by the company was not nearly long enough for Microsoft to develop and release a patch to fix the vulnerability. Generally, Google's policy is to wait seven days before publicly disclosing any security flaws it finds. This practice is quite controversial as it means that companies and their developers have an extremely short window of time in which to update their software before the company informs both users and potential attackers.

Google offered more details regarding the vulnerability and how it can be used to take over a user's system, saying: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowsLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

Though Microsoft has not yet released a patch for this newly discovered vulnerability, it has released a statement in which it responded to how Google has endangered Windows users by publicly disclosing details about the security flaw, saying: “We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Around the same time that it discovered the Windows security flaw, Google also discovered a vulnerability in Adobe's web plugin Flash. However, in that case it was much easier for Adobe to develop and release a timely patch than it would be for Microsoft to do so now. 

Anthony Spadafora
After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.