Google discloses Critical Windows Zero-Day that makes all Windows Users Vulnerable

Yes, the critical zero-day is unpatched and is being used by attackers in the wild.
Google made the public disclosure of the vulnerability just 10 days after privately reporting the issue to Microsoft, giving the chocolate factory little time to patch issues and deploy a fix.
According to a blog post by Google’s Threat Analysis Group, the reason behind going public is that it has seen exploits for the vulnerability in the wild and according to its internal policy, companies should patch or publicly report such bugs after seven days.
Windows Zero-Day is Actively being Exploited in the Wild
The zero-day is a local privilege escalation vulnerability that exists in the Windows operating system kernel. If exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised system.
The flaw “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” Google’s Neel Mehta and Billy Leonard said in a blog post.
“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdownmitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
The blog post also notes that Google reported a zero-day flaw (CVE-2016-7855) in Flash Player to Adobe at the same time as it contacted Microsoft. Adobe pushed an emergency patch for its software last Wednesday.
The Flash Player bug was also being exploited in the wild against organizations in targeted attacks. According to Adobe, the flaw affected Windows 7, 8.1 and 10 systems.
Since the Windows zero-day vulnerability is being actively exploited in the wild, Google shared only basic details about the bug on Monday.
Microsoft has yet to Rolled out a Fix

Needless to say, Microsoft is not at all happy about the disclosure.
In response, Microsoft said Google’s disclosure has potentially placed customers at risk, adding that the company believes in coordinated vulnerability disclosure.
 
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”Microsoft has not provided any details as to when the company will roll out a fix for the flaw.

This is not the very first time that Google and Microsoft have been at odds over vulnerability disclosure. Microsoft has a long history of bungling patches, so the move could eventually lead the company into quickly rolling out an update.
Meanwhile, users are advised to update their Flash software now and apply Windows patches as soon as they become available.

Google researchers discovered recently that the Windows kernel is affected by a local privilege escalation vulnerability that allows attackers to escape the sandbox.
“[The vulnerability] can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google said in a blog post on Monday.
Google typically gives companies 90 days to patch vulnerabilities found by its researchers, but vendors are advised to develop fixes or at least provide workarounds within 60 days if the flaw is critical. However, if a security hole is being exploited in the wild, vendors only get 7 days to take action.
On October 21, Google informed Microsoft and Adobe of Windows and Flash Player vulnerabilities that had been actively exploited. Adobe managed to patch Flash Player a few days later, but Microsoft still hasn’t released a fix or an advisory.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” a Microsoft spokesperson said in an emailed statement.
In the case of Adobe, Google discovered that malicious actors had been exploiting a use-after-free vulnerability (CVE-2016-7855) in limited, targeted attacks aimed at users running Windows 7, 8.1 and 10.
The patches released by Microsoft in October addressed a total of four vulnerabilities exploited in the wild, including weaknesses leveraged by advanced persistent threat (APT) actors in cyber espionage operations and by profit-driven cybercriminals in malvertising attacks.
This is not the first time Google has disclosed Windows vulnerabilities before Microsoft could release a patch. In late 2014 and early 2015, Google Project Zero published the details of several flaws after the 90-day deadline expired. At the time, the company made some changes to its disclosure policy after being criticized by some members of the industry.

Comments

Post a Comment

Popular posts from this blog

iPhone 8, iPhone 8 Plus, iPhone X: Here Is How Much They Will Cost

Image
After months and months of waiting, with all the rumours and speculation, the new iPhones are here. Let’s get straight to it, shall we! Live from the new Apple Park campus in Cupertino, California, three phones have been announced so far: the iPhone 8, iPhone 8 plus and the special iPhone X (pronounced ten). Apple has also announced Apple Watch Series 3 with cellular, Apple TV 4k. Inset:   iPhone Prices The iPhone 8 starts at $699 for a 64GB model, while the iPhone 8 Plus starts at $799 for a 64GB model. Pre-orders start September 15 and they will be available from September 22. The iPhone X starts at $999. Pre-orders start October 27 and shipping will begin on November 3. Inset:   iPhone 8 & 8 Plus Inset:   iPhone X Check out the various specs for the new iPhones below: Inset:   iPhone comparison. Credit: Tech Crunch
Read»

Things You Should Know About The iPhone X

Image
After every one of the holes and bits of gossip, Apple at long last propelled the very foreseen IPhone X (articulated IPhone Ten) yesterday. Presently we realize that even with an official discharge, there are still a ton of gossipy tidbits about what the telephone is and isn't, that is the reason we are here to give you ten things you should think about the most recent expansion to the IPhone family. 1. It Was Launched At Apple Park spaceship apple event For those of you none Apple fans who don't comprehend what Apple Park is, it is Apple's fresh out of the plastic new "spaceship" central command found 1 Apple Park Way Cupertino, California, U.S. It was authoritatively opened to Apple workers April this year. The new iPhone was propelled inside Steve Jobs Theater in Apple Park. 2. Say Goodbye To The Home B.utton iphone x The IPhone X was made to appear to be radically unique from its antecedents and one of the highlights that will influenc...
Read»

How to Recover a Deleted WhatsApp Message

Image
This was one of WhatsApp’s most anticipated feature rolled out few weeks ago… unfortunately, the recall feature isn’t as reliable as it looks. Last month, WhatsApp introduced a ‘delete for everyone’ feature, allowing users to unsend an embarrassing message within seven minutes of sending it. The message once deleted from the senders end’ automatically delete the message from the receivers end too. But a new report from a  Spanish blog  claims that WhatsApp messages that are deleted are actually still on the device, and can easily be accessed through Settings by the recipient. The recipient can easily access the deleted messages regardless whether it has been deleted from sender’s end. Whenever a notification comes in to an Android devices, it is stored in the notification log – whether or not it is subsequently deleted by the sender.  While the bulk of the data in the log is technical information, the first 100 characters of the notification message is als...
Read»