Google warns of critical vulnerability in latest version of Windows


Google has warned users about a critical vulnerability in the most current version of Windows that Microsoft has yet to patch and that is being exploited by hackers.

Engineers from Google’s Threat Analysis Group said that they had originally reported the vulnerability to Microsoft on October 21.

However, as per Google’s policy on security threats, the Threat Analysis Group were forced to publicly disclose the vulnerability because Microsoft had not issued an advisory or patch for the problem within 10 days of it being reported.

“This vulnerability is particularly serious because we know it is being actively exploited,” wrote Neel Mehta and Billy Leonard on Google’s official security blog.

According to Google, the security vulnerability, dubbed CVE-2016-7855, exists in the Windows win32k system kernel and can allow hackers to bypass the Windows security sandbox.

Google describes the vulnerability as:

A local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.

Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

Google has already issued a fix to protect Chrome users from the exploit but Windows users remain at risk.

While Google didn’t go into great detail about the vulnerability, Microsoft has criticised the search giant for going public, over fears that it will spur hackers into actively trying to find ways to exploit the vulnerability.

“Today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat.

“We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

The news comes after Google also publicly disclosed another vulnerability in Adobe Flash Player, which the company patched on October 26.

However, issuing a patch for Flash Player is one thing, but issuing a patch for Windows is likely to be more complex, and as of yet users are still waiting on Microsoft to issue a fix.

