Google goes public with unpatched Windows zero-day flaw

Microsoft not best pleased

Google has made public a zero-day flaw in Windows, 10 days after it first notified Microsoft of the vulnerability.

Google says it has gone public in this case because it has seen the vulnerability exploited in the wild.

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," says a post in Google's Security blog.

"It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD."

Google goes on to say that the Chrome browser's sandbox feature blocks such system calls.

"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Google has a policy of notifying the public of unpatched vulnerabilities in software belonging to other companies seven days after reporting them to the company concerned if it sees them being exploited. In this case it said it had notified Microsoft on 21 October, before going public 10 days later. For unexploited glitches Google generally goes public after 90 days.

"We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution. Over the years, we've reported dozens of actively exploited zero-day vulnerabilities to affected vendors," the company says in a post explaining this policy.

Google says that only basic information about the present Windows bug has been shared. However, Microsoft did not welcome Google's intervention.

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," a Microsoft spokesperson said.

"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Microsoft has not disclosed when a patch will be made available to fix the vulnerability. However, it did say that a bug in Adobe Flash Player (CVE-2016-7855) is needed to exploit the Windows vulnerability, so users with up-to-date Flash Player applications should be safe.

Adobe released an emergency patch for this flaw, to which it was also alerted by Google, on 27 October.
