The security bug allows hackers to escape from a security sandbox using the win32k system and is serious enough to be characterised as critical.
The explanation on Google’s blog gives a general overview of the security flaw and does not give enough information for hackers to exploit it. However, the fact that a security flaw exists without a patch will get hackers searching for viable ways to exploit it.
While Adobe has updated Flash to address its vulnerability, Google claimed that Microsoft has failed to address the issue, forcing it to go public. “We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
According to Google, the Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Google added that Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Microsoft does not seem happy with Google’s move to disclose the information and issued a harsh statement: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat.
Blaming Google for putting customers at risk, he said, “Today’s disclosure by Google puts customers at potential risk.”
The spokesperson went on to say, “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
A source close to the company also said that the security vulnerability on Windows requires the Adobe vulnerability to be exploited. Since Adobe created a patch for Flash, hackers won’t be able to exploit the Windows security flaw.
This article originally appeared on VentureBeat.