Google unveiled security flaw in Windows 10 and Microsoft isn't happy about it
Microsoft says Google's decision to go public has put customers at potential risk
Google disclosed on Monday information on security flaws in Windows 10 and Flash on its security blog. The tech giant decided to share the news 10 days after it reported the Window vulnerability to Microsoft.
The security bug allows hackers to escape from a security sandbox using the win32k system and is serious enough to be characterised as critical.
Microsoft announces "creators update" for Windows 10
The bug explained on Google’s blog provides a general overview of what the security flaw is and does not give enough information for hackers to exploit it. However, the fact that a security flaw does exists without a patch will get hackers searching viable ways to exploit it.
While Adobe has updated the Flash, addressing the vulnerability, Google claimed that Microsoft has failed to address the issue forcing it to go public. “We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
According to Google, the Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD, adding that Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Microsoft does not seem happy with Google’s move to disclose the information and issued a harsh statement: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat.
Blaming Google for putting customers at risk, he said, “Today’s disclosure by Google puts customers at potential risk.”
The spokesperson went on to say, “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” he added.
Microsoft to show code in Brazil to calm fears about spy 'back doors'
A source close to the company also said that the security vulnerability on Windows requires the Adobe vulnerability to be exploited. Since Adobe created a patch for Flash, hacker won’t be able to exploit the Windows security flaw.
This article originally appeared on VentureBeat.
The security bug allows hackers to escape from a security sandbox using the win32k system and is serious enough to be characterised as critical.
Microsoft announces "creators update" for Windows 10
The bug explained on Google’s blog provides a general overview of what the security flaw is and does not give enough information for hackers to exploit it. However, the fact that a security flaw does exists without a patch will get hackers searching viable ways to exploit it.
While Adobe has updated the Flash, addressing the vulnerability, Google claimed that Microsoft has failed to address the issue forcing it to go public. “We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
According to Google, the Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD, adding that Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Microsoft does not seem happy with Google’s move to disclose the information and issued a harsh statement: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson told VentureBeat.
Blaming Google for putting customers at risk, he said, “Today’s disclosure by Google puts customers at potential risk.”
The spokesperson went on to say, “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” he added.
Microsoft to show code in Brazil to calm fears about spy 'back doors'
A source close to the company also said that the security vulnerability on Windows requires the Adobe vulnerability to be exploited. Since Adobe created a patch for Flash, hacker won’t be able to exploit the Windows security flaw.
This article originally appeared on VentureBeat.