Google Gave Microsoft 10 Days to Respond to a Critical Security Flaw in Windows 10

Google identified a severe flaw in how Microsoft sandboxes Adobe Flash web requests. On October 21st, 2016, Google reported the vulnerability to both Microsoft and Adobe.

Google explains the flaw this way…

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.

Microsoft has yet to respond with a patch to protect customers, but instead took time to deliver statements to various news organizations suggesting that it is Google's disclosure practices that put Windows customers at risk. Google defended its position by stating that…

After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.
