After 10 days of published policy for actively exploited critical vulnerabilities by Google, Adobe already issued a fix on October 26th through a Flash update, but Microsoft hasn’t released that unpatched Windows flaw that is being actively exploited by hackers.
Google describes the Windows flaw as follows:
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
As for why the big G decided to reveal the flaw even though it could put people at risk, it’s all because of the company’s existing policy for actively exploited critical vulnerabilities. That policy states that Google will disclose vulnerabilities merely seven days after reporting it to the developer.
Google encouraging users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability.