Google researchers today disclosed that they had found and reported to Microsoft a critical vulnerability in Windows that Microsoft has not yet fixed, and that is already being exploited by attackers in the wild.
This Halloween Day revelation by Google threat analysis group members Neel Mehta and Billy Leonard falls under Google's policy for reporting active exploits of critical vulnerabilities. Google says it first reported the bug to Microsoft on October 21.
"After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited," the Google team said in a post today.
The Windows vulnerability is a local privilege-escalation flaw in the Windows kernel that can be used to bypass a security sandbox. "It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability," the Google team wrote.
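The mitigation Google credits here, Win32k lockdown, is a per-process policy that refuses win32k.sys system calls outright, so a sandboxed process cannot reach NtSetWindowLongPtr() at all. The following PowerShell script is an added example, not code from the article or from Google or Microsoft: it reports, for each running process with a given name, whether that lockdown is active. It assumes a Windows 10 host at version 1709 or later, where the ProcessMitigations module and its Get-ProcessMitigation cmdlet exist, and an elevated session so that processes owned by other users can be inspected; the default process name "chrome" is an assumption you can override.

```powershell
# Added example (not from the article): check whether the Win32k system-call
# lockdown mitigation is active on running processes.
# Assumes Windows 10 1709+ (ProcessMitigations module present) and an
# elevated PowerShell session. The process name is an assumed default.
param(
    [string]$ProcessName = 'chrome'
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named '$ProcessName' was found."
    return
}

foreach ($p in $procs) {
    try {
        # -Id queries the live mitigation state of that process rather than
        # the configured (registry) policy for the image name.
        $m     = Get-ProcessMitigation -Id $p.Id
        $state = $m.SystemCall.DisableWin32kSystemCalls   # ON / OFF / NOTSET
    } catch {
        $state = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Name           = $p.ProcessName
        Id             = $p.Id
        Win32kLockdown = $state
    }
}
```

Run it as `.\Check-Win32kLockdown.ps1 -ProcessName chrome` (any file name will do). Because the article says the lockdown is applied by Chrome's sandbox, you should expect ON only for the sandboxed renderer processes; the main browser process still needs win32k.sys and will report OFF, which is not by itself a finding. A process that you expect to be sandboxed but that reports OFF or NOTSET is the case worth following up, since it would retain access to the system call the article names.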
"We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability."