Google drops a zero-day on Microsoft: Web giant goes public with bug exploited by hackers
Even Adobe pushed its patch faster than Windows giant
Google has slung a grenade at Microsoft by disclosing a Windows vulnerability before Redmond has a patch ready. The bug is a local privilege escalation in the Windows kernel: code already running on a machine, including code confined to a browser sandbox, can use it to escape that sandbox and gain kernel-level control of the box.
According to a blog post by Neel Mehta and Billy Leonard of the Chocolate Factory's Threat Analysis Group, the reason for going public is simple: they have seen exploits for the bug in the wild, which under Google's own disclosure policy starts a seven-day clock, so something has to be done now, like right now.
Google's post attaches CVE-2016-7855 to a companion Flash bug; the Windows kernel bug had not been assigned a CVE when the post went out (Microsoft subsequently fixed it as CVE-2016-7255). Google describes the Windows bug as:
A local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
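The mitigation Google is relying on is the Windows "system call disable" process mitigation (the ProcessSystemCallDisablePolicy entry of PROCESS_MITIGATION_POLICY), which the kernel enforces per process. A practitioner's first question is whether a given process is actually running with it. The script below is an added example, not code from the article or from Google; it queries the policy of running processes through GetProcessMitigationPolicy via P/Invoke. The enum value 4 and flag bits are taken from winnt.h; the choice of chrome.exe as the sampled process is an assumption, and the expectation that only the sandboxed child processes show the policy as enforced is how Chrome's sandbox works on Windows 10, not something the article states.

```powershell
# Added example (not from the original article): report whether running
# processes have the Win32k lockdown mitigation (ProcessSystemCallDisablePolicy)
# applied. Requires Windows 8 or later. Run from an elevated prompt if
# OpenProcess fails for processes you do not own.

Add-Type -Namespace Win32 -Name Mitigation -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

// BOOL GetProcessMitigationPolicy(HANDLE, PROCESS_MITIGATION_POLICY, PVOID, SIZE_T)
// lpBuffer receives PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, a 32-bit Flags union.
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, ref uint lpBuffer, IntPtr dwLength);
'@

$PROCESS_QUERY_INFORMATION      = 0x0400   # access right GetProcessMitigationPolicy requires
$ProcessSystemCallDisablePolicy = 4        # PROCESS_MITIGATION_POLICY enum value (winnt.h)
$DisallowWin32kSystemCalls      = 0x1      # bit 0 of the Flags union: win32k calls are blocked
$AuditDisallowWin32kSystemCalls = 0x2      # bit 1: audit mode only, calls still succeed

function Get-Win32kLockdownState {
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = [Win32.Mitigation]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ Pid = $ProcessId; Win32kLockdown = 'unknown'; Error = "OpenProcess failed (Win32 error $err)" }
    }
    try {
        [uint32]$flags = 0
        $ok = [Win32.Mitigation]::GetProcessMitigationPolicy($h, $ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)
        if (-not $ok) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return [pscustomobject]@{ Pid = $ProcessId; Win32kLockdown = 'unknown'; Error = "GetProcessMitigationPolicy failed (Win32 error $err)" }
        }
        $state = if ($flags -band $DisallowWin32kSystemCalls)        { 'enforced' }
                 elseif ($flags -band $AuditDisallowWin32kSystemCalls) { 'audit-only' }
                 else                                                  { 'off' }
        return [pscustomobject]@{ Pid = $ProcessId; Win32kLockdown = $state; Error = $null }
    }
    finally {
        [void][Win32.Mitigation]::CloseHandle($h)
    }
}

# Usage (process name is an assumption): sandboxed renderer processes should
# report 'enforced'; the browser (parent) process and the GPU process, which need
# win32k to draw on screen, legitimately report 'off'.
Get-Process -Name chrome -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Win32kLockdownState -ProcessId $_.Id } |
    Format-Table -AutoSize
```

The distinction between 'enforced' and 'audit-only' matters: in audit mode the kernel logs win32k calls from the process but still lets them through, so a sandbox escape via NtSetWindowLongPtr would still work. Only 'enforced' means the system call described in Google's post is rejected before it reaches win32k.sys, and the mitigation is per process, so a process outside the browser sandbox (a Flash host, an Office document handler, or plain malware already on the box) gets no protection from it at all, which is why the kernel fix itself still matters.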
The post notes that Google reported both bugs, the Flash one and the Windows kernel one, to Adobe and Microsoft respectively on October 21, and that Adobe pushed its Flash patch last week.
Adobe worked fast on its patch because the Flash bug was already being exploited in the wild.
On the one hand, you can appreciate Google's frustration with Microsoft, a multibillion-dollar business with an army of developers who can't get a patch out fast for a vulnerability under active attack. On the other hand, Microsoft has a long history of bungling patches, so maybe panicking Redmond into rushing out an update isn't a great idea.
Maybe the last thing Microsoft engineers need right now, while untangling Windows code, is Google breathing down their necks. ®