Revealing a critical vulnerability in the Windows operating system, Google on Monday said in blog post that a bug could allow the attackers to escape the security sandbox. The vulnerability is particularly serious because it is being actively exploited and Microsoft hasn’t fixed it so far, Google said.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” the post said.
Google regularly looked for vulnerabilities that were unknown (“zero-day”) to public and report it to the affected vendors and worked closely with them to find a solution, Google said.
According to Google, these vulnerabilities are more dangerous because the attackers target a limited subset of people, such as political activists. Google usually gives vendors 60 days to fix the issue and, in case of critical bugs, it notifies in seven days. But according to Venturebeat, a technology website, Microsoft spokesperson said: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk.”