PINDROP BLOG

Google Identifies Unpatched Windows Bug Being Used in Attacks

Ten days after informing Microsoft of a serious privilege escalation vulnerability in Windows, Google researchers have disclosed some limited information about the bug because it is under active attack.

The Google researchers discovered the vulnerability earlier this month and sent the details to Microsoft on Oct. 21. The team at Google knew that attackers were using the vulnerability in active attacks. Though it’s a locally exploitable vulnerability, Google’s researchers said the bug is quite dangerous, so when Microsoft hadn’t released a patch for it within seven days, Google published some details about the flaw.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Neel Mehta and Billy Leonard of Google said in a post.

Google’s research team, which looks for vulnerabilities in outside applications as well as the company’s own software, adheres to a policy for vulnerability disclosure. For most bugs, the group will keep details private for up to 60 days, but the policy changes for vulnerabilities that are being used by attackers.

“Based on our experience, however, we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google engineers said in 2013.

Google’s team didn’t disclose how it detected the attacks on the vulnerability or any more specific details about the bug. Microsoft’s security response team hasn’t released any information on when the bug might be patched.
