Google discloses actively-exploited Windows vulnerability

Google has disclosed an actively-exploited 0-day Windows vulnerability less than 10 days after notifying the software maker about the flaw.

On 21 October, Google reported the 0-day vulnerability to Adobe and Microsoft.

Adobe updated Flash on 26 October to address CVE-2016-7855. This update is available via Adobe’s updater and Chrome auto-update.

“After 7 days, per our published policy for actively-exploited critical vulnerabilities, we are disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” said Google.

“This vulnerability is particularly serious because we know it is being actively exploited.”

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.

It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.

Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, so a sandboxed Chrome renderer on Windows 10 cannot reach the vulnerable system call at all. The Windows fix still matters for every other process on the machine, and for Chrome on versions of Windows where it does not apply the lockdown.

“We encourage users to verify that auto-updaters have already updated Flash – and to manually update if not – and to apply Windows patches from Microsoft when they become available.”
 
Google showing no mercy to Microsoft - two evils battling it out.
 

To give 7 days to Microsoft before disclosing a 0-day is not unreasonable. So no evils battling each other or not showing mercy.
 
? it's being actively exploited...

Did you even read the link I posted?
I am leaning towards Google's motto of not being evil.

Nowadays, it feels like Google knows where I work, live and spend my time.
They know all my personal emails and how I search, what my favourite websites are and how much time I spend on a website.


Again. Did you read the link?
 
Not sure what disclosing a vuln has to do with "don't be evil", is what I'm getting at. For those things you mentioned there's incognito mode anyway...
 

For me the issue is security through obscurity. With closed-source stuff you have to rely on the company to come clean and fix the issue. With open source it's out in the wild, and if something is found and reported it's usually fixed very quickly. Commercial entities have sued and obtained gag orders before against people publishing exploits; that's not right.
 
Win 10 version 1607 updates released on 27 October 2016 included this update:

Security Update for Adobe Flash Player for Windows 10 Version 1607 (for x64-based Systems) (KB3201860)

which addressed this issue.

This security update resolves vulnerabilities in Adobe Flash Player if it is installed on any supported edition of Windows Server 2012, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 10, Windows 10 version 1511, Windows 10 Version 1607, or Windows Server 2016.
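Two checks a practitioner would want to run on a Windows machine after reading the article and the post above: whether the Win32k lockdown mitigation the article describes is actually in force for a given process (for example each chrome.exe process, where only the sandboxed renderers should have it), and whether the Flash security update named in this post is installed. The script below is an added example, not code from the article, from Google, from Microsoft, or from the poster. It assumes Windows 8 or later, where kernel32!GetProcessMitigationPolicy exists, that the PowerShell session runs as the same user as the processes being inspected (or elevated), and that the Flash package shows up in Get-HotFix like other Windows 10 updates do. The function and class names are chosen here for illustration.

```powershell
# Added example (not from the article or the forum post).
# Queries PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY (enum value 4) via
# kernel32!GetProcessMitigationPolicy; bit 0 of the returned DWORD is
# DisallowWin32kSystemCalls, i.e. the "Win32k lockdown" the article mentions.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Win32kProbe
{
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const int  ProcessSystemCallDisablePolicy = 4;   // PROCESS_MITIGATION_POLICY

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int policy,
                                                         out uint flags, IntPtr length);
}
"@

function Test-Win32kLockdown {
    # Hypothetical helper name. Reports, per process with the given image name,
    # whether win32k.sys system calls are blocked for it.
    param([Parameter(Mandatory)][string]$ProcessName)

    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $h = [Win32kProbe]::OpenProcess([Win32kProbe]::PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            [pscustomobject]@{ Pid = $p.Id; Win32kLockdown = $null; Note = "OpenProcess failed (error $err)" }
            continue
        }
        try {
            $flags = [uint32]0
            $ok = [Win32kProbe]::GetProcessMitigationPolicy(
                $h, [Win32kProbe]::ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)
            [pscustomobject]@{
                Pid            = $p.Id
                Win32kLockdown = if ($ok) { ($flags -band 1) -eq 1 } else { $null }
                Note           = if ($ok) { '' } else { 'GetProcessMitigationPolicy failed' }
            }
        } finally {
            [void][Win32kProbe]::CloseHandle($h)
        }
    }
}

function Test-FlashUpdateInstalled {
    # Hypothetical helper name. KB3201860 is the package the forum post names
    # for Windows 10 version 1607 x64; pass the KB for your own Windows build.
    param([string]$KB = 'KB3201860')
    $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# A Chrome browser process should report False; sandboxed renderers on
# Windows 10 should report True. Anything with lockdown False is a process the
# Windows kernel fix, once released, still has to protect.
Test-Win32kLockdown -ProcessName chrome | Format-Table -AutoSize
"Flash security update KB3201860 installed: $(Test-FlashUpdateInstalled)"
```

The PROCESS_QUERY_INFORMATION right is what GetProcessMitigationPolicy needs; if OpenProcess fails for a sandboxed process because its DACL does not grant that right to your token, rerun the script elevated. Note that the KB check only tells you the Flash side (CVE-2016-7855) is patched; it says nothing about the Windows kernel bug, which had no fix at the time the post was written.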
 
For me the issue is security through obscurity. Closed sourced stuff you have to rely on the company to come clean and fix the issue. With opensource it's out in the wild and if something is found and reported it's usually fixed very quickly. Commercial entities have sued & obtained gag orders before for people publishing exploits, that's not right.

I agree.

Win 10 version 1607 updates released on 27 October 2016, included this update.

Security Update for Adobe Flash Player for Windows 10 Version 1607 (for x64-based Systems) (KB3201860)

which addressed this issue.

:rolleyes:

http://www.theverge.com/2016/10/31/...erability-sandbox-google-microsoft-disclosure

On Tuesday, Microsoft followed up with more detail in a post by Executive VP Terry Myerson. Myerson attributed the exploitation of the bug to a group called Strontium, a Russia-linked group also called Fancy Bear. Myerson emphasized that Windows 10 users browsing with Edge would be protected from the attack, and promised a system-wide patch to be shipped on November 8th.
 
Great, get people to use Edge. Then after the patch is released people stay with it.

And why not? Chrome released their own update claiming to fix the issue. MS is showing a new face here of attending to issues when they arise.
 
For me the issue is security through obscurity. Closed sourced stuff you have to rely on the company to come clean and fix the issue. With opensource it's out in the wild and if something is found and reported it's usually fixed very quickly. Commercial entities have sued & obtained gag orders before for people publishing exploits, that's not right.
I agree, something is wrong with current legislation.

If exploits are published immediately without giving the company notice, it can harm the company's reputation or its users. However, if a company has time to issue court orders but fixes are still not coming, it is somewhat dodgy.

In this case there are still no fixes from Microsoft. Google wrote something half tighted that exploits are currently in use. Do they mean Microsoft software uses them? It would explain why there are no fixes. It is easy to close a hole, but if they have to replace it with other exploits, it will take weeks or even months.
 