On October 21, Google let Microsoft know about security vulnerabilities with Adobe Flash and Windows. On the 26th, Flash released an update, but Microsoft has yet to do their part. Although Google let Microsoft know of the problem on the 21st, they informed the public on the 31st. Happy Halloween, everyone!

Google classified the issues they found as zero-day vulnerabilities, meaning vulnerabilities that are not known to the public. The search engine giant has a policy of disclosing actively exploited critical vulnerabilities after seven days. In a post on the Google Security blog, Neel Mehta and Billy Leonard of the Threat Analysis Group called the vulnerability a serious one because they know it is being actively exploited.

As of this writing, Microsoft has addressed the issue but hasn’t given an exact date for a patch. In their statement, Microsoft encourages users to use Windows 10 as well as the Microsoft Edge browser as these offer the best protection.

Google says that the issue is with the Windows kernel. In particular, it’s a local privilege escalation that, according to Mehta and Leonard, “can be used as a security sandbox escape.” They added that the vulnerability can be triggered through NtSetWindowLongPtr(), a win32k.sys system call. Both also added that users of the Chrome browser won’t be exposed to this issue because its sandbox automatically blocks calls to core components of the Windows system like win32k.sys.

This isn’t the only time Google has revealed vulnerabilities in the Microsoft system before Microsoft was able to release a patch. Google did it two times for Windows 8.1 in January 2015.

Microsoft is one of the most used systems in the world today, and any threat to security is a big issue. Although they released a patch in October, rolling out one for this issue is equally important.