October 31, 2016
Google Reveals Actively Exploited Windows Kernel Vulnerability
Google disclosed two actively exploited vulnerabilities seven days after revealing them to the relevant vendors, which in this case are Adobe and Microsoft. Google said that Adobe has already fixed its bug, but that Microsoft hasn’t released an advisory or fix yet.
Google’s Vulnerability Disclosure Policies
Back in 2010, Google adopted a general policy of revealing vulnerabilities in software tools of other vendors within 60 days of alerting the vendors themselves. The policy was a middle ground between two popular choices at the time: full disclosure and “responsible” disclosure.
Full disclosure meant that the vendor would find out about the vulnerability at the same time as everyone else, thus creating an “emergency” situation for the vendor for all bugs. Responsible disclosure, on the other hand, meant that it would not alert the public about the bug until the vendor fixed it. That could mean never in some cases, or the companies involved would fix the bugs too slowly.
Google extended its policy to 90 days in 2015, after a spat with Microsoft after the company failed to fix a bug within the time frame Google announced. Google also added a 14-day grace period for when the vendor of the vulnerable product misses the 90-day deadline but tells Google that a fix should be ready within the following 14 days. If the vendor failed to fix the bug again, then Google would reveal the vulnerability to the public.
In 2013, Google added a seven-day limit to its vulnerability disclosure policy for critical vulnerabilities that are actively under attack. Seven days may seem like a small amount of time in comparison to its more general vulnerability disclosure policy, but when it comes to a serious bug such as Heartbleed, it may even be too much. Vendors need to immediately fix critical bugs to protect users’ data, especially when it’s already known that attackers are actively taking advantage of it to hack into systems and steal data.
Adobe And Microsoft’s Actively Exploited Bugs
On October 21, Google revealed two critical bugs that attackers were actively exploiting to both Adobe and Microsoft. Five days later, on October 26, Adobe had already fixed the Flash vulnerability.
However, according to Google, Microsoft hasn’t taken any public action yet to fix the bug or announce to users that the bug exists and that attackers are actively exploiting it. If it did, users (including IT administrators) could take the necessary steps to try to defend themselves against the exploit until Microsoft releases a patch.
The vulnerability in question is a local privilege escalation in the Windows kernel that can be used to bypass security sandboxes of various software tools, such as browsers. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.
Chrome Is Safe (In Windows 10-Only)
Google said that Chrome could take advantage of the Win32k lockdown mitigation feature in Windows 10, so Chrome is not vulnerable to this bug on this version of Windows. It seems to be on the others, though, which is why Google is making this bug public (according to its seven-day policy for such bugs). If Microsoft would fix the bug faster, then Chrome users on Windows 7 and 8 wouldn’t remain vulnerable for much longer.
Google encouraged users to verify whether the auto-update tools have updated Flash and if they didn’t, the users should update Flash manually. Users should also update their Windows OS as soon as Microsoft releases a patch for its own vulnerability.