Google’s Threat Analysis Group has released some details about a Windows 10 vulnerability that leaves millions of Windows 10 users at risk. This is not the first time Google has made such information public after notifying the vendor one week earlier to give Microsoft time to release a patch.
Two years ago Google similarly revealed a security threat affecting Windows 8.1 users, which Microsoft later fixed.
According to today’s report, the details of the vulnerability are as follows:
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
As of yesterday, Microsoft had not published any security advisory, even 10 days after Google’s disclosure. But today Microsoft responded with a blog post by Terry Myerson, Executive Vice President of WDG.
Below is the detailed response from Microsoft, via Terry Myerson, regarding the security patch:
“He said that the group called STRONTIUM performed a spear-phishing attack, but before we go any further, users on the Windows 10 Anniversary Update using the Edge browser should already be protected from it. It used two zero-day vulnerabilities in Flash and the Windows kernel to do the following:
- Exploit Flash to gain control of the browser process
- Elevate privileges in order to escape the browser sandbox
- Install a backdoor to provide access to the victim’s computer
Perhaps the most troublesome issue is that all versions of Windows from Vista through the Windows 10 November Update are vulnerable to these exploits. Microsoft says that it will be offering patches on November 8, which is this month’s Patch Tuesday.
Businesses that have Windows Defender Advanced Threat Protection (ATP) should be safe as well. The company says that Defender ATP can “generically detect, without any signature, multiple stages of the attack such as the creation of uncommon DLL libraries on disk from the browser process, unexpected changes of process token and integrity levels (EoP), and the loading of recently created DLL libraries under abnormal process conditions”.
Myerson also wrote that Microsoft attributes more zero-day vulnerabilities to STRONTIUM than to any other organization this year. The group will often compromise a person’s email address, and use it to send malicious content to a second victim, often pursuing them for months.
Microsoft said that Google reporting the vulnerability was “disappointing”, and that it needlessly puts consumers at risk. Nevertheless, be sure to check for updates next Tuesday at 10 AM PT.”
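The quoted post describes three generic, signature-free signals for this attack chain: a browser process writing an uncommon DLL to disk, an unexpected rise in process integrity level (EoP), and a recently created DLL being loaded. The following Python is an added illustration of how a detection engine could correlate those three signals over an endpoint event stream; it is not Microsoft’s or Defender ATP’s code. The event schema, the browser image list, the set of trusted DLL directories, the five-minute “recently created” window and every event in the sample stream are constructed assumptions for the example.

```python
"""Added example: correlate three generic endpoint signals into alerts.

Signals (as described in the quoted Microsoft post):
  1. a browser process creates a DLL outside trusted directories,
  2. a browser process's integrity level rises (possible EoP),
  3. a DLL created moments earlier is loaded into a process.
All events, names and thresholds here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

BROWSERS = {"chrome.exe", "iexplore.exe", "firefox.exe"}      # assumed browser images
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                "c:\\program files (x86)\\")                  # assumed "common" DLL locations
LEVELS = {"low": 0, "medium": 1, "high": 2, "system": 3}      # integrity ordering
FRESH_WINDOW = 300.0   # seconds; a DLL loaded this soon after creation is "recently created"


@dataclass
class Event:
    ts: float               # seconds since epoch (constructed)
    kind: str               # "process", "file_create", "integrity" or "image_load"
    pid: int
    image: str              # image name of the acting process, lowercase
    path: Optional[str] = None    # file path for file_create / image_load
    level: Optional[str] = None   # integrity level for process / integrity events


def detect(events: List[Event]) -> List[str]:
    """Return one alert string per matched signal, in timestamp order."""
    alerts: List[str] = []
    created = {}          # lowercase dll path -> creation timestamp
    last_level = {}       # pid -> last known integrity level
    browser_pids = set()  # pids whose image is a browser

    for ev in sorted(events, key=lambda e: e.ts):
        path = (ev.path or "").lower()

        if ev.kind == "process" and ev.image in BROWSERS:
            browser_pids.add(ev.pid)
            last_level[ev.pid] = ev.level or "low"   # sandboxed renderers start low

        elif ev.kind == "file_create" and path.endswith(".dll"):
            # Signal 1: browser writing a DLL somewhere other than a trusted directory
            if ev.pid in browser_pids and not path.startswith(TRUSTED_DIRS):
                created[path] = ev.ts
                alerts.append(f"uncommon DLL written by browser pid {ev.pid}: {ev.path}")

        elif ev.kind == "integrity" and ev.pid in browser_pids:
            # Signal 2: integrity level of a browser process goes up, not down
            prev = last_level.get(ev.pid, "low")
            if LEVELS.get(ev.level, 0) > LEVELS.get(prev, 0):
                alerts.append(f"integrity level rose {prev}->{ev.level} on pid {ev.pid} (possible EoP)")
            last_level[ev.pid] = ev.level

        elif ev.kind == "image_load":
            # Signal 3: loading a DLL that signal 1 saw being created very recently
            if path in created and ev.ts - created[path] <= FRESH_WINDOW:
                alerts.append(f"recently created DLL {ev.path} loaded by pid {ev.pid}")

    return alerts


# Constructed sample stream: one suspicious browser chain plus two benign events.
SAMPLE_EVENTS = [
    Event(1000.0, "process", 4242, "chrome.exe", level="low"),
    Event(1001.0, "file_create", 4242, "chrome.exe",
          path="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll"),
    Event(1002.0, "integrity", 4242, "chrome.exe", level="high"),
    Event(1003.0, "image_load", 4242, "chrome.exe",
          path="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll"),
    Event(1004.0, "image_load", 4242, "chrome.exe",            # benign: system DLL
          path="C:\\Windows\\System32\\kernel32.dll"),
    Event(1005.0, "process", 5151, "winword.exe", level="medium"),
    Event(1006.0, "file_create", 5151, "winword.exe",          # benign: not a browser
          path="C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints three alerts for the constructed chain and nothing for the two benign events. The point of the design is that none of the three checks depends on a hash or an exploit-specific artifact: each is a behavioural property of the chain the post describes, which is why such detections survive changes to the payload. A real engine would also key the token-change check on the process lineage rather than only on the browser pid, and would tune the trusted-directory list to the environment.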