Google Discloses Exploited Windows Vulnerability 10 Days After Telling Microsoft

An anonymous reader writes: Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems.In a blog post, security researchers at Google write, "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Re:Neel Mehta is a real crumbum

[XparXnoiaX]

Not only that, the arguably ethical thing to do is to always disclose. In most cases the exploits are being actively used (see previous link).

Re:Different from the Kid Gloves They Used for App

[bigdady92]

Apple Market Share: 3-5%
Windows Market Share: 90%
Everything else: Math%

Google wants to put as much pressure on MS to get them to fix the problem as quickly as possible as this vulnerability affects the largest market share of Google's Product.

We all know all those windows users will blame Chrome for infecting their machine Because Reasons(TM) so let Google force MS into fixing this issue ASAP.

Apple's vulnerability? Who cares, it affects a microcosm of Google's user base.

Re:So Windows 10 is not affected?

[squiggleslash]

I think it's "If you're using Chrome under Windows 10, and someone tries to hack you using, say, a hacked plugin, Chrome will be able to sandbox this. In any other configuration, you're screwed."