Google notified Microsoft of a zero-day vulnerability in Windows and just 10 days later, the information was given to the public. A zero-day attack is essentially an undisclosed computing issue which can be used by hackers to exploit which can affect computers and networks. Incidentally, hackers were already aware of the issue and were making full use of it to tamper with people’s computers. Google said, as of now there is no fix. Neel Mehta and Billy Leonard, Threat Analysis Group at Google, wrote in a blog, “We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
Microsoft was notified by Google about the problem on October 21. Generally, it has been seen that Google waits around 2 months before making bugs a public knowledge. Google said according to bug disclosure policy, software vendors are granted 7 days of lead time to develop and push patches, and now since the vulnerability is being actively exploited, Google said that the disclosure is to ‘protect users’. The problem directly affects the Windows Kernel, which is the strongest and the most important part of an operating system. The flaw can be used to skip tools which are designed to isolate malicious coding as well as security sandboxes. Google explains the technical repercussions in its blog, and wrote, “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
Google said that its web browser Google Chrome can prevent hackers from exploiting the issue of computers which run Windows 10, by blocking specific system calls. For the technically inclined, the details can be found in google docs with the name ‘Chromium Win32k system call lockdown’. Incidentally, there is also a 0-day security issue in Adobe Flash software which adobe had resolved when updated on October 26. Google said that it is planning to use HTML5 instead of Flash support. HTML5 is a markup language which allows multimedia on the web. Microsoft, in turn, informed that it is working towards resolving the issue. It wrote in a blog, “We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, November 8.”
Although Microsoft was not happy with the sudden public disclosure by Google and said that such a thing can put customers at risk. It also said, “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.” Meanwhile, the biggest threat right now is an activity group known as Strontium. It is a group which targets government agencies, military organisations, public policy research institutes, defence contractors among many others. Strontium sends malicious e-mails, which moves laterally through contacts by sending out more e-mails. This puts sensitive data at risk for more and more consumers. As a matter of fact, Microsoft attributes more zero-day attacks to this group than any other in 2016. Strontium right now can exploit Flash to gain control of the browser process, elevate privileges in order to escape the browser sandbox, and install a backdoor to provide access to the victim’s computer.