Google discloses Windows zero-day that has been exploited in the wild

Google has disclosed a Windows zero-day vulnerability after 7-day deadline it gives vendors when the flaw is actively exploited in the wild by hackers.

Google has once again publicly disclosed a zero-day vulnerability affecting current versions of Windows operating system  and Microsoft still hasn’t issued a patch.

Yes, you’ve got it right! There is a critical zero-day unpatched and attackers are already exploiting it in the wild.

The vulnerability is a local privilege escalation flaw that affects the Windows operating system kernel.

The zero-day could be exploited by attackers to gain administrator-level access by escaping the sandbox protection and execute malicious code.

Google has chosen to public disclose the flaw just 10 days after privately reporting it to Microsoft, giving the company a very little time to issue security updates.

According to Google, the reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.

According to Google disclosure timeline for vulnerability, when a flaw is exploited in the wild Google public disclosed the flaw after seven days.

“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities — to Adobe and Microsoft. Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.” reads a blog post published by Google.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”

According to Google’s Neel Mehta and Billy Leonard, the Windows zero-day “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

The Google security team also disclosed a zero-day flaw (CVE-2016-7855) in Flash Player that was reported to Adobe with the same timeline. Adobe promptly issued an emergency patch to fix the problem.

According to the security advisory issued by Adobe, the CVE-2016-7855 has been exploited in targeted attacks. The vulnerability is a use-after-free issue that can be triggered by attackers for arbitrary code execution.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.  These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system.” states the summary published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.”

The CVE-2016-7855 flaw affects Windows, Macintosh, Linux and Chrome OS, Flash Player 23.0.0.185 and earlier, and 11.2.202.637 and earlier for Linux.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Windows zero-day, hacking)