Once again Google did it! Disclosing of a zero-day vulnerability in current versions of Microsoft Operating System, and the interesting part is MS still not came out with a patch!Google made the disclosure of the vulnerability, which is being seen in the wild now, exploited by hackers to compromise systems across the world. Microsoft got privately intimation about the vulnerability 10 days before Google releasing the details to the public. However, MS might have ignored it completely, and Google’s exposure keeps them red-faced.Although Google claims that it disclosed a vulnerability in Adobe also at the same time, they have come out with an emergency patch.The particular zero-day is a local escalation vulnerability that exists in the Windows Operating System kernel. If exploited, the defect can be used to escape the sandbox protection and execute malicious code on the compromised system. Exploitation is through the win32k.Sys system call NtSetWindowLongPtr() for the index GWLP_ID on Windows handle with GWL_STYLE set to WS_CHILD, “Chrome’s sandbox blocks win32k.Sys system calls using the Wind32k lockdown mitigation on Windows10, which prevents exploitation of this sandbox escape vulnerability.”Google shared only primary details about the bug since it is exploited in the wild these days. Microsoft obviously is not happy with the disclosure and blamed Google to potentially place all the customers at risk, adding that the company favors a coordinated vulnerability disclosure.
