Google has disclosed to the public the existence of a Windows zero-day vulnerability (CVE-2016-7255) that is being actively exploited in the wild.
According to Neel Mehta and Billy Leonard, of the Google Threat Analysis Group, it’s a local privilege escalation in the Windows kernel that can be used as a security sandbox escape, and can be triggered “via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
The existence of this vulnerability and another zero-day affecting Flash Player (CVE-2016-7855) was shared with Microsoft and Adobe on October 21st. But while Adobe has already pushed out an update with the patch, Microsoft has not been so quick.
“Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10,” Adobe said in the security bulletin accompanying the release.
Google has made the flaw public before Microsoft has had a chance to fix it because it is a critical vulnerability that could lead to system compromise, and it is being actively exploited.
They have advised users to update Flash and implement the Microsoft patch as soon as it is made available.
In the meantime, Windows 10 users can use Google Chrome to protect themselves against possible attacks leveraging the flaw.
“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” they explained.
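As an added example (not part of the original article or of Chrome's own code), the following PowerShell checks whether a running process has that Win32k lockdown mitigation enabled, and shows how an administrator can opt another application in. It assumes Windows 10 with the ProcessMitigations module (Get-ProcessMitigation / Set-ProcessMitigation) and an elevated shell; the image name `myapp.exe` is a placeholder, and the `SystemCall.DisableWin32kSystemCalls` property path should be confirmed against the module version in use.

```powershell
# Added example: report the Win32k lockdown state of every running instance of an image.
# Requires Windows 10 (1709 or later) and the built-in ProcessMitigations module.
function Get-Win32kLockdownStatus {
    param(
        # Image name to inspect; defaults to Chrome, whose renderers the article says are locked down.
        [string]$ImageName = 'chrome.exe'
    )

    Get-Process -Name ([System.IO.Path]::GetFileNameWithoutExtension($ImageName)) -ErrorAction Stop |
        ForEach-Object {
            # Query the runtime mitigation policy of this specific process by PID.
            $policy = Get-ProcessMitigation -Id $_.Id
            [pscustomobject]@{
                ProcessName    = $_.ProcessName
                Id             = $_.Id
                # ON means win32k.sys system calls are rejected, which is what blocks
                # the NtSetWindowLongPtr() path described above from inside the sandbox.
                Win32kLockdown = $policy.SystemCall.DisableWin32kSystemCalls
            }
        }
}

# Usage: list Chrome processes and flag any that are not locked down.
Get-Win32kLockdownStatus -ImageName 'chrome.exe' |
    Format-Table -AutoSize

# Opting another application in (placeholder image name). Only appropriate for
# processes that do not need win32k, since the mitigation breaks GUI functionality.
# Set-ProcessMitigation -Name 'myapp.exe' -Enable DisableWin32kSystemCalls
```

Applying the mitigation to a process that still uses USER/GDI functionality will break it, so test the opt-in on a non-production host first.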