Google's security division has released details of a zero-day vulnerability in Microsoft's Windows operating system which, it claims, is under active attack in-the-wild.
Members of Google's threat analysis group have published disclosures for vulnerabilities affecting Adobe's Flash - just for a change - and Microsoft's Windows software packages, following private disclosure of the flaws on October 21st. While Adobe has issued an update to resolve the Flash flaw, which has also been made available to users of the Chrome browser, Microsoft has failed to address the Windows vulnerability which its discoverers claim is 'particularly serious because we know it is being actively exploited.'
The vulnerability takes the form of a local privilege escalation within the Windows kernel, allowing malicious processes to escape the sandbox which would ordinarily limit the damage they can do. The vulnerability can be exploited through a browser - though Google claims that Chrome is immune thanks to its use of a tool known as win32k lockdown mitigation - simply by visiting an affected website.
Google, however, is likely to come under fire for the rapid nature of its disclosure, giving Microsoft just over a week between the private notification and the vulnerability being publicly posted. The company's treatment of Microsoft stands in stark contrast to its recent behaviour regarding a similar security issue in Apple's macOS operating system, in which Google kept details of the vulnerability private for just under five months as Apple worked on multiple fixes only the most recent of which actually resolved the flaw.
Microsoft has decried Google's public disclosure, but has not yet provided a timescale for patching the flaw and securing its customers.