
Google: All Windows Versions/Users Exposed Due to a Vulnerability in the Windows Kernel!!

  • AnkitSlashKarn
  • Nov 1, 2016
  • 3 min read

Google has disclosed a Windows zero-day vulnerability after Microsoft failed to release a patch within the 7-day deadline the search giant gives vendors when it finds a flaw that is actively exploited by malicious actors.

Google researchers discovered recently that the Windows kernel is affected by a local privilege escalation vulnerability that allows attackers to escape the sandbox.

“[The vulnerability] can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google said in a blog post on Monday.
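The mitigation Google credits here, Win32k lockdown, is a per-process policy on Windows 10 that makes every win32k.sys system call fail, so a kernel bug reachable only through that driver cannot be triggered from the locked-down process. The script below is an added example, not part of the original article or of Google's or Microsoft's material: it uses the built-in Get-ProcessMitigation and Set-ProcessMitigation cmdlets (Windows 10 version 1709 or later, elevated session) to audit and then enforce that policy for one executable. The image name is a placeholder, and the property layout of the returned object is assumed to follow the exploit-protection XML schema.

```powershell
# Added example (not from the original article): audit, then enforce, the
# Win32k lockdown mitigation on a chosen image. This is the same class of
# protection the article says stopped this sandbox escape in Chrome.
# Assumptions: Windows 10 1709+, elevated PowerShell; the image name is a
# placeholder, not a real product binary.
#Requires -RunAsAdministrator

param(
    # Placeholder: replace with the sandboxed worker executable you want to harden.
    [string]$Image = 'example-renderer.exe',

    # Audit first: records win32k.sys calls the process makes without blocking them,
    # so you can confirm the process never legitimately needs them.
    [switch]$AuditOnly
)

# Show the current per-image mitigation settings (stored under Image File
# Execution Options). The SystemCall property name is assumed from the
# exploit-protection XML schema (<SystemCalls DisableWin32kSystemCalls="true"/>).
Write-Host "Current mitigation settings for $Image"
Get-ProcessMitigation -Name $Image | Format-List

if ($AuditOnly) {
    # Audit mode logs would-be blocked win32k.sys calls to the
    # Security-Mitigations event log instead of failing them.
    Set-ProcessMitigation -Name $Image -Enable AuditSystemCall
}
else {
    # Enforce: win32k.sys system calls (including NtSetWindowLongPtr) now fail
    # for this image, so a win32k kernel bug is unreachable from the process.
    Set-ProcessMitigation -Name $Image -Enable DisableWin32kSystemCalls
}

# Confirm the new state.
Write-Host "Updated mitigation settings for $Image"
Get-ProcessMitigation -Name $Image | Format-List
```

Run it once with -AuditOnly and check the Security-Mitigations event log before enforcing. Win32k lockdown disables window and GDI functionality for the process, which is why browsers apply it only to renderer and plugin processes that are designed to run without a UI, never to the broker that draws the window.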

Google typically gives companies 90 days to patch vulnerabilities found by its researchers, but vendors are advised to develop fixes or at least provide workarounds within 60 days if the flaw is critical. However, if a security hole is being exploited in the wild, vendors only get 7 days to take action.

On October 21, Google informed Microsoft and Adobe of Windows and Flash Player vulnerabilities that had been actively exploited. Adobe managed to patch Flash Player a few days later, but Microsoft still hasn’t released a fix or an advisory.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection,” a Microsoft spokesperson said in an emailed statement.

In the case of Adobe, Google discovered that malicious actors had been exploiting a use-after-free vulnerability (CVE-2016-7855) in limited, targeted attacks aimed at users running Windows 7, 8.1 and 10.

The patches released by Microsoft in October addressed a total of four vulnerabilities exploited in the wild, including weaknesses leveraged by advanced persistent threat (APT) actors in cyber espionage operations and by profit-driven cybercriminals in malvertising attacks.

Russian cyber-espionage group behind recent Flash and Windows zero-days

Furthermore, to dispel the ominous feeling that all Windows users are under a barrage of attacks because their engineers failed to release a patch in due time, Microsoft provided more details about the attacks.

Microsoft, which also runs a security division for detecting high-level cyber-espionage campaigns, says that the attacks with the recent Flash and Windows zero-days are "low-volume" and are only aimed at a specific set of targets.

According to Microsoft, behind the attacks is a cyber-espionage group called Strontium. Other security vendors identify this group as Fancy Bear, APT28, Sednit, and Pawn Storm. You may recognize the name "Fancy Bear," who's been tied to cyber-attacks against the Democratic National Committee servers back in the summer of 2015.

The group has a history of targeting government agencies, reporters, diplomats, military organizations, and private sector entities interacting with governments. The group has been tied to cyber-attacks all over the world, and many believe it to be the unofficial offensive cyber-hacking unit of Russia's secret service, the FSB, although nobody has provided concrete and undeniable evidence to support these claims.

In its most recent attacks, Microsoft says Strontium hackers have sent spear-phishing campaigns, luring victims to websites embedded with weaponized Flash files. When the user landed on the page, the Flash file would play, execute the Flash zero-day, and take over the user's browser process.

Since most browsers are isolated inside their own processes, the attacker couldn't reach the underlying OS. This is where the Windows zero-day came in handy, allowing the attackers to elevate the privilege of the browser's process, escape the browser sandbox and download and install a backdoor Trojan on infected computers.

Microsoft says that users of Microsoft Edge on Windows 10 Anniversary Update are protected from versions of this attack.

This is not the first time Google has disclosed Windows vulnerabilities before Microsoft could release a patch. In late 2014 and early 2015, Google Project Zero published the details of several flaws after the 90-day deadline expired. At the time, the company made some changes to its disclosure policy after being criticized by some members of the industry.

Ankit Slash Karn

Entrepreneur, Dreamer, Programmer, Cyber Security Expert.