
Google Just Outed an Unpatched Windows Vulnerability

Dave Parrack 01-11-2016

Google has disclosed a zero-day vulnerability in Windows which is currently unpatched and being actively exploited in the wild. It’s fair to say Microsoft is none too happy with this situation, claiming Google’s actions “puts customers at potential risk”.


Sometime in early October, Google discovered serious vulnerabilities in both Windows and Flash. On October 21st, Google informed Microsoft and Adobe of the critical security issues in both products. On October 26th, Adobe updated Flash to fix the issue. But Microsoft still hasn’t fixed the issue lurking in the Windows kernel.

Despite this, Google disclosed details of the vulnerabilities in a post published on the Google Security Blog on October 31st. This adheres to the company’s policy of publicly revealing such issues exist seven days after informing the vendor of the affected product(s).

Microsoft Gets Upset With Google

Google describes the Windows vulnerability as follows:

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

Which likely offers enough information for hackers to figure out how to use the vulnerability to their advantage. This has obviously upset Microsoft, which told VentureBeat:

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
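Google's statement above names the Win32k lockdown mitigation as the thing that blocks this escape from inside Chrome's sandbox. The following PowerShell is an added example, not from Google, Microsoft or the original article, showing how to check which running processes of a program have that mitigation switched on. It assumes the Get-ProcessMitigation cmdlet (Windows 10 version 1709 or later) is available; `chrome` is only a sample process name.

```powershell
# Added example: list running processes of one program and report whether the
# Win32k lockdown mitigation ("disable win32k system calls") is enabled.
# Assumes the ProcessMitigations module (Get-ProcessMitigation) is present.
param(
    [string]$ImageName = 'chrome'   # sample process name, change as needed
)

$report = foreach ($proc in Get-Process -Name $ImageName -ErrorAction SilentlyContinue) {
    $state = 'UNREADABLE'
    try {
        # -Id queries the live process, so a policy the process applied to
        # itself at runtime is reported, not just registry configuration.
        $m = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
        $state = [string]$m.SystemCall.DisableWin32kSystemCalls   # ON / OFF / NOTSET
    }
    catch {
        # Process exited in the meantime or access was denied; keep UNREADABLE.
    }

    [pscustomobject]@{
        Id             = $proc.Id
        Name           = $proc.ProcessName
        Win32kLockdown = $state
    }
}

if (-not $report) {
    Write-Output "No running process named '$ImageName' was found."
    return
}

# Per-process detail, then a count for each state.
$report | Sort-Object Win32kLockdown, Id | Format-Table -AutoSize
$report | Group-Object Win32kLockdown |
    Select-Object @{ Name = 'State'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Processes that draw the user interface need win32k.sys, so the main browser process is expected to show OFF; the sandboxed child processes are the ones where ON matters.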

This Is Bad For Everyone Involved

Adobe was able to patch the vulnerability quickly, but then it’s a lot easier to patch Flash than it is to patch Windows. So Microsoft may have a valid argument that such a speedy public disclosure is bad for everyone involved. That is apart from criminals trying to exploit the security holes.


It should be noted that the Flash vulnerability is required to take advantage of the Windows vulnerability. At least in its current form. So, as long as you make sure you have the latest version of Adobe Flash, you should be safe from harm for the time being. However, Microsoft still needs to patch the Windows vulnerability sooner rather than later.

Did Google do the right thing disclosing this vulnerability so quickly? Does Microsoft have a valid argument that seven days isn’t long enough to patch such problems? Have you checked to make sure Adobe Flash is up to date? Please let us know in the comments below!

Image Credit: Pirátská Strana via Flickr


  1. Kyrido
    November 9, 2016 at 9:03 am

    Bye bye windows I'm moving to Mac ;)
    After so many years and windows were ions nothing changes. Windows will be windows.

  2. Logan
    November 3, 2016 at 2:06 pm

    For the love of God... can we please get rid of Adobe Flash already?

  3. David Bumpus
    November 2, 2016 at 12:51 pm

    It seems as if Microsoft was too busy preparing for all the events they had/have scheduled for the end of October and beginning of November to allocate the proper resources to fixing this issue in a timely manner.
    I also think that when another big player in the tech industry gives you a heads up about a security issue you should take that seriously and get on it right away.

  4. Andreas
    November 1, 2016 at 8:56 pm

    I understand why Google did that. Adobe took it seriously. Microsoft should take these things seriously, but seems more happy with just collecting our personal data.

    That Adobe took something seriously and Microsoft didn't is quite a paradox.

  5. phillw
    November 1, 2016 at 2:30 pm

    Yup, Google told them, gave them 7 days; in that time savvy criminals could exploit it with 'Joe Public' totally unaware. So, M$... get your asses into gear, your finger out of the collective bum hole and get such issues fixed in hours... not days!!!

  6. rhinkthank
    November 1, 2016 at 1:56 pm

    MS should get its shit together before blaming others of transparency.