Google disclosing an unpatched 0-day vulnerability in Windows is not really a new thing; they have been doing it since last year. Microsoft even criticized their behavior for putting millions of Windows users at risk. Google today published a new 0-day vulnerability in Windows which is still unpatched. Google reported it to Microsoft on Friday, October 21st, and as per their 7-day policy, they disclosed it today. I think their policy for actively exploited critical vulnerabilities is not good for either the software makers or the end users. Even after knowing that this vulnerability is particularly serious and is being actively exploited, they want to publicize it. I don’t understand how a software company can fix a security bug in software that has millions of lines of code and runs on hundreds of millions of machines of different configurations within 7 days.
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
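The Win32k lockdown that protects Chrome's sandbox can be applied to your own sandboxed child processes as well. The script below is an added example, not code from Chrome or from the original post; it assumes Windows 10 with the ProcessMitigations module (Set-ProcessMitigation / Get-ProcessMitigation), uses the placeholder image name sandboxed-worker.exe, and reads the result back through a SystemCall.DisableWin32kSystemCalls property path that is an assumption about the returned object.

```powershell
# Added example (not from the original post): scope the Win32k lockdown
# mitigation to a sandboxed worker executable so that win32k.sys system
# calls such as NtSetWindowLongPtr() are rejected inside that process.
# Assumptions: Windows 10 with the ProcessMitigations module, an elevated
# session, and 'sandboxed-worker.exe' as a placeholder for a real child.

function Enable-Win32kLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ImageName
    )

    # The module that sets this policy ships with recent Windows 10 builds.
    if (-not (Get-Command Set-ProcessMitigation -ErrorAction SilentlyContinue)) {
        throw 'Set-ProcessMitigation is not available on this system.'
    }

    foreach ($name in $ImageName) {
        # The policy keys off the image file name and applies to every future
        # process of that image, not to processes already running. Do not
        # scope it to an executable that also hosts the UI (for example a
        # browser's main process): anything that needs GDI/USER fails once
        # win32k.sys calls are blocked, which is why Chrome applies it only
        # to its sandboxed children.
        if ($PSCmdlet.ShouldProcess($name, 'Enable DisableWin32kSystemCalls')) {
            Set-ProcessMitigation -Name $name -Enable DisableWin32kSystemCalls
        }

        # Read the setting back. The property path SystemCall.DisableWin32kSystemCalls
        # is an assumption about the object Get-ProcessMitigation returns;
        # compare against 'Get-ProcessMitigation -Name $name | Format-List'
        # if it differs on your build.
        $state = Get-ProcessMitigation -Name $name
        [pscustomobject]@{
            Image       = $name
            Win32kCalls = $state.SystemCall.DisableWin32kSystemCalls
        }
    }
}

# Placeholder image name; replace with the sandboxed child you actually launch.
Enable-Win32kLockdown -ImageName 'sandboxed-worker.exe'
```

Run it once with -WhatIf first to see which image names would be changed before the policy is written.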
Hopefully, Microsoft will release a fix for this vulnerability via Windows Update soon.