Google is warning of a critical vulnerability in current versions of Windows that is unpatched and under active exploit by attackers.
Threat Analysis Group engineers Neel Mehta and Billy Leonard said Google had reported the flaw to Microsoft on October 22 (Australian time).
As Microsoft has not issued an advisory or fix for the vulnerability, Mehta and Leonard disclosed its existence as per Google's policy.
"This vulnerability is particularly serious because we know it is being actively exploited," the pair wrote.
The flaw exists in the Windows operating system kernel, and comprises a local privilege escalation that allows attackers to escape the security sandboxn.
Google's Chrome browser mitigates against the exploit by blocking win32k.sys system calls, which prevents the flaw being used to escape the sandbox.
Mehta and Leonard also reported a zero-day vulnerability to Adobe at the same time as they contacted Microsoft. Adobe issued an emergency patch for the CVE-2016-7855 on October 27 (Australian time).
_(36).jpg&h=140&w=231&c=1&s=0)
_(37).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
_(1).jpg&h=140&w=231&c=1&s=0)
