Two Google employees working for the Threat Analysis Group have publicly disclosed a critical Microsoft Windows vulnerability. The privilege escalation bug can allow malicious attackers to bypass security sandboxes and gain control of a system. Google has information that the vulnerability is being actively used by miscreants, and have announced the vulnerability so that users can take measures to protect themselves.
The vulnerability was reported to Adobe and Microsoft engineers on 21 October. On 26 October, Adobe released a security update after working closely with the Google Threat Analysis Group. Adobe Flash Player was affected by the vulnerability, and the security patchprevents attackers from gaining control of the system. However, Microsoft has neither released a security patch, nor issued an advisory to its users.
This is a class of exploits known as zero day exploits. These are previously unknown vulnerabilities, that have not been identified yet as an issue, and which the company is not currently patching. Google allows itself and other companies seven days to either patch or notify users of a critically vulnerable zero day exploits. These are vulnerabilities which leaves a large number of users exposed, with the chances of exploitation increasing on a daily basis. Google is publicly announcing the vulnerability, according to the guidelines laid down in the critical vulnerability policy of Google.
To avoid being affected by the vulnerability, users are advised to upgrade to the latest version of Adobe Flash player, if automatic updates are not enabled. Users of Microsoft Windows have to wait till Microsoft itself releases a security patch. Users are advised to install the Windows update and the Microsoft update when they come available.