Google has uncovered a new zero-day vulnerability in Windows 10. The flaw was first communicated to Microsoft 10 days ago, though a fix has still not arrived.
The bug, which is being termed critical, is already being exploited by hackers. The hacking group Strontium, more commonly known as “Fancy Bear”, has already utilized the vulnerability in Adobe Flash and the Windows kernel in its recent hack of the Democratic National Committee.
But while the exploit has been fixed in Flash, Windows 10 users will have to wait for a fix, which is set to arrive this Tuesday, the 8th of November. According to Microsoft, users of Microsoft Edge on Windows 10 Anniversary Update are protected from an attack.
Earlier, Google reported that the vulnerability is present in win32k.sys and allows malicious code to escape from the security sandboxes in place. With the Flash vulnerability now fixed, users are reportedly safe from such an exploit. However, Microsoft still needs to make sure it plugs the vulnerability for the future. Google has also fixed Chrome so it doesn’t allow such a hack.
Microsoft, though, is understandably not too pleased with Google for so publicly disclosing a critical bug. While for someone like Adobe fixing Flash is a task that can be completed in seven days, an operating system is a decidedly more complex offering.
By airing the issue, Google may have put millions of users at further risk of a phishing attack and opened further debate on its oft-criticized seven-day policy on vulnerabilities.