On Monday, Google disclosed a zero-day vulnerability in Windows, which if exploited will enable an attacker to use it as a security sandbox escape. In response, Microsoft didn’t offer details on a fix, instead choosing to promote Windows 10 and argue for coordinated disclosure.

Google says the flaw was discovered on October 21, along with a vulnerability in Adobe’s Flash. Adobe fixed their software last Wednesday, but since the Windows vulnerability is being actively exploited online, Google disclosed basic details about the flaw on Monday.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” a Google blog post explains.

To read this article in full or to leave a comment, please click here

Source: csoonline

The recent massive DDoS attack against DNS provider Dyn has jolted (some of) the general public and legislators, and has opened their eyes to the danger of insecure IoT devices. It is clear by now that it will take joint action by all stakeholders – users, manufacturers, the security industry, ISPs, law enforcement and legislators – to put an end to this particular problem, but it will take quite some time. Theoretical stopgap solutions In … More
Source: helpnetsecurity

Google today disclosed the existence of a Windows zero-day vulnerability under attack. The flaw was reported to Microsoft 10 days ago; Microsoft says the disclosure puts users at risk.
Source: Threatpost