This can be achieved by allowing less than honest developers to escape from Windows’ security sandbox that executes only user-level apps without needing admin access. Diving a little deeper into the technicalities, the win32k.sys, a legacy support Windows system library used mainly for graphics, is issued a specific call that grants full access to the Windows environment. Google Chrome already has a defense mechanism in place for this kind of flaw and blocks this attack on Windows 10 using a modification to the Chromium sandbox called “Win32k lockdown“. Google described this particular Windows vulnerability as follows: Though this is not Google’s first encounter with a Windows security flaw, they released a public statement regarding a vulnerability and was later bashed my Microsoft for releasing a public note before the official seven-day limit that is granted to software manufacturers to issue a fix. A zero-day vulnerability is a publicly disclosed security flaw new to users. And now that the seven-day time period has passed, there is still no patch fix available regarding this bug from Microsoft. The Flash vulnerability (also disclosed on October 21) that Google shared with Adobe was patched on October 26. So users can simply update to the latest version of Flash. But then again, Microsoft has actively pointed out that for a simple web plugin like Flash, issuing a patch within seven days isn’t a challenging target, but for a complex OS like Windows, it is nearly impossible to code, test, and issue a patch for a security flaw within a week. Not just Microsoft but many other major software entities have actively opposed this controversial policy of Google of revealing flaws within a week’s limit, but Google has maintained that it is safer for public security to create awareness about a persisting bug that may compromise user safety.
Name *
Email *
Commenting as . Not you?
Save information for future comments
Comment
Δ
