Google discloses zero-day in Windows kernel

News by Roi Perez

Google has disclosed a zero-day vulnerability in the Windows kernel that is currently being exploited in the wild.

The Windows flaw is a local privilege escalation vulnerability in the kernel that can be used as a security sandbox escape. The exploit seen in the wild chains it with CVE-2016-7855, a separate vulnerability in Adobe Flash Player, which gives the attacker code execution in the sandbox before the kernel bug is used to break out of it.

Researchers Neel Mehta and Billy Leonard of the Google Threat Analysis Group said it can be triggered, “via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Google reported the Flash Player flaw (CVE-2016-7855) and the kernel flaw to Adobe and Microsoft on 21st October. Adobe has since released a patch for Flash Player; Microsoft is yet to follow suit.

Adobe said in the security bulletin accompanying the release, “Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.”

Google said it broke the news of the flaw before Microsoft had a fix ready under its published policy for actively exploited critical vulnerabilities, which gives a vendor seven days before details are made public: the bug is rated critical, can lead to full system compromise, and is being exploited in the wild.

Google has advised users to update Flash Player now and to install the Microsoft patch as soon as it is made available.

Google said that Windows 10 users can protect themselves against attacks using the flaw by browsing with Google Chrome: “Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”
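The Win32k lockdown Google refers to is a per-process mitigation (the system-call disable policy) that makes every win32k.sys call from that process fail, so a bug reachable only through NtSetWindowLongPtr() cannot be triggered from a locked-down renderer. The script below is an added example, not code from the article or from Google or Microsoft: it lists which running chrome.exe processes have the mitigation applied, and shows how to apply it to a named binary. It assumes Windows 10 1709 or later with the built-in ProcessMitigations module, an elevated prompt for reading other users' processes, and that the `SystemCall.DisableWin32kSystemCalls` property of the object returned by Get-ProcessMitigation reports ON, OFF or NOTSET; the binary name `example-worker.exe` is a placeholder.

```powershell
# Added example (not from the article, Google or Microsoft).
# Assumes the ProcessMitigations module that ships with Windows 10 1709+.
Import-Module ProcessMitigations

function Get-Win32kLockdownReport {
    # Report the Win32k system-call disable state of every process with
    # the given image name (default: Chrome, as discussed in the article).
    param([string]$ProcessName = 'chrome')

    Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
        $proc = $_
        try {
            # Query the live process, not the registry policy for the image.
            $mit   = Get-ProcessMitigation -Id $proc.Id
            $state = $mit.SystemCall.DisableWin32kSystemCalls   # ON / OFF / NOTSET
        } catch {
            # Typically access denied when not elevated, or the process exited.
            $state = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Pid            = $proc.Id
            Win32kLockdown = $state
        }
    }
}

function Enable-Win32kLockdown {
    # Persistently apply the mitigation to a binary by image name.
    # Only do this for processes that never create windows or draw: once
    # win32k.sys calls are blocked, any GDI/USER call fails and the process
    # usually crashes. The browser process itself must stay unlocked.
    param([Parameter(Mandatory)][string]$ExeName)

    Set-ProcessMitigation -Name $ExeName -Enable DisableWin32kSystemCalls
    # Read the policy back so the caller can confirm it took effect.
    (Get-ProcessMitigation -Name $ExeName).SystemCall.DisableWin32kSystemCalls
}

# Renderers and other sandboxed children should report ON; the browser
# process, which owns the UI, will report OFF or NOTSET.
Get-Win32kLockdownReport | Format-Table -AutoSize

# Placeholder image name: a headless worker with no UI of its own.
# Enable-Win32kLockdown -ExeName 'example-worker.exe'
```

The report distinguishes the browser process from its sandboxed children: only the children are expected to show ON, so a row of ON values for every PID would mean the wrong image name was queried. The mitigation is an allow-nothing switch rather than a filter, which is why it is applied to renderers and not to the process that draws the window.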

Ilia Kolochenko, CEO of High-Tech Bridge, said: “I think Google shall finally find a way to cooperate with Microsoft in a straightforward and rapid manner, instead of scaring them with full disclosure. In this particular case, motivation behind the full disclosure tactics is clear, however I think it will only aggravate the situation by attracting more cyber-criminals to exploit the flaw in the wild.”

Alex Mathews, EMEA technical manager at Positive Technologies, said: “The vulnerability is LPE (Local Privilege Escalation) but it's not RCE (Remote Code Execution). It looks like it allows, under certain conditions, rewriting some bits in the Windows kernel's address space. Theoretically, it's possible to get higher privileges on a local computer using this vulnerability. However, it will be hard to exploit this vulnerability and achieve stable operation of the system for considerable time when PatchGuard and ASLR protection technologies are used (since 2007 in Windows).”
