Yesterday, Google revealed to the world that there is a vulnerability in both Flash and Windows that was deemed critical. According to Google, this vulnerability is classified as a local privilege escalation located in the Windows kernal that can be used as a security sandbox escape.
Google has stated that they’ve informed both Adobe and Microsoft about this vulnerability on the 21st of October, which has resulted in a fix being issued by Adobe to fix the vulnerability in Flash on the 26th of October. Unfortunately, Seeing as Microsoft has yet to release a fix for this exploit, Google has decided to announce the existence of the flaw to the general public due to an existing company policy regarding actively exploited critical vulnerabilities.
Microsoft is understandably upset over Google’s actions as it believes that Google’s decision to announce the flaw “puts customers at potential risk” since more people would now know of the flaw. Microsoft has since rebuked Google’s characterization of the exploit, claiming that the exploit has been fully mitigated by the Adobe Flash update. The exploit is further proven ineffective when it is used against a copy of Windows 10 with the Anniversary update installed.
Whatever the case, Microsoft is currently developing a patch that would fix this exploit that is scheduled to be delivered on the 8th of November. In the meantime, Microsoft recommends installing the Anniversary Update and using an up-to-date browser for now to prevent the risk of being attacked by this exploit.
Source: VentureBeat, Microsoft, Google
