Google toady disclosed a major exploit in Windows 10 operating system, which according to Google is already being actively exploited. According to Google they reported 0-day vulnerabilities which were previously publicly-unknown vulnerabilities to Adobe and Microsoft on 21 October 2016.
Acting on which Adobe released a patch on 26 October 2016 but Microsoft is yet to release an update for the exploit. So as per policy of Google, it has made this vulnerability public after 10 days, forcing Microsoft to act fast on this issue. The exploit is marked as “Critical” by Google. The Vulnerability is found in win32k system which enables hackers to escape from security sandboxes.
According to Google
The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
Microsoft has reacted sharply on the disclosure of the vulnerability to public by Google. According to statement issued by Microsoft “the disclosure has put customer at risk”. Microsoft has recommended to use Windows 10 and Microsoft Edge browser for the best protection.