Google has made public a zero-day flaw in Windows 10 days after it first notified Microsoft of the vulnerability.

Google says it has gone public in this case because it has seen the vulnerability exploited in the wild.

 “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape,” says a post in Google’s Security blog.

“It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Google goes on to say that the Chrome browser’s sandbox feature blocks such system calls.

“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

 

For more information click here