Google's Threat Analysis Group revealed an actively exploited Windows zero-day vulnerability just 10 days after the search giant notified Microsoft. Microsoft, for its part, has simultaneously downplayed the severity of the flaw and claimed that the Russian state actors behind the DNC hack are actively exploiting the bug.

Google reported zero-day vulnerabilities to Microsoft and Adobe on Oct. 21, and Adobe responded by pushing out a fix for its Adobe Flash flaw on Oct. 26. Exploits found in the wild chained the Adobe and Windows zero-days: the Flash bug was used to escape the application sandbox, and the Windows kernel flaw was then used to escalate to administrator privileges.

Ordinarily, Google's policy is to wait 60 days from the time of disclosure to the software vendor before publicly reporting vulnerabilities, but when the vulnerability is being actively exploited Google may publish as soon as seven days after reporting it to the vendor. In this case, Google waited 10 days.

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," wrote Neel Mehta and Billy Leonard of Google's Threat Analysis Group, on the Google Security blog. "It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Microsoft did not agree with Google's contention that public disclosure of the unpatched vulnerability was in its customers' best interests. "We believe in coordinated vulnerability disclosure, and yesterday's disclosure by Google could put customers at potential risk," a Microsoft spokesperson told SearchSecurity by email.

"We disagree with Google's characterization of a local elevation of privilege as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective in the Windows 10 Anniversary Update due to security enhancements previously implemented."

Microsoft appeared to be calling foul over Google's disclosure because it believes the Windows vulnerability is fully mitigated by the already-released Adobe Flash update -- that is, the attack chain described by the Google researchers is not possible against a patched version of Flash.

Although users of the Windows 10 Anniversary Update should be protected, Microsoft said it worked with both Google and Adobe to fix the vulnerability in older versions of Windows, and "patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next update, Tuesday, Nov. 8."

John Bambenek, manager of threat systems at Fidelis Cybersecurity in Waltham, Mass., told SearchSecurity by email that the disclosure of an actively exploited vulnerability could indeed be an important step to protect users. "Once attackers start abusing vulnerabilities, the risk shifts. The temptation to not discuss weaknesses is to avoid giving attackers ideas," he said. "In this case, they not only have the idea but a fully weaponized exploit. Now we need something to protect our constituencies."

The vulnerability Google reported "is a local privilege escalation, which means that if a user is able to execute compromised code (for instance a Flash game or ad), that code could be used to run commands as the administrator and more deeply embed itself into a system," Bambenek said. "In a typical infection chain, privilege escalation is the second step beyond exploiting something with 'user' permissions. Malware embedded with enhanced permissions is more dangerous as a rule."

The Microsoft spokesperson offered this advice for Windows users: "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

An Adobe spokesperson referred SearchSecurity to its own Security Bulletin and Microsoft's Security Bulletin. Google did not respond to requests for comment.