The vulnerability is called Strontium, found in Windows code. Google stumbled across the flaw and wrote a blog post in late October stating the effects on Adobe’s Flash media player. Google’s policy concerning such critical vulnerabilities is to actively publish them seven days after Google has reported them to the software’s creator.
According to Google, the flaw exists in the Windows kernel and can be used as a “security sandbox escape”. Sandboxes are used in software in order to stop malicious or malfunctioning programs from reaching or otherwise damaging other parts of the machine.
Microsoft has acknowledged the flaw, but also criticized Google for releasing it before a fix was available, stating to a member of VentureBeat:
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” said a Microsoft spokesperson. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
Microsoft Executive Vice President Terry Myerson explained the vulnerability in more detail in his blog post on Tuesday. For a computer to be affected by the malware, the malware must first infiltrate Adobe’s Flash to gain control of the web browser. Privileges are then elevated in order to escape the browser’s sandbox. Finally, the malware would be able to install a backdoor to provide access to the victim’s computer.
Those using the Microsoft Edge browser are protected, as the browser prevents the installation of the backdoor. Everyone else is left to wait for the next available patch to solve the issue, which should be November 8th.
If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.pcmag.com