A zero-day flaw in Microsoft Windows has been made public by Google even though a patch has not yet been released.
Google said that it reported the vulnerability to Microsoft on 21 October, but had gone public with limited information because it had seen it being exploited in the wild.
Google has a policy of notifying the public of unpatched vulnerabilities in third-party software seven days after reporting them to the company concerned if it sees them being actively exploited.
The firm claims to have notified Microsoft 10 days earlier, before going public on Monday. Google generally goes public after 90 days for unexploited glitches.
"We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution. Over the years, we've reported dozens of actively exploited zero-day vulnerabilities to affected vendors," the company explained in a Google Security Blog post.
Google has provided only basic information about the vulnerability, which is a privilege escalation bug, so as not to give hackers ammunition.
"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," said a post on Google's Security blog.
"It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD."
Google goes on to say that the Chrome browser's sandbox feature blocks such system calls.
"Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability," the firm said.
Microsoft did not welcome Google's intervention, saying that it increased the risk of a successful exploit.
"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk," said a Microsoft spokesperson.
"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft has not said when a patch will be made available to fix the vulnerability but did point out that a bug in Adobe Flash Player (CVE-2016-7855) is needed to exploit the Windows vulnerability so users with up-to-date Flash Player applications should be safe.
Adobe released an emergency patch for this flaw which Google told the company about on 27 October.
V3's sister site Computing's Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, but places are going fast, so register now.
AlphaBay users had flocked to Hansa after it was closed down - not realising it had already been taken over by Dutch police
Microsoft closes in on $100bn annual revenues with sales weighing-in at $23.3bn
Moves to take down cyber-squatted domains reveals Fancy Bear hacking network, claims Microsoft
Intel claims 'world first' in artificial intelligence that can be plugged-in almost anywhere