Google Reveals Actively Exploited Windows Bug

By S. Rina | November 01, 2016

Google's Threat Analysis Group reported that it detected the Flash and Windows bugs last month. (Pixabay)


Google has revealed a Windows bug that it communicated to Microsoft in October. However, the bug remains unpatched, allowing hackers to exploit the vulnerability.

The bug is a local privilege escalation vulnerability in the Windows kernel. It can potentially be used as a security sandbox escape.


Google's Threat Analysis Group reported that it detected the Flash and Windows bugs last month. These vulnerabilities were promptly reported to Adobe and Microsoft. While Adobe has already patched the bug, Microsoft has yet to take any step to safeguard its platform. The Google group said that the bug is being actively exploited.

Google provided details about the flaw, stating that it can be triggered using the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Google researchers explained that they are required to publicly disclose the vulnerabilities they find within the timeline set by the company's guidelines. Google requires that all bugs be disclosed seven days after they are communicated to the developer.

According to VentureBeat, Microsoft has responded by claiming that Google's disclosure "puts customers at potential risk." The company also said that it believes in "coordinated vulnerability disclosure." The bug was communicated to Microsoft on October 21. However, Microsoft has not released a patch so far, nor has it provided any probable date for the release of one.

In 2015, Google similarly disclosed Windows bugs before patches for them were released. However, unlike this time, the earlier bugs were not being actively exploited.

©2024 Telegiz All rights reserved. Do not reproduce without permission