Skip navigation

Critical Windows 10 and Flash Zero-Days Reported by Google

Update 11/2: Microsoft has published a blog post citing Nov. 8 as the date they will release a fix for the Windows 10 zero-day vulnerability.

On October 21, Google reported two critical zero-day vulnerabilities being exploited in the wild to Adobe and Microsoft. That means attackers are already using the vulnerabilities against victims to compromise Windows systems.

The previously unknown software flaws affect Adobe Flash Player and Microsoft’s Windows 10 operating system. CVE-2016-7855 could potentially allow an attacker to take control of the affected system, and is being used in targeted attacks against users with devices running Windows version 7, 8.1 and 10, according to an Adobe Security Bulletin.

Adobe released security updates for several different operating system platforms last week, five days after Google initially reported the critical vulnerability. However, there is currently no advisory or fix yet available for the Windows vulnerability, which is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.

According to Google’s security blog, Chrome’s sandbox can prevent exploitation of this sandbox escape vulnerability. Earlier this year, we collaborated with Google to test Verified Access, bringing greater security to the enterprise for Chrome OS devices.

Per Google’s security policy, they disclosed the unpatched Windows vulnerability on Monday, 10 days after reporting it. Microsoft issued a media statement regarding their disclosure:

We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.

Update Your Devices

Trusted Access Report - Windows 7 The recent zero-days call attention to why updating is more important than ever to reduce exposing your devices to a potential compromise.

In our latest report, The 2016 Duo Trusted Access Report: Microsoft Edition, we found that 65 percent of all Windows devices are running Windows 7, which has about 600 known security vulnerabilities.

However, the latest unpatched zero-day affects Windows 10, which 24 percent of our Windows dataset are running.

Trusted Access Report - Windows Versions

Another 62 percent of devices running IE have an old version of Flash installed, compared to 33 percent of those on the latest Microsoft browser, Edge, meaning they are susceptible to the latest reported vulnerability that could potentially allow an attacker to take control of their computer.

Trusted Access Report - Flash

Only 11 percent of devices running Chrome have an out-of-date Flash plugin, making them more secure against the latest vulnerabilities. Part of the reason may be that Chrome sends security updates frequently and automatically to users, silently updating after each browser relaunch.

Trusted Access Report: Microsoft Edition

Want more statistics like those ^? You can find them in the latest Trusted Access report just released yesterday.

It’s a 28-page data analysis providing a closer look at the security health of millions of devices running Microsoft software and accessing Microsoft applications.

Trusted Access Report - Microsoft Applications

In this report, we cover:

  • How out-of-date software can increase the likelihood of a potential data breach
  • An analysis of Duo’s dataset of enterprise Window devices and Microsoft applications, including how many are out-of-date and insecure
  • Duo’s security recommendations on securing your organization with Trusted Access, a holistic security platform

Get a full list of our security recommendations and see more data and findings from our analysis.

Download Report

Thu Pham

Information Security Journalist

@Thu_Duo

Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.