Google Project Zero is a team of security analysts employed by Google that is constantly analyzing the security level of all types of software in order to find vulnerabilities before hackers and allow developers to solve those vulnerabilities to make their apps safer. This team of analysts works with any type of software. However, Microsoft’s software are undoubtedly part of the team’s favorites given how it reveals the security flaws of the brand’s OS and Microsoft Edge.
A few days ago, Google Project Zero exposed a vulnerability in Microsoft Edge, the company’s new browser that will take over Internet Explorer sooner or later. The vulnerability allows an attacker to avoid the Arbitrary Code Guarantee (ACG) security module to put the OS’ security at risk.
Just a week later, Google would charge at Microsoft’s security once again. This time, the team of security analysts revealed a new vulnerability that affects Microsoft’s OS, Windows 10. The vulnerability is found on the Advanced Local Procedure Call (ALPC) module, and it can be exploited by any of the computer’s local users to get administrator permissions, being able to even take control of the entire affected system.
Microsoft is not only aware of this security flaw but also of Microsoft Edge’s security flaw that came up earlier that week. According to the company, both security flaws would be fixed with Microsoft’s upcoming security patches being released on March 13. Windows users will be exposed to the vulnerabilities until then.
According to Google Project Zero, the vulnerability in Windows 10 has been proven to affect the Windows 10 Fall Creators Update. Although it is highly likely that this vulnerability would affect previous versions of the OS, it has not been proven yet.
At least this vulnerability cannot be exploited remotely, so we can rest assured that hackers will not put us at risk through the Internet. Since this is a vulnerability that can only be exploited locally, we have to be aware of the users that have physical access (or remote access through tools like RDP or TeamViewer) to the computer in order to prevent them from jeopardizing our security through accounts with limited permissions.
As for the abovementioned vulnerability in Microsoft Edge, the best option is to use a different browser, like Google Chrome or Firefox, to prevent it from being exploited.
Lastly, we have to wait until March 13, 2018, which is the day patches are being released, so we can update our system as soon as possible to protect ourselves against the two security flaws and avoid any problems.