Google, however, is likely to come under fire for the rapid nature of its disclosure, giving Microsoft just over a week between the private notification and the vulnerability being publicly posted.
The search company regularly releases bug reports through its controversial security program, which has a policy of disclosing flaws on a set schedule whether or not they have been fixed. According to the policy, a critical vulnerability can be disclosed publicly only after seven days have elapsed since the information was given to the vendor concerned.
Google said that on Windows 10, its Chrome browser will prevent the problem from occurring.
Yesterday, Threat Analysis, a Google group, revealed an important vulnerability in Windows in a public post on the company's security blog. In this case, Google waited 10 days before disclosing the vulnerability on Halloween.
Sandbox is a computer security term used to refer to the limits placed on users of applications and processes.
Mehta and Leonard said they notified Adobe and Microsoft about the attacks on October 21.
Google discovered the flaw, which also affects Adobe's Flash media player, on October 21. Google did say, however, that a bug in Adobe Flash Player (CVE-2016-7855) is needed to exploit the Windows vulnerability, so users with up-to-date Flash Player applications should be safe.
Meanwhile, Google's initial blog post makes a number of recommendations to users.
The flaw is a bug in the Windows kernel that hackers can exploit, via a win32k.sys system call, to bypass the security sandbox.
It can be triggered using a particular win32k.sys system call, detailed by Google in its advisory. Users simply need to update Adobe Flash on their machine; the update will also be available via Chrome auto-update.
This is cause for concern as Google said the Windows vulnerability was already being exploited in the wild.
To avoid being at risk, update Flash as soon as possible and keep an eye out for Windows patches. "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection", the company said in a statement emailed to Salted Hash.
Microsoft did not welcome Google's intervention, saying that it increased the risk of a successful exploit.