Google earlier this week disclosed a Windows kernel zero-day vulnerability that was actively being exploited as part of an attack chain, along with an Adobe Flash zero-day, which Adobe patched on Oct. 26. Microsoft hasn’t issued a patch for the Windows kernel flaw, and experts think the company’s response may have downplayed the severity of the issue too much.
Paul Calatayud, CTO at FireMon, based in Overland Park, Kan., said it can be dangerous to assess the risk of a vulnerability based on mitigating factors.
“Microsoft states this exploit is mitigated with updates to Flash. This assumes the computer in question has properly updated Flash,” Calatayud told SearchSecurity. “Focusing on the attack scenario is important, but it’s dangerous, as you have to make assumptions across the threat modeling being conducted. Is the system fully patched? Are third-party applications fully patched, etc.?”