“We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Neel Mehta and Billy Leonard, two security engineers at Google. “This vulnerability is particularly serious because we know it is being actively exploited.”
Google notified Microsoft of the problem on Oct. 21, Mehta and Leonard said. Citing Google’s bug disclosure policy, which grants software vendors seven days of lead time to develop and push patches, the pair said they were disclosing the vulnerability “to protect users.”
Normally, Google would wait 60 days before making such bugs public. But when attackers are actively exploiting a vulnerability, that timeframe drops to a week.
The bug affects the Windows kernel, the deepest and most privileged part of the operating system, and can be used to escape security sandboxes, or tools designed to isolate malicious code. For the technically inclined: “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” Google said.
Google Chrome, the company’s popular web browser, prevents attackers from exploiting the issue on machines running Windows 10 by blocking certain system calls, the company noted.
Google plans to nix support for Adobe Flash from Chrome this year. In its place, Google said it plans to use HTML5, a markup language that enables multimedia to display online.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk,” Microsoft said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”