Google Pushes Microsoft By Disclosing Unpatched Windows Vulnerability
Google on Monday revealed a critical flaw in Windows after it gave Microsoft a ten-day window to warn the public about it, but Microsoft argues that Google isn't cooperating on vulnerability disclosure. After 7 days, per Google's published policy for actively exploited critical vulnerabilities, the search giant disclosed the existence of a remaining critical vulnerability in Windows for which no advisory or fix had been released.
Obviously, seven days is an aggressive timeline and may be too short for some vendors to update their products.
Microsoft slammed Google's move. "We believe in coordinated vulnerability disclosure, and today’s disclosure by Google could put customers at potential risk," the company said in an email on Monday.
The vulnerability itself is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It is triggered via the win32k.sys system call NtSetWindowLongPtr() with the index GWLP_ID on a window handle whose GWL_STYLE has WS_CHILD set.
Google says that Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.
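The Win32k lockdown mitigation that Google credits above can also be applied per executable by administrators. The following is an added example, not code from the article or from Google or Microsoft; it assumes the ProcessMitigations module shipped with Windows 10 (1709 or later), elevated rights, and a placeholder executable name that you replace with the sandboxed process you want to harden.

```powershell
# Added example: inspect and apply the Win32k lockdown (system-call disable)
# mitigation for one executable. Run from an elevated PowerShell session.
# The executable name is a placeholder, not taken from the article.
$exe = 'sandboxed-renderer.exe'

# Show the current state. DisableWin32kSystemCalls reports ON, OFF or NOTSET.
(Get-ProcessMitigation -Name $exe).SystemCall

# Opt the executable into Win32k lockdown. Every win32k.sys system call,
# NtSetWindowLongPtr() included, is then blocked for that process, which is
# why the mitigation only suits non-GUI sandboxed processes such as renderers.
Set-ProcessMitigation -Name $exe -Enable DisableWin32kSystemCalls

# Confirm the setting took effect; expect ON.
(Get-ProcessMitigation -Name $exe).SystemCall.DisableWin32kSystemCalls
```

A process that still needs GUI functionality will fail once this policy is on, so test the target workload before rolling the setting out widely.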