Google security engineers have once again made details of a vulnerability in Microsoft’s software public, before Microsoft has been able to roll out a patch.
Windows users and system administrators around the world have become accustomed to Microsoft releasing important security patches for its wide variety of products on the second Tuesday of every month, regular as clockwork.
This month, however, something went wrong.
At the “last minute” Microsoft announced last week that it would not be releasing security updates on this month’s Patch Tuesday (February 14th) due to an issue that it discovered at the eleventh hour would impact customers.
Which is a shame – not least because it’s possible that Microsoft’s planned update might have addressed a security flaw in its code that Google’s Project Zero team went public about on Tuesday February 14th.
Google first informed Microsoft of the flaw in March 2016, warning that a hacker could exploit it to elevate their privileges. Microsoft responded by rolling out a patch in June (MS16-074).
However, now it appears that Microsoft’s fix was not as complete as we might have hoped, and Google’s team has found other ways to exploit the flaw and – to prove their point – released proof-of-concept code.
Which wouldn’t have been so bad if Microsoft had released a fix on February’s Patch Tuesday, but of course that never happened…
Although it’s great that Google finds flaws in other companies’ software, flaws that might otherwise have never been patched, I’m less of a fan of it making details public when users are unable to roll out patches to protect against them.
8 comments on “Google goes public about unpatched Windows vulnerability”
"I'm less of a fan of it making details public…"
Apart from the original fix, released in three months, it's taken Microsoft over a year to repair. I'm not at all sympathetic towards them.
I've known other easily resolvable bugs be dragged out for far too long. Releasing details to the public encourages the vendor to pull their finger out. Microsoft refused to patch another SMB bug for over 20 years – it's still not been patched and is being actively exploited.
The February patch Tuesday has been deferred until March because of problems with the new update management system and another, yet undisclosed, issue.
While I broadly agree with your position, I think making these details public can be a risky approach as the vulnerability could be much more widely exploited. I also do not believe that Google is doing this for entirely altruistic reasons either – commercial considerations will always be involved.
Of course, Google does all of this for users' love, certainly not to destroy Microsoft. Bob, please, take a vacation; hating Microsoft takes away energy LOL
Google are fine ones to talk about security – they insist on us supplying details of our credit cards just to enrol on some of their most pitiful, cheesy dating sites in Play Store – I have no respect for these companies who become 'too big for their boots'.
Is that Google requiring credit card information or the app developer and operator? A quick play store scan suggests the latter, and that criticizing Google misses the mark.
Who owns Play Store – I rest my case
This appears to be a local privilege escalation about which there is quite a lot less to worry than those with remote exploits that do not require a preliminary remotely exploitable vulnerability or careless action by the user.
As the first poster noted, Google notified Microsoft of the vulnerability nearly a year ago, and of the partial correction and remaining issues over three months ago. Calling them out publicly now might have been an oversight occasioned by Microsoft's cancellation of the February patch issue, but may not be entirely out of order in view of the time since notification.
Microsoft or the software vendor would roll out the patches, users would apply them.