Google goes public about unpatched Windows vulnerability

Not the first time Google has made details of a Microsoft flaw public…

Graham Cluley

Google security engineers have once again made details of a vulnerability in Microsoft’s software public, before Microsoft has been able to roll out a patch.

Windows users and system administrators around the world have become accustomed to Microsoft releasing important security patches for its wide variety of products on the second Tuesday of every month, regular as clockwork.

This month, however, something went wrong.

Last week, at short notice, Microsoft announced that it would not be releasing security updates on this month’s Patch Tuesday (February 14th), citing an issue it had discovered at the eleventh hour that would have impacted customers.

Which is a shame, not least because it’s possible that Microsoft’s planned update would have addressed a security flaw in its code that Google’s Project Zero team went public about on that same Tuesday, February 14th.

Google discloses

Google first informed Microsoft of the flaw in March 2016, warning that an attacker could exploit it to elevate their privileges. Microsoft responded by rolling out a patch in June 2016 (security bulletin MS16-074).

However, it now appears that Microsoft’s fix was not as complete as we might have hoped: Google’s team has found other ways to exploit the flaw and, to prove the point, has released proof-of-concept code.

That wouldn’t have been so bad if Microsoft had shipped a fix on February’s Patch Tuesday, but of course that never happened…

Although it’s great that Google finds flaws in other companies’ software, flaws that might otherwise never have been patched, I’m less of a fan of it making details public while users have no patch they can roll out to protect themselves.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

8 comments on “Google goes public about unpatched Windows vulnerability”

  1. Bob

    "I'm less of a fan of it making details public…"

    Apart from the original fix, released in three months, it's taken Microsoft over a year to repair. I'm not at all sympathetic towards them.

    I've known other easily resolvable bugs be dragged out for far too long. Releasing details to the public encourages the vendor to pull their finger out. Microsoft refused to patch another SMB bug for over 20 years – it's still not been patched and is being actively exploited.

    The February patch Tuesday has been deferred until March because of problems with the new update management system and another, yet undisclosed, issue.

    1. Chris · in reply to Bob

      While I broadly agree with your position, I think making these details public can be a risky approach as the vulnerability could be much more widely exploited. I also do not believe that Google is doing this for entirely altruistic reasons either – commercial considerations will always be involved.

    2. Geena · in reply to Bob

      Of course, Google does all of this for users' love, certainly not to destroy Microsoft. Bob, please, take a vacation; hating Microsoft takes away energy LOL

  2. BaliRob

    Google are fine ones to talk about security – they insist on us supplying details of our credit cards just to enrol on some of their most pitiful, cheesy dating sites in the Play Store – I have no respect for these companies who become 'too big for their boots'.

    1. Thomas D Dial · in reply to BaliRob

      Is that Google requiring credit card information or the app developer and operator? A quick play store scan suggests the latter, and that criticizing Google misses the mark.

      1. BaliRob · in reply to Thomas D Dial

        Who owns Play Store – I rest my case

  3. Thomas D Dial

    This appears to be a local privilege escalation about which there is quite a lot less to worry than those with remote exploits that do not require a preliminary remotely exploitable vulnerability or careless action by the user.

    As the first poster noted, Google notified Microsoft of the vulnerability nearly a year ago, and of the partial correction and remaining issues over three months ago. Calling them out publicly now might have been an oversight occasioned by Microsoft's cancellation of the February patch release, but may not be entirely out of order in view of the time since notification.

  4. Michael

    Microsoft or the software vendor would roll out the patches, users would apply them.
