Wednesday 21 February 2018

Google Discloses Another Windows 10 Security Flaw Before A Patch Is Ready


Google revealed a flaw in Microsoft Edge earlier this week, after Microsoft failed to fix the bug in time. Now Google's Project Zero security research team has disclosed another Windows 10 security flaw that Microsoft again did not patch within the 90-day deadline imposed by Google. Neowin noticed that Google reported two bugs to Microsoft in November, but the company only addressed one of them in its recent Patch Tuesday fixes.

The remaining unpatched problem is an elevation-of-privilege flaw, which allows a normal user to gain administrator privileges on a system. Microsoft has rated the flaw as "important" rather than "critical", since it cannot be exploited remotely. It is still a major problem to fix, since an attacker could chain it with an unknown remote code execution flaw to gain administrator access, although that is an unlikely scenario unless Microsoft fails to fix it promptly.

It is unclear when Microsoft intends to address the latest Windows 10 security flaw, and the company still needs to resolve the Edge vulnerability that Google revealed earlier this week. Google and Microsoft have a history of disagreements over Google's approach to vulnerability disclosure. Microsoft took issue with Google's approach to security patches last year, after discovering a Chrome flaw and reporting it "responsibly" to Google so that the company had enough time to patch.

Google's policy of disclosing after 90 days without a patch is criticized and applauded in equal measure. There is much evidence to suggest that security vulnerabilities are increasing in Windows and across the industry, and Microsoft has clearly had trouble fixing these two problems in time. It can also be argued that Google's efforts make rival software more secure, thereby making everyone's software safer. However, Google also has competing commercial interests, and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities.

Reports suggest that Google's Project Zero security team originated in the aftermath of the 2009 hack of Google, an intrusion attributed to an unpatched flaw in Microsoft's Internet Explorer 6 browser.

Google does make exceptions to its strict rules, granting grace periods, and it can also disclose much faster if a vulnerability is being actively exploited. Google revealed a major Windows flaw in 2016 only 10 days after reporting it to Microsoft, and the company has previously disclosed Windows zero-day bugs before patches were available.
