Google goes public about unpatched Windows vulnerability

Not the first time Google has made details of a Microsoft flaw public…

Google goes public about unpatched Windows vulnerability

Google security engineers have once again made details of a vulnerability in Microsoft's software public, before Microsoft has been able to roll out a patch.

Windows users and system administrators around the world have become accustomed to Microsoft releasing important security patches for its wide variety of products on the second Tuesday of every month, regular as clockwork.

This month, however, something went wrong.

At the "last minute" Microsoft announced last week that it would not be releasing security updates on this month's Patch Tuesday (February 14th) due to an issue that it discovered at the eleventh hour would impact customers.

Which is a shame - not least because it's possible that Microsoft's planned update might have addressed a security flaw in its code that Google's Project Zero team went public about on Tuesday February 14th.

Google discloses

Google first informed Microsoft of the flaw in March 2016, warning that a hacker could exploit it to elevate their privileges. Microsoft responded by rolling out a patch in June (MS16-074).

However, now it appears that Microsoft's fix was not as complete as we might have hoped, and Google's team has found other ways to exploit the flaw and - to prove their point - released proof-of-concept code.

Which wouldn't have been so bad if Microsoft had released a fix on February's Patch Tuesday, but of course that never happened...

Although it's great that Google finds flaws in other company's software, flaws that might otherwise have never been patched, I'm less of a fan of it making details public when users are unable to roll out patches to protect against them.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , ,

8 Responses

  1. Bob

    February 20, 2017 at 9:24 am #

    "I'm less of a fan of it making details public…"

    Apart from the original fix released in three months it's taken Microsoft over a year to repair. I'm not at all sympathetic towards them.

    I've known other easily resolvable bugs be dragged out for far too long. Releasing details to the public encourages the vendor to pull their finger out. Microsoft refused to patch another SMB bug for over 20 years – it's still not been patched and is being actively exploited.

    The February patch Tuesday has been deferred until March because of problems with the new update management system and another, yet undisclosed, issue.

    • Chris in reply to Bob.

      February 20, 2017 at 10:56 am #

      While I broadly agree with your position, I think making these details public can be a risky approach as the vulnerability could be much more widely exploited. I also do not believe that Google is doing this for entirely altruistic reasons either – commercial considerations will always be involved.

    • Geena in reply to Bob.

      February 20, 2017 at 11:21 am #

      Of course, Google does all of this for users' love, certainly not to destroy Microsoft. Bob, please, take a vacation, hate microsoft takes away energy LOL

  2. BaliRob

    February 20, 2017 at 11:38 am #

    Google are fine ones to talk about Security – they insist on us us supplying details
    of our credit cards just to enrol on some of their most pitiful, cheesy dating sites
    in Playstore – I have no respect for these companies who become 'too big for their boots'

    • Thomas D Dial in reply to BaliRob.

      February 20, 2017 at 5:19 pm #

      Is that Google requiring credit card information or the app developer and operator? A quick play store scan suggests the latter, and that criticizing Google misses the mark.

      • BaliRob in reply to Thomas D Dial.

        February 20, 2017 at 5:45 pm #

        Who owns Play Store – I rest my case

  3. Thomas D Dial

    February 20, 2017 at 5:54 pm #

    This appears to be a local privilege escalation about which there is quite a lot less to worry than those with remote exploits that do not require a preliminary remotely exploitable vulnerability or careless action by the user.

    As the first poster noted, Google notified Microsoft of the vulnerability nearly a year ago, and of the partial correction and remaining issues over three months ago. Calling them out publicly now might have been an oversight occasioned by the Microsoft's cancellation of February patch issue, but may not be entirely out of order in view of the time since notification.

  4. Michael

    February 21, 2017 at 1:56 am #

    Microsoft or the software vendor would roll out the patches, users would apply them.

Leave a Reply