Google security engineers have once again made details of a vulnerability in Microsoft’s software public, before Microsoft has been able to roll out a patch.
Windows users and system administrators around the world have become accustomed to Microsoft releasing important security patches for its wide variety of products on the second Tuesday of every month, regular as clockwork.
This month, however, something went wrong.
Microsoft announced last week that it would not be releasing security updates on this month’s Patch Tuesday (February 14th), citing a “last minute” issue it had discovered that would impact customers.
Which is a shame – not least because it’s possible that Microsoft’s planned update might have addressed a security flaw in its code that Google’s Project Zero team went public about on Tuesday February 14th.
Google first informed Microsoft of the flaw in March 2016, warning that a hacker could exploit it to elevate their privileges. Microsoft responded by rolling out a patch in June (MS16-074).
However, now it appears that Microsoft’s fix was not as complete as we might have hoped, and Google’s team has found other ways to exploit the flaw and – to prove their point – released proof-of-concept code.
Which wouldn’t have been so bad if Microsoft had released a fix on February’s Patch Tuesday, but of course that never happened…
Although it’s great that Google finds flaws in other companies’ software, flaws that might otherwise have never been patched, I’m less of a fan of it making details public when users are unable to roll out patches to protect against them.