Google publishes Windows vulnerability despite no fix from Microsoft

Google has openly published a Windows 8.1 vulnerability that allows low-privilege users to gain administrator privileges. The security flaw was revealed earlier this week despite one big problem: there's still no fix from Microsoft. As such, the privilege-escalation vulnerability remains a legitimate threat to some Windows customers. Google says it gave Redmond plenty of time to address the problem before the details went public on December 29th. It's been 90 days since the security hole was filed as part of Google's Project Zero initiative, which is dedicated to uncovering weaknesses in software before attackers can exploit them. Microsoft was told about the issue on September 30th, but so far hasn't managed to resolve it with a Windows software update.

Disclosure timing is a topic of great debate among security experts

For its part, Google maintains that 90 days should be enough for Microsoft or anyone else in the industry to fix what's broken. "On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security — it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," the company told Engadget.

But in the same breath, Google made sure to note that it will be "monitoring the effects of this policy very closely," noting that "initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors."

And while Microsoft's "hard work" may be a bit sluggish, the company says a fix for the now-public vulnerability is on the way. As its own statement notes, most users probably don't need to worry about this threat, since would-be attackers must already have valid login credentials and access to the very machine they're targeting. So it's not really a high-priority concern for home users, though enterprise IT workers may want to be on the lookout until a fix is delivered.