Google discloses another Windows 10 security flaw before a patch is ready

Google disclosed a flaw in Microsoft Edge earlier this week, after Microsoft failed to patch the bug in time. Now Google’s Project Zero team of security researchers is disclosing yet another Windows 10 security flaw that Microsoft has again failed to patch within Google’s 90-day deadline. Neowin spotted that Google reported two bugs to Microsoft in November, but the company only addressed one of them with its recent Patch Tuesday fixes.

The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system. Microsoft has rated the flaw as “important,” but not “critical” as it can’t be exploited remotely. It’s still an important issue to fix, as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access, although that’s an unlikely scenario unless Microsoft doesn’t address it promptly.

It’s not clear when Microsoft intends to address the latest security flaw in Windows 10, and the company still needs to solve the Edge vulnerability that Google disclosed earlier this week. Google and Microsoft have a history of disagreements over Google’s approach to vulnerability disclosures. Microsoft hit back at Google’s approach to security patches last year, after discovering a Chrome flaw and “responsibly” disclosing it to Google so the company had enough time to patch.

Google’s policy of disclosing after 90 days without a patch is criticized and applauded in equal measure. There’s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry, and Microsoft has clearly struggled to fix these two issues despite plenty of notice. It can also be argued that Google is making rival software more secure with its efforts, and so everyone’s software more secure. However, Google also has competitive commercial interests, and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities.

Reports suggest Google’s Project Zero security team originated from the fallout around the 2009 Google hack, an intrusion blamed on an unpatched flaw in Microsoft’s Internet Explorer 6 browser.

Google makes exceptions to its strict rules, with grace periods, and can even disclose much sooner if the vulnerability is being actively exploited. Google disclosed a major Windows bug back in 2016 just 10 days after reporting it to Microsoft, and the company has revealed zero-day bugs in Windows in the past before patches are available.


Don’t be evil…

google is actually worse than other companies. they try to seem nice and screw you when you’re not looking

For the cheap seats:
a) security is hard, patches are hard (just ask Intel and everyone who hasn’t thought of that exploit for basically ever until recently), and I’m sure MS is actively working on it
b) Google is not really patching all vulnerabilities THEY have in 90 days
c) THE ONLY PEOPLE THEY ARE HURTING ARE USERS. Publicizing a vulnerability before a patch exposes USERS. Especially with something like Windows because guess what – no one is going to stop using it. And OSX is worse. And ChromeOS is, um, a non-entity for true OS workloads.

This is a standard responsible disclosure. 90 days has become the standard for fixing a security issue.

What public disclosures of security issues have there been for Google products? Microsoft is free to do the same responsible disclosure against Google, but Google actually updates their products.

This is a standard responsible disclosure. 90 days has become the standard for fixing a security issue

Really?! Standard? Did you pull that straight out of your ass?

Only 59% of high severity flaws were fixed within 90 days in that survey. How about we agree that you do not talk of things you don’t understand.

To be fair, announcing exploits isn’t just about pressuring the developer / vendor for a patch release ASAP (although that’s part of it). It’s additionally to provide enterprises with enough information to assess the vulnerability internally and scan for threats known or suspected of exploiting the said vulnerability. It’s only a matter of time before a vulnerability is discovered and then exploited by a bad actor, but as I am sure you know, networks can be configured to look out for code trying to exploit the security flaw.

I agree that security is very tricky, but in today’s cyber-risk sensitive environment, transparency (even if seemingly too early) isn’t the biggest problem.

I think I disagree, in that public disclosure probably exposes more to harm than allows for mitigation. Especially if the mitigation must come from the vendor. In the real world, no enterprise will stop using an OS because a vulnerability is known. That’s just not possible.

Are you only talking about OS-level vulnerabilities? If so maybe. For example, if it’s in a web browser, however, corporates do have the power to force their users to use an alternative that isn’t impacted by the known vulnerability. Different parts of Windows can also be disabled depending on the specific vulnerability.

It’s not cut and dry impossible to mitigate these kind of things before a vendor patch is released. It does depend a lot on the exact bug.

Well, browser vulnerabilities and especially productivity software vulnerabilities may even be harder to move from. This is why for instance some corps still use IE (in fairness, I don’t know of anyone that uses Edge, but some that use Chrome – the irony there is rich because Chrome does so much non-standard rendering – at least with respect to published standards – and it’s come down to relying on that sometimes, and this is what got IE in trouble in the first place).
But like Office – there is literally NOTHING that offers like functionality in corporate environments that utilize it fully. Nothing. Zilch. And the show must go on.

I’m not yet very annoyed at this cherry picking but I think my point is proven. I disagree that a majority of corporations would have that kind of hang up you described about browsers. (You also mentioned Office, which is also ironic.)

Wait, were you asking about software MS makes that can be exposed to vulnerabilities (then OS, browsers, and productivity), or are you just talking for funsies?

For example, if it’s in a web browser, however, corporates do have the power to force their users to use an alternative that isn’t impacted by the known vulnerability. Different parts of Windows can also be disabled depending on the specific vulnerability.

Utter nonsense.

The enterprise neither has the time, resources, nor the inclination to be swapping components in and out in some ridiculous dance in response to the changing threats against those given components.

It’s abundantly clear you have never had to manage these kinds of systems in an enterprise environment.

I’m not suggesting an enterprise would stop using the OS, but they can configure their networks / firewalls to scan for known exploits of vulnerabilities. Of course, if there are no known exploits, that can’t be done, but generally that’s the first action.

Even if the vendor issues a patch, unlike users, most large enterprises can’t simply apply it immediately – they need to test it for compatibility with their current environment, which in some cases can take months – so there is always going to be a gap between these vulnerabilities being known and patches being applied (as opposed to issued).

I’m not being pedantic (I happen to work in this field) and I know this is not the point you were originally making as I agree with the sentiment of it, but practically speaking this isn’t as damaging as it appears for the reasons above.

Yes, the 90 day responsible disclosure has been around since 2013.

Microsoft should really consider restructuring if they’re unable to patch their OS.

OR Microsoft can start doing more proactive security, and they can hang on to their own private vulnerabilities for as long as they’d like.

Clearly something isn’t working right at Microsoft.

Really?! Where do you find this industry wide agreement signed on by (whom?) of a 90-day disclosure?

90 days is generous. CERT’s is at 45 days, Cisco was at 60 days until they just bumped it up to 90 days.

There doesn’t need to be an industry standard, but there does need to be some deadline.

So with full understanding that nothing will sway you because you a) are not well informed and potentially b) not very capable of appreciating nuance based on your absolutist views expressed here and elsewhere, but with hope it may inform others, here is a link, for instance, that has quotes from serious security researchers (the second part of the post) that discuss the various (read: NOT 90 days firm) timelines suggested as reasonable in the field:

  • Our Dell servers get their updates on time
  • Our Cisco and Dell switches get their updates on time
  • Our Fortigate, Sophos, and Sonicwall firewalls get their updates on time
  • Our VMware clusters get their host updates on time

But a behemoth like Microsoft can’t update a browser after 14 weeks.

I already removed Edge via group policy from all 1400 of our devices. No regrets.

Dell servers – like firmware? Because I don’t want to alarm you, but Dell doesn’t make an OS. So it might be gasp Windows.

Also – you go girl. You show them.

Yes, like firmware.

Dell is able to distribute unique firmware to hundreds of chassis, and even more internal components. I’m sure it’s no easy feat but Dell at least gets it done even though there are greater consequences of a mistake.

The irony of the fact that MS software runs and interfaces on ALL THOSE configs and tons more while you are equating the two is very clearly lost on you.

Well in our case the legwork is actually done by the ESXi hypervisors, Windows doesn’t know what it’s running on.

Sorry to nit pick, but Dell does make an OS. It’s called Wyse Thin OS.

I already removed Edge via group policy from all 1400 of our devices. No regrets.

Oh god, you’re one of the people that make corporate machines such a poor experience in the name of "security". Did you lift all of your MacBooks when the admin vulnerability was discovered last year?
