Google angers Microsoft by disclosing third unpatched Windows 7 and Windows 8.1 vulnerability

For the third time, Google has disclosed a security issue in Windows for which Microsoft hasn't yet released a patch. The vulnerability was discovered by Google's "Project Zero Team", which specifically searches for vulnerabilities in widely used software.

As soon as the team finds a vulnerability, the affected developer is notified and gets a 90-day deadline to patch the issue. If the deadline isn't met, details of the vulnerability are automatically disclosed. At the end of December last year and last Sunday, the search giant disclosed two vulnerabilities in Windows 8.1, to the fury of Microsoft. One of the vulnerabilities was patched two days later; Microsoft had asked Google to move the deadline back by those two days, which Google didn't do.

After "Issue 118" and "Issue 123", Google has now disclosed an unpatched Windows vulnerability for the third time. "Issue 128" concerns a vulnerability in Windows 7 and Windows 8.1 that makes it possible for a user to impersonate someone else and then decrypt or encrypt data for the login session. This is a potential issue with vulnerable services.

"This behaviour of course might be design, however not having been party to the design it's hard to tell. The documentation states that the user must impersonate the client, which I read to mean it should be able to act on behalf of the client rather than identify as the client", security researcher Ben Forshaw writes in his report.

Microsoft informed Google that it will likely patch the vulnerability in February. The company had planned to release the patch in January but withdrew it due to a compatibility issue.
