Google researcher: Microsoft didn’t patch vulnerability, despite it saying it did

Posted 22 February 2018 18:20 CET by Jan Willem Aldershoff

A vulnerability in Windows 10, discovered by a Google security researcher, hasn’t been fully patched, despite Microsoft stating that it released a fix for it. Google researcher James Forshaw, who discovered the vulnerability, reports that the issue still persists. On the 10th of November last year he warned Microsoft of two vulnerabilities (1,2) that allow an attacker to easily elevate privileges on a Windows 10 system.

In order to exploit the vulnerabilities, an attacker already needs access to the system: the flaws allow a local user to gain higher privileges, they do not give an attacker a way in from the outside. Because both vulnerabilities reside in the same function of the Windows Storage Service, Microsoft requested a single CVE number, CVE-2018-0826. A CVE number is the identifier under which a vulnerability can be tracked across vendor bulletins, advisories and patch notes.

Microsoft told Forshaw that it would fix both Windows 10 vulnerabilities this month, and Microsoft’s Security Bulletin states that CVE-2018-0826 has been fixed. However, according to Forshaw, only one of the two vulnerabilities has actually been patched; the other still allows an attacker with local access to elevate their privileges on a Windows 10 system, even with February’s update installed. The update is still worth applying, since it does close the first variant, but it should not be taken as closing CVE-2018-0826 entirely.

Google gives vendors 90 days to respond to a reported vulnerability, after which the vulnerability is publicly disclosed. In this case, the deadline was extended at Microsoft’s request, so that the software giant had time to roll out the security update with February’s Patch Tuesday. That would also have meant the vulnerability was patched before it was publicly disclosed.

Because the extended deadline has now also expired, the details have become public, even though there is no patch for one of the two vulnerabilities. Recently Google also disclosed a vulnerability in Microsoft’s Edge browser. That vulnerability hasn’t been patched yet either, which means Edge is currently exposed to a publicly known flaw for which no fix is available.
