
Google publishes a Windows 8.1 vulnerability before Microsoft could fix it

Google’s Project Zero, which identifies bugs and informs the relevant parties about them, published the bug after giving Microsoft 90 days to fix it.

Image: AP Photo/Ron Harris

A VULNERABILITY RELATING to Windows 8.1 was published by Google 90 days after it originally informed Microsoft about it.

Google made the vulnerability public as part of Project Zero, a service that tracks software flaws and reports them to the relevant parties before they can be exploited. Those parties are then given 90 days to fix the problem before Project Zero publishes the details.

Google originally informed Microsoft about the issue, which allows low-level users to gain administrator privileges, on 30 September, but the company hasn’t provided a fix for it yet. Google then made the exploit public on 29 December.

However, a fix is currently on the way. A statement from Microsoft to Engadget said that while it’s working on a fix, the bug requires people to log on locally to exploit it.

“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”

A member of Google’s Project Zero defended its decision to publish the exploit, saying that the disclosure deadline policy was “the result of many years of careful consideration and industry-wide discussions about vulnerability remediation.”

“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”

The group said it would continue to monitor the effects of this policy “very closely,” but said the majority of bugs it has reported under the disclosure deadline get fixed within the 90 days.


About the author:

Quinton O'Reilly
