A VULNERABILITY RELATING to Windows 8.1 was published by Google 90 days after it originally informed Microsoft about it.
Google made the vulnerability public as part of Project Zero, a service that tracks software flaws and reports them to the relevant parties before they can be exploited. Those parties are then given 90 days to fix the problem before Project Zero publishes the details.
Google originally informed Microsoft about the issue, which allows low-level users to gain administrator privileges, on 30 September, but the company hasn’t provided a fix for it yet. Google then made the exploit public on 29 December.
However, a fix is currently on the way. A statement from Microsoft to Engadget said that while it’s working on a fix, the bug requires people to log on locally to exploit it.
“We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.”
A member of Google’s Project Zero defended its decision to publish the exploit, saying that the disclosure deadline policy was “the result of many years of careful consideration and industry-wide discussions about vulnerability remediation.”
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.”
The group said it would continue to monitor the effects of this policy “very closely,” but said the majority of bugs it has reported under the disclosure deadline get fixed within the 90 days.