We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

AP Photo/Ron Harris

Google publishes a Windows 8.1 vulnerability before Microsoft could fix it

Google’s Project Zero, which identifies bugs and informs the relevant parties about them, published the bug after giving Microsoft 90 days to fix it.

A VULNERABILITY RELATING to Windows 8.1 was published by Google 90 days after it originally informed Microsoft about it.

Google made the vulnerability public as part of Project Zero, a service that tracks software flaws and reports them to the relevant parties before they can be exploited. They are then given 90 days to fix the problem before Project Zero publishes the details.

Google originally informed Microsoft about the issue, which allows low-level users to gain administrator privileges, on 30 September, but the company hasn’t provided a fix for it yet. Google then made the exploit public on 29 December.

However, a fix is currently on the way. A statement from Microsoft to Engadget said that while it’s working on a fix, the bug requires people to log on locally to exploit it.

We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.

A member of Google’s Project Zero defended its decision to publish the exploit saying that the disclosure deadline policy was “the result of many years of careful consideration and industry-wide discussions about vulnerability remediation.”

On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face. By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.

The group said it would continue to monitor the effects of this policy “very closely,” but said the majority of bugs it has reported under the disclosure deadline get fixed within the 90 days.

Read: 5 apps worth downloading this week >

Read: YouTube will have another rival soon as Twitter’s video plans take shape >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Your Voice
Readers Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.