Google Discloses Another Unpatched Microsoft Bug

Google and Microsoft are at odds again after the former’s Project Zero researchers disclosed a Windows bug last week despite no patch being made available by Redmond.

The vulnerability in question affects the Windows Graphics Device Interface (GDI) and is part of a group of flaws “related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records,” according to Google engineer Mateusz Jurczyk.

They were supposed to be fixed with the release of MS16-074 back in March last year, but Jurczyk discovered some issues persisted, and informed Microsoft on 16 November.

It’s unclear whether the bug was due to be fixed in Microsoft’s February Patch Tuesday update round, which was cancelled last week; that cancellation coincided with the date on which Google publicly revealed the flaw, leaving users exposed.

The flaw is not thought to be critical but could result in “memory disclosure.”

This isn’t the first time the two tech giants have clashed over bug disclosure. In October last year, Google published details of a critical Windows vulnerability only seven days after notifying Redmond, after spotting it being actively exploited in the wild.

At that time, Microsoft warned that Google was putting users at risk because a patch wasn’t ready, but the latter argued a week should be enough time for vendors to release mitigation steps users can take.

Even that spat is nothing compared to the January 2015 war of words that broke out after a similar incident.

Gavin Millard, technical director of Tenable Network Security, said some software vendors share Microsoft’s concerns.

“But for many, the 90-day window is seen to drive the right behavior, focusing software companies to address flaws that could be used by an attacker to gain access,” he added.

“Microsoft fought hard against the 90-day disclosure window when Project Zero announced a privilege escalation bug affecting all versions of Windows last year, but with the Google team unaffected by the pressure, I find it highly doubtful that they’ll change the policy for future bugs they unearth.”