Google Reveals Microsoft Flaws Redmond Says Aren’t Worth Patching

Google’s Project Zero team has threatened to reignite its spat with Microsoft by releasing details of more vulnerabilities in the latter’s products.

Redmond has apparently responded by saying the flaws are not worth patching.

One of the issues, first reported on 27 October, is a local file vulnerability on Windows 7 and 8.1 (32- and 64-bit) systems and is rated ‘high’ severity by Google researcher James Forshaw.

He claimed the flaw allows “a malicious SMBv2 server to force a client to open arbitrary local files,” leading to potential information disclosure.

In a comment on the disclosure, Forshaw revealed the reason why Google had gone public before the expiration of the 90-day window:

“Microsoft have concluded that the issue does not meet the bar of a security bulletin. They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature.”

The incident calls to mind last week’s very public dispute between Microsoft and Google after the latter made public a flaw just two days before it was due to be fixed in Patch Tuesday.

Google claimed its 90-day disclosure window had expired while Microsoft hit back, claiming its rival was being irresponsible and could put PC users at unnecessary risk.

However, this time it’s slightly different in that Microsoft has deemed the flaws discovered by Google not worth patching.

F-Secure security advisor Sean Sullivan seemed to agree.

“I think the comments attached to this disclosure are revealing. Google seems to be pointing out a flaw that can only really be abused if the attacker already has control of the victim's computer. Thus, why bother?” he told Infosecurity by email.

“So Microsoft has decided it isn't worth a fix. It's kind of like when folks complain that Chrome stores browser passwords in unencrypted form without a master password – and Google says it isn't a problem because in order to view the passwords, you have to have control of the computer.”

The other two issues, numbered 156 and 160 and reported on 5 and 10 November respectively, got the same treatment from Microsoft.

Issue 156 is a ‘high severity’ elevation of privilege flaw, while 160 relates to a ‘low severity’ information disclosure issue, according to Forshaw.