Google discloses unpatched Windows vulnerability

Microsoft didn't fix the bug within a 90-day deadline Google imposed

A Google researcher has disclosed an unpatched vulnerability in Windows 8.1 after Microsoft didn't fix the problem within a 90-day window Google gave its competitor.

The disclosure of the bug on Google's security research website early this week stirred up a debate about whether outing the vulnerability was appropriate.

The bug allows low-level Windows users to become administrators in some cases, but some posters on the Google site said the company should have kept its mouth shut. Google said it was unclear if versions of the Windows OS earlier than 8.1 were affected by the bug.

"Automatically disclosing this vulnerability when a deadline is reached with absolutely zero context strikes me as incredibly irresponsible and I'd have expected a greater degree of care and maturity from a company like Google," one poster at the Google site wrote.

The vulnerability is "your average" local privilege escalation vulnerability, the same poster wrote. "That's bad and unfortunate, but it's also a fairly typical class of vulnerability, and not in the same class as those that keep people like me up at night patching servers," the poster said. "The sad reality is that these sort of vulnerabilities are a dime a dozen on Windows."

Another poster, in what may be a slight overstatement, suggested the versions of Windows affected are run by "billions" of computer users. "Exposing vulnerabilities like this has far reaching consequences," the poster wrote. "People could get hurt by this and it doesn't bring anyone closer to a solution. When an organization is as big and powerful as [Google], people working there need to think of themselves as stewards of a great power and work to be fair and regulate the harm that can come of misusing this great power when possible."

Other posters praised Google for sticking to a deadline it's had in place since it launched its Project Zero bug-tracking team last July. "No one is done any good by keeping it secret," one poster wrote. "By exposing the [vulnerability] they allow those billions who may be running vulnerable systems to be aware of the threat to their own security and take countermeasures. A patch isn't the only way to mitigate the issue. Given the nature of this vulnerability, there are other steps administrators can take to start protecting their vulnerable systems while they await a patch."

Microsoft said in a statement it is working to release a security update to the reported vulnerability. "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine," a spokesman said by email. "We encourage customers to keep their anti-virus software up to date, install all available security updates and enable the firewall on their computer."

Google, in a statement published on Engadget, defended the release of the vulnerability information.

Google's 90-day deadline for fixing bug is "the result of many years of careful consideration and industry-wide discussions about vulnerability remediation," the company said. "Security researchers have been using roughly the same disclosure principles for the past 13 years ... and we think that our disclosure principles need to evolve with the changing infosec ecosystem. In other words, as threats change, so should our disclosure policy."

Google will monitor the effects of its policy closely, the company added. "We want our decisions here to be data driven, and we're constantly seeking improvements that will benefit user security," the company added. "We're happy to say that initial results have shown that the majority of the bugs that we have reported under the disclosure deadline get fixed under deadline, which is a testament to the hard work of the vendors."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags GooglesecuritymicorsoftExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?