
Google discloses 'medium-severity' security flaw in Windows 10 S


Google's Project Zero team has outed another Microsoft security flaw, this time in Windows 10 S.

The flaw, which is rated "medium" in severity, affects only systems with Device Guard enabled and can't be exploited remotely, so it's not easily exploited. Google explains:

This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It's not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge. There's at least two known DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10S so this issue isn't as serious as it might have been if all known avenues for bypass were fixed.

Google's standard disclosure guidelines state that it will publicly disclose vulnerabilities after 90 days if they haven't been addressed. Microsoft was alerted to the issue in January, but had told Google in February that it would not be fixed in time for the April Patch Tuesday rollout. Microsoft requested extensions in early April, explaining that the issue will be fixed with the release of the Redstone 4 (spring) update. However, because there is no firm release date for Redstone 4, Google turned down the request.

This isn't the first time Google's disclosure policy has been a source of contention between the two companies. The two companies butted heads over the disclosure of a zero-day vulnerability in 2016, leading to an expression of frustration from Microsoft. That followed a similar clash between the two in 2015 over a Windows 8.1 vulnerability. More recently, Google disclosed flaws in Windows 10 and Microsoft Edge in February.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

26 Comments
  • It is interesting that MS has spotted vulnerabilities in Chrome recently, but instead of detailing them to hackers they released a plug in for Chrome so Defender could mitigate them. If Google were as keen on customers' security as MS they should take the same proactive approach instead of just passing on info to hackers. If someone loses data because of this, Google looks to be 'aiding and abetting' to me, and with a financial interest too. I think there is the risk of a case there.
  • And how exactly do you expect Google to patch Windows 10S?
  • There is no case, Microsoft was given the info first as is industry practice and they didn't fix the vulnerability. Would you rather have people be in the dark just to protect one company?
  • Exactly. It's not "aiding and abetting", it's naming and shaming...
  • They asked for an extension due to issues patching but scroogle being scroogle, said no just to be dicks. My guess is you are one of those lagdroid central trolls that comes over here to protect the scroogle hive.
  • Whereas you are the voice of the unbiased, rational person? lol. It says in this very article that the reason they were refused the extension is because they couldn't give any concrete date range that it would be patched. If you missed a payment on something and your bank gave you 3 months to pay, then at the end of those 3 months you asked for an extension telling them that "I'll pay you back, probably sometime in the next few months... Maybe", would they be unreasonable to tell you to shove it? To not reveal this information would be to go against their own guidelines, I bet your righteous indignation will be nowhere to be found in the case of Google finding an issue with Apple or their own software.
  • Someone out there does have more brain than MS fanboys here...they were not able to fix something in their own code in 90 days!! 90 days!! The great Microsoft. I do not wonder they could not...I guess that bald CEO fired experienced developers also, besides testers...pathetic quality, pathetic company: Microsoon
  • This is normal procedure for the industry. Google holds themselves to the same standards. https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-...
  • Bull, you are such a fandroid
  • Did you read it? I guess not.
  • You're going to quote google about their own practises? 😶
  • Yeah. I would quote Google when it comes to their policy. Who else would you quote? I would also quote Microsoft when it comes to Microsoft policy.
  • I completely agree, and with the state of IT security in the world today, even bitter tech rivals should be working together to mitigate threats
  • [comment removed by Google flaw]
  • I think MS should be as aggressive with Google and Chrome flaws as Google is with the rest of the industry. This is not an attempt to help, but a means of bullying rivals
  • If it bullies them into fixing their ****, then Google can bully MS, Apple can bully Google, and they can all bully each other into secure software.
  • Google would encourage them and even pays for vulnerabilities. Here is a list of Android vulnerabilities they paid out for: https://source.android.com/security/overview/acknowledgements#2018
  • Scroogle being dickish as usual.
  • Poor Microsoft, can't get their "secure" Windows version patched within 90 days.
  • Here's a hypothetical question, what if another company did the same thing to Google and their security vulnerabilities. How would they feel lol.
  • Who's stopping them?
  • Again, Google asks for others to find vulnerabilities and then pays them for their discovery. Here is a list of payouts for Android: https://source.android.com/security/overview/acknowledgements#2018
  • :)) They, Google, even pay the ones that find security breaches...MS on the other hand, doesn't look to even bother fixing when given for free...90 days :)))) pathetic Microcrap!
  • When it comes to security flaws, I believe screwgle is the all time winner
  • The thing that amazes me the most is that Windows 10S was supposed to be the more secure version.
  • Another proof MS does not give a damn about fixing stuff...or they don't have anyone to properly test their OS, besides the guinea pig insiders...PATHETIC..90 days and no fix :))