Google's Project Zero discloses 'important' security vulnerability in Windows 10

Google's Project Zero team has disclosed another Windows 10 security flaw after Microsoft failed to patch it within the standard timeframe of 90 days. As first spotted by Neowin, the bug is one of a pair that was initially reported to Microsoft in November. The company apparently fixed one of the bugs with its February Patch Tuesday fixes, but left the other untouched.

According to the Project Zero report, the flaw could allow an attacker to gain administrator privileges if exploited. The issue is listed as high severity by Google because of its ease of exploitation. However, it can't be exploited remotely, which caused Microsoft to categorize it as "important" rather than "critical." James Forshaw, the Google security researcher who reported the vulnerability, notes that it only affects Windows 10 and hasn't been verified to work on earlier versions, like Windows 7 or 8.1. It's unclear when Microsoft may release a fix for the issue in question.

This is the second flaw in a Microsoft product that Google's Project Zero team has made public in the past week. Last week, the team disclosed a vulnerability in Microsoft Edge after initially alerting Microsoft to the issue in November. According to the issue tracker, Microsoft stressed that a fix for that issue would be ready to ship in time for the March 13 Patch Tuesday.

Microsoft and Google have butted heads in the past over public disclosures of vulnerabilities. In November of 2016, Microsoft expressed frustration over Google's public disclosure of a zero-day vulnerability 10 days after reporting it to Microsoft, before the company had a chance to release a patch. That followed a similar war of words between the two companies in 2015, when Google made a Windows 8.1 vulnerability public two days before a patch was to be released. The two bugs disclosed this week followed Project Zero's standard protocol of publicly disclosing vulnerabilities after 90 days.

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • What about the flaw in MS Edge? Was it patched?
  • Read?
  • Headline only
  • Lol wtf :D read first will ya.
  • The answer is, no it will be patched March 13, on Patch difficult of a reply!
  • I love how Google loves pointing out all flaws in Windows and makes them public almost immediately, whereas it takes Google months to patch Android (not mentioning that it takes OEMs even more). Silly.
  • What is even better is that Edge, Firefox and Opera were patched extremely quickly to mitigate the Spectre/Meltdown flaws, Chrome has yet to receive a patch for them.
  • Chrome 64 patched it. It was released on January 23rd.
  • Doesn't change the fact that Google were the LAST to patch it, I suppose you'll defend them though!!!
  • Oh, the Irony of Google reporting on Windows 10. #Golden.
  • Fire and motion. They are just trying to keep Microsoft busy while they attempt to marginalize Windows and fool users into their platform.
  • Actually they are great in doing the job for free for Microsoft, and keeping it up-to-date in security. Even more than their own system. I don't see this as a problem. :)
  • You won't think that when your own system is compromised using a flaw that Google published.
  • I wonder if Google could be sued over that? Probably not, but in the US you never know. I also wonder why MS hasn't spotted any security bugs in Google software. They would never be able to patch Android in 90 days because of the number of legacy versions under control of manufacturers getting no support. A few of those announcements and Google would likely become much more considerate with their time limits.
  • I posted a comment on Neowin that disclosing this sort of vulnerability regardless of timeframe puts machines and data at risk. Google is NOT a division of Microsoft, so I fail to see why they think that it's responsible for other companies' software. Especially when Chrome has fixes implemented by Microsoft at the OS level, all of which have gone unpatched by Google, and let's not even get started on vulnerabilities in Android. Before people mention CERT and their 45-day deadline, they will extend that and in some cases they won't disclose details of particular vulnerabilities under certain circumstances.
  • Maybe Microsoft should form its own version of Project Zero and start disclosing all of Google's security flaws.
  • you mean "*** for tat"??
  • No, Microsoft should stay on the high road. Google is a joke.
  • I used to think like that. I now think that Microsoft should give as good as they get and start publicly publishing ALL the flaws in Google's products that are older than the CERT-allowed 45 days.
  • Naa, Google is actually building a lot of resentment from its policies in a few areas. This type of stuff doesn't go unnoticed by tech enthusiasts, and average people never really hear about it.
  • No. Let the evil evaporate alone.
  • Google are a bunch of unsmart ones. Pointing out flaws and fingers to others while staying late in patching their own things. Yaawn google yaawn.
  • Well ChromeOS is just a web browser, isn't it? Not that complex to patch. :-D Maybe the time has come for Microsoft to remove the database that adds OS level fixes for Chrome on Windows, give Google 45 days to patch ALL of them or they will block Chrome from installing on Windows and publish details of the vulnerabilities.
  • Why would Microsoft block Chrome downloads? A lot of people prefer using it as opposed to Edge and Explorer.
  • Chrome has vulnerabilities that are patched by Microsoft at the OS level. If Google are expecting Microsoft to patch their software, then why shouldn't Microsoft expect Google to do the same thing?
  • Because that wouldn't backfire.
  • Might be time to start a database of which Android handsets going back 5 years have what levels of flaws unresolved and publish methods of exploit on them. Think that might change the game a bit?
  • F... Google!!!!!! I try my best to not use any of their services/products ever! I use youtube a lot but that's about it. Maps...sometimes. A few years ago that was the go to but now there is more choices. This is just plain and simple total evil corporate BS!! Anyone that knows anything about tech knows that google is = to the NSA! hahahahahaha