Google keeps up pressure, reveals three more Windows bugs

Microsoft won't patch the newest trio because they "offer no serious security implications."

Google's security team on Friday disclosed three new bugs in Windows, keeping up the pressure on Microsoft to fix flaws within 90 days.

However, Microsoft said that none would be patched with a security update.

Since Dec. 29, Google's Project Zero has revealed several bugs in Windows before Microsoft was able to patch them. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publishes the details and sample attack code if the vulnerability has not been patched by the deadline.

One of the earlier disclosures prompted Microsoft to lash out at Google for putting Windows customers at risk.

Google lifted the viewing restrictions of the three newest bugs on Friday, making details public on the Project Zero bug tracker after Microsoft said it did not intend to patch them.

"Microsoft have concluded that the issue does not meet the bar of a security bulletin," the tracker for one of the bugs read. "They state that it would require too much control from the part of the attacker."

Google reported the three bugs to Microsoft on Oct. 27, Nov. 5 and Nov. 10, and classified them as either information disclosure flaws or possible elevation of privilege vulnerabilities.

Under Microsoft's usual threat rating system, none of the trio would have been ranked higher than "Important," its second-from-the-top rating.

In all three cases, however, Microsoft will not be patching the Google-found bugs. "The cases publicly disclosed offer no serious security implications, and we do not plan to address them with security updates," a Microsoft spokesman said late Sunday in an email reply to questions.

All of the Windows bugs revealed so far by Project Zero have been uncovered by James Forshaw, who joined the team last August. Forshaw is a noted Windows vulnerability researcher who, while with U.K.-based firm Context Information Security, was handed $100,000 by Microsoft for demonstrating a new way to circumvent Windows' defensive technologies.

Forshaw received an additional $9,400 from Microsoft in 2013 for digging up four bugs in Internet Explorer 11 (IE11) during a short-term bounty program the Redmond, Wash. company ran that summer. He has also earned prize money at the annual Pwn2Own hacking contest, including $20,000 in March 2013 for exploiting Oracle's Java.

Although it's impossible to view bugs that have been reported but have not reached the 90-day deadline, it's clear that Google will not retreat from its policy to go public if vulnerabilities have not been patched, Microsoft's complaint notwithstanding.

On Dec. 31, in response to a debate over the first vulnerability Google disclosed before Microsoft patched it, Ben Hawkes, also on the Project Zero team, defended the 90-day policy, but left the door open to changes.

"On balance, Project Zero believes that disclosure deadlines are currently the optimal approach ... it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," Hawkes wrote. "With that said, we're going to be monitoring the effects of this policy very closely -- we want our decisions here to be data driven, and we're constantly seeking improvements that will benefit user security."

Stories by Gregg Keizer