Google again publishes details of Windows leak without existing patch
Googles Project Zero Security Team once again exposed details of a vulnerability in Windows without Microsoft developing a patch for it. Google has estimated the severity of the leak “average.”
Google researcher James Forshaw writes in a post to the bug tracker that the .Net vulnerability applies to versions of Windows 10 that use of the Device Guard technique for protection against malware, for example Windows 10 S. He reports that the vulnerability allows the execution of code, but that is not possible remotely and that it is also not a technique is going to obtain higher rights on a system. An attacker should already be able to run code on the system to exploit the leak. Forshaw cites the example of a rce leak in the Edge browser.
He reported the leak on January 19 to Microsoft, which informed him on February 12 that no patch would come in the monthly patchronde in April. Then it asked for postponement and said later that it would issue a patch with the release of Redstone 4. The researcher said that for that release no exact date is known and that the problem is not particularly serious because there are also other techniques that goal, which would not yet have been solved by Microsoft. Google has a deadline of 90 days.
This has previously led to the publication of Microsoft vulnerabilities without a patch. For example, last year and at the end of 2016 the same phenomenon occurred, Microsoft in the latter case with criticism responded . Google would have created a risk for users with the decision to publish.
He reported the leak on January 19 to Microsoft, which informed him on February 12 that no patch would come in the monthly patchronde in April. Then it asked for postponement and said later that it would issue a patch with the release of Redstone 4. The researcher said that for that release no exact date is known and that the problem is not particularly serious because there are also other techniques that goal, which would not yet have been solved by Microsoft. Google has a deadline of 90 days.
This has previously led to the publication of Microsoft vulnerabilities without a patch. For example, last year and at the end of 2016 the same phenomenon occurred, Microsoft in the latter case with criticism responded . Google would have created a risk for users with the decision to publish.