Google publishes Windows vulnerabilities again
Despite strong criticism from Microsoft, Google has again disclosed unpatched vulnerabilities in Windows. The first flaw is not really noteworthy, but the second is more critical and involves a vulnerability in encryption.
The first vulnerability concerns the way Windows 7 checks administrator rights before allowing the use of certain power functions. The function involved is called NtPowerInformation and the issue affects Windows 7, but both Google and Microsoft think the vulnerability is too minor to warrant a fix. Google has therefore changed the status to ‘closed’.
The other bug that came to light means that data can be intercepted in Windows. This is because the operating system does not properly verify the user’s identity when using encrypted data. Microsoft is aware of the problem and, according to Ars Technica, wanted to release a fix this week, but hurriedly pulled it back when it became apparent that there were compatibility issues. The fix is now scheduled for next month.
The bugs were discovered by a team of security researchers operating under the name Project Zero. With the project, the researchers aim to reduce the number of ‘zero day’ security problems. They also take a close look at the software of other companies.
In the first week of this year, Google published a vulnerability in Windows for the first time. Google’s researchers discovered the vulnerability in late September and gave Microsoft 90 days to fix it. Microsoft did not meet that deadline.
Microsoft was not happy with the publication. The company stated that security vulnerabilities should not be released until the issue has been resolved. However, with the publication of the new vulnerabilities, Google does not seem to fully agree with this.