Google security team publishes Windows leak after lack of full patch

Google’s Project Zero security team has released details of a Windows leak after Microsoft took too long to release a patch. Microsoft postponed its monthly patch Tuesday last week.

In a post, Google researcher Mateusz Jurczyk explains that the leak was part of a collection of vulnerabilities that he previously reported to Microsoft. The company released a patch for the vulnerabilities in June, but it doesn’t appear to have fixed all the issues. The vulnerability CVE-2017-0038 allows an attacker to read out of memory through emf files. This can be done via Internet Explorer and other applications that use the Graphics Device Interface.

The researcher wonders whether the patch should have been released last week as part of patch Tuesday. Microsoft said it had postponed the patch round because of a last-minute issue. It gave no further details on the nature of the problem. Because Microsoft is now bundling patches, other patches were also delayed due to the delay. The release of the updates is now scheduled for March 14, the company announced.

It is not the first time that the Google team has published a vulnerability before Microsoft has released a patch. The same phenomenon occurred at the end of last year, to which Microsoft responded with criticism. Google would have created a risk for users with the decision to publish. The team has a 90-day deadline, after which it will publish a leak.