A few weeks ago, a Google security researcher released the details of a vulnerability in Windows and refused to wait a couple more days until 'Patch Tuesday' to release the information pertaining to the exploit. In that case, Microsoft had a patch ready to be released a couple of days after the 90-day waiting period elapsed, but in this latest release, that is not the case.
The latest vulnerability to be detailed by Google is titled "Impersonation Check Bypass With CryptProtectMemory and CRYPTPROTECTMEMORY_SAME_LOGON flag"; it is said to impact Windows 7 and 8.1 Update, in both 32-bit and 64-bit flavors. The exploit allows an attacker to impersonate another ID at the identification level and decrypt or encrypt data during that login session.
As with the other exploit that was released by Google, you can download a file to execute the flaw.
Microsoft was informed of this issue, and a comment on the post states that as of October 29th, Microsoft confirmed that it was able to reproduce the issue. The same Google employee states that Microsoft initially planned to release a fix for the flaw with January's 'Patch Tuesday', but a last-minute compatibility issue has pushed the patch back until February.
Because the patch has been delayed, the details of the exploit have been posted and can now be viewed at the source link below.
Windows vulnerabilities are nothing new. With billions of users around the world using various versions of the platform, it is likely the most targeted piece of software on the planet because of its massive install base. With Google taking up its own agenda and deciding that 90 days is 'reasonable' for Microsoft to patch a bug that impacts an install base this large, it puts a lot of users at risk for no apparent reason.
More so, with Google being anxious to release flaws in Windows software, it appears that they have no intention of fixing their own flaws in Android, which impact over 900 million users.
It's clear that Microsoft and Google are like oil and water, as Google will not build apps for Microsoft's ecosystem and regularly points out security vulnerabilities, and Microsoft consistently points out how Google only wants to harvest your data and not protect your personal information.
Source: Google Security Research