Google's Project Zero to Microsoft: 90 Days Are up to Fix Windows 10 Bug
In January 2018, a researcher at Google’s Project Zero reported a bug in Windows 10's lockdown policy that would allow an attacker to bypass a Windows 10 security feature. The 90-day window to patch the flaw has passed, and despite Microsoft’s multiple pleas to prolong the inevitable public disclosure, the deadline for patching the issue will not be extended.
According to the bug report issued by researcher James Forshaw, the medium-severity bug could allow an attacker to add register keys that “would load an arbitrary COM visible class under one of the allowed CLSIDs.” Forshaw provided two files as proof-of-concept code using a DotNetToJscript tool that enabled arbitrary code execution, something that Windows 10 S was specifically designed to prevent.
“This issue was not fixed in April patch Tuesday therefore it's going over deadline,” Forshaw wrote. “This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It's not an issue which can be exploited remotely, nor is it a privilege escalation.”
Because the vulnerability only affects systems with Device Guard enabled, it's ranked as a medium severity. In order to exploit the issue, an attacker would have to already have code running on the machine. Still, an attacker could get around that by exploiting another remote code execution bug in Microsoft Edge.
The two tech giants have a long history of rivalry when it comes to responsible disclosures. This is not the first time that Google has denied Microsoft a request for extension. In 2016 Microsoft criticized Google for putting customers at risk after publicly disclosing a bug only 10 days after reporting the Windows vulnerability.
Then in February of this year, the 90 days had lapsed before Microsoft was able to patch a security flaw in Microsoft Edge. Though Google awarded a 14-day grace period, the fix was more difficult than Microsoft had anticipated. After the grace period ended, Google went public with the disclosure.
While Project Zero's customary time frame for a developer to resolve an issue is 90 days, there are some special cases when a grace period is granted, which happens most often when a flaw is difficult to fix.
Source: Information Security Magazine