Google Pegs Microsoft The Bird, Discloses More 0-Day Vulnerabilities

It's as if Google is looking to start a digital war -- or at least get back at Microsoft for using its minor patents to battle Android

Earlier this month, we reported on a significant Windows bug that Google, through its Project Zero site, disclosed to the world after Microsoft failed to patch it within Google's strict 90-day window. That drew cheers for Google from some and sympathy for Microsoft from others.

Well, Google balks at that sympathy. This week, it released two more Windows bugs through Project Zero, as they too exceeded their 90-day windows. You might think that after the last incident, Microsoft would do whatever it could to avoid a repeat, but that's a little tough when there were already outstanding bugs creeping close to that 90-day trigger.

[Image: CryptProtectMemory code, a snippet from James Forshaw's proof-of-concept]

The more serious of these two bugs was discovered by James Forshaw, the same researcher who found the elevation-of-privilege bug we talked about earlier this month. It involves the CryptProtectMemory mechanism, which encrypts data held in memory so that other applications cannot read it. If exploited, the impersonation check is bypassed and data that was supposed to stay protected is revealed.
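To make the mechanism concrete from the defender's side, here is an added example (not code from the article, from Project Zero, or from Forshaw's proof-of-concept) that protects a secret in memory and recovers it again. It uses the .NET wrapper System.Security.Cryptography.ProtectedMemory, whose MemoryProtectionScope values correspond to the native CryptProtectMemory SAME_PROCESS, CROSS_PROCESS and SAME_LOGON flags, and it assumes Windows PowerShell 5.1 on .NET Framework. The function names and the sample token are my own.

```powershell
# Added example, not from the article or from Project Zero. Demonstrates the
# CryptProtectMemory mechanism through its .NET wrapper
# (System.Security.Cryptography.ProtectedMemory) on Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function Protect-SecretInMemory {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [System.Security.Cryptography.MemoryProtectionScope]$Scope = 'SameProcess'
    )
    # The API encrypts whole 16-byte blocks, so the input is padded first.
    $blockSize = 16
    $paddedLength = [int][math]::Ceiling($Plaintext.Length / $blockSize) * $blockSize
    $buffer = New-Object byte[] $paddedLength
    [Array]::Copy($Plaintext, $buffer, $Plaintext.Length)
    # Encrypts in place with a key held by the OS; the caller never sees key material.
    [System.Security.Cryptography.ProtectedMemory]::Protect($buffer, $Scope)
    # Wipe the caller's plaintext copy so only the protected form remains in memory.
    [Array]::Clear($Plaintext, 0, $Plaintext.Length)
    return ,$buffer
}

function Unprotect-SecretInMemory {
    param(
        [Parameter(Mandatory)][byte[]]$Buffer,
        [System.Security.Cryptography.MemoryProtectionScope]$Scope = 'SameProcess'
    )
    # Decrypts in place; the scope must match the one used when protecting.
    [System.Security.Cryptography.ProtectedMemory]::Unprotect($Buffer, $Scope)
    return ,$Buffer
}

# Constructed sample secret (not a real credential).
$original = 'example-session-token-1234'
$secret = [System.Text.Encoding]::UTF8.GetBytes($original)

$protected = Protect-SecretInMemory -Plaintext $secret -Scope SameLogon
# Anything that reads this process's memory now sees ciphertext, and the
# plaintext array has been zeroed.
"Protected bytes (hex): " + (($protected | ForEach-Object { $_.ToString('x2') }) -join '')
"Plaintext buffer zeroed: " + (($secret | Where-Object { $_ -ne 0 }).Count -eq 0)

# Only a caller the kernel accepts for the chosen scope can turn it back.
$recovered = Unprotect-SecretInMemory -Buffer $protected -Scope SameLogon
$text = [System.Text.Encoding]::UTF8.GetString($recovered).TrimEnd([char]0)
"Recovered matches original: " + ($text -eq $original)
```

The scope is the security boundary here: SameProcess limits decryption to the calling process, while the cross-process scopes rely on the kernel deciding which other callers qualify, which is exactly the kind of check the disclosed bug undermines.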

In Microsoft's defense, it wanted to issue a fix with this month's Patch Tuesday (which just passed), but due to compatibility issues, the fix had to be pulled. A situation like this raises the argument that Google should be a little more lenient with how it automatically discloses bugs. I think that if Microsoft (or any company) pleads its case, the deadline should be extended.

While it's nice to force companies to fix severe bugs, I think it's downright irresponsible to have no leniency whatsoever. Microsoft obviously agrees, with Chris Betz stating earlier this week, “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Via: PCWorld