Well, Google balks at that sympathy. This week it released two more Windows bugs through Project Zero, as they too exceeded their 90-day windows. You might think that after the last incident Microsoft would do whatever it could to keep this from happening again, but that's a little tough when there were already outstanding bugs creeping close to that 90-day trigger.
[Image: snippet of code from James Forshaw's proof-of-concept]
The more serious of these two bugs was discovered by James Forshaw, the same researcher who found the elevation-of-privilege bug we talked about earlier this month. It involves the CryptProtectMemory mechanism, which encrypts data in memory so that other applications cannot read it. If the bug is exploited, an impersonation check is bypassed and data that should have stayed protected is revealed.
In Microsoft's defense, it wanted to issue a fix with this month's Patch Tuesday (which just passed), but the fix had to be pulled because of compatibility issues. A situation like this raises the argument that Google should be a little more lenient in how it automatically discloses bugs. I think that if Microsoft (or any company) pleads its case, the deadline should be extended.
While it's nice to force companies to fix severe bugs, I think it's downright irresponsible to have no leniency whatsoever. Microsoft obviously agrees, with Chris Betz stating earlier this week, “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”