That's just what's happened with the latest elevation-of-privilege vulnerability, which affects at least Windows 8.1 (the submitter tested no other versions). Because it can only be exploited locally, it isn't classified as severe, but it still raises some concern: anyone with a standard, non-administrator account could escalate their privileges to administrator rights, effectively gaining full control over the machine and everything running on it.
This raises some big questions. Was Google right not only to disclose the bug, but to publish the code needed to exploit it, before Microsoft had patched it? Or should the blame fall squarely on Microsoft, which had three full months (the 90-day deadline Google's Project Zero applies to every bug it reports) to fix it and didn't?
I'm personally in the camp that blames Microsoft, because while this isn't a remote vulnerability, it's one that could have some serious consequences: all you'd need is a disgruntled employee with good software knowledge. Three months is far more than enough time to tackle a bug like this, so why exactly the company sat on it for so long is hard to gather.
Now that the bug is public, Microsoft has been forced to take action. In a statement provided to Engadget, the company said:
We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.
Was that so hard, Microsoft?