Google Project Zero Discloses Windows 10 S Bug After Denying Microsoft's Extension Request
Google's Project Zero team has discovered a 'medium' security vulnerability that primarily affects Windows 10 S, a stripped down version of Windows 10 that is "streamlined for security and superior performance." While it does not appear to present a major threat to users—remote code execution is not possible in this instance, for example—part of what's interesting here is the ongoing tug-of-war between Project Zero and companies whose products have flaws.
Project Zero, you might recall, is the same division of Google that made public Meltdown and Spectre. Under normal conditions, Project Zero gives firms 90 days to fix security flaws it discovers before disclosing them publicly. The idea is to incentivize companies to fix security issues in a timely manner.
That said, companies can request an extension to have more time to fix a security issue, and in some cases Project Zero will oblige. In this case, however, it chose not to. According to Neowin, Google told Microsoft about the flaw on January 19. Microsoft was unable to plug the security hole before April's Patch Tuesday roll out, and so it asked for a 14-day extension, saying a fix will be included in May's Patch Tuesday.
Project Zero denied the request in part because Microsoft's planned roll out would exceed even the extended deadline. The team also reportedly told Microsoft that the issue is all that serious, and that even if it were to fixed in the Redstone 4 update, there is no firm release date. On top of that, "RS4 wouldn't be considered a broadly available patch."
So, the flaw is now public. It has to do with executing arbitrary code on a system with user mode code integrity (UMCI) enabled, such as Device Guard found in Windows 10 S. Device Guard is how Microsoft whitelists apps for Windows 10 S. Leveraging the security flaw, an attacker could add registry keys to load malicious unapproved code.
The risk of this happening is fairly low, however, as it can't be exploited remotely. If someone with malicious intent already has local access to a machine, then security has already failed at that point.