CATEGORIES
home IT/Enterprise

Google Pegs Microsoft The Bird, Discloses More 0-Day Vulnerabilities

by Rob WilliamsFriday, January 16, 2015, 01:10 PM EDT
It's as if Google is looking to start a digital war -- or at least get back at Microsoft for using its minor patents to battle AndroidEarlier this month, we reported on a significant Windows bug that Google, through its Project Zero site, exposed to the world after Microsoft failed to patch it up within Google's strict 90-day window. That led to some cheers for Google from some, and sympathy for Microsoft from others.

Well, Google balks at that sympathy. This week, it released two more Windows bugs through Project Zero, as they also exceeded their 90-day windows. You might think that after the last incident, Microsoft would do whatever it could to avoid it from happening again, but that's a little tough when there were already outstanding bugs that were creeping close to that 90-day trigger.

CryptProtectMemory Code
Snippet of code from James Forshaw's proof-of-concept

The more serious of these two bugs was discovered by James Forshaw, the same researcher who found the elevation-of-privilege bug we talked about earlier this month. It involves the CryptProtectMemory mechanism, which encrypts and secures data in memory to prevent other applications from seeing it. If exploited, the impersonation check is bypassed, and secured data is revealed.

To Microsoft's defense, it wanted to issue a fix with this month's Patch Tuesday (which just passed), but due to compatibility issues, it had to be pulled. A situation like this raises the argument that Google should be a little more lenient with how it automatically discloses bugs. I think that if Microsoft (or any company) pleads its case, the deadline should be extended.

While it's nice to force companies to fix severe bugs, I think it's downright irresponsible to have no leniency whatsoever. Microsoft obviously agrees, with Chris Betz stating earlier this week, “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

Tags:  Microsoft, Google, security, vulnerability, NASDAQ: GOOG, NASDAQ: MSFT
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment