CATEGORIES
home News

Google Project Zero Discloses Windows 10 S Bug After Denying Microsoft's Extension Request

by Paul LillyFriday, April 20, 2018, 11:33 AM EDT
Windows Laptop

Google's Project Zero team has discovered a 'medium' security vulnerability that primarily affects Windows 10 S, a stripped down version of Windows 10 that is "streamlined for security and superior performance." While it does not appear to present a major threat to users—remote code execution is not possible in this instance, for example—part of what's interesting here is the ongoing tug-of-war between Project Zero and companies whose products have flaws.

Project Zero, you might recall, is the same division of Google that made public Meltdown and Spectre. Under normal conditions, Project Zero gives firms 90 days to fix security flaws it discovers before disclosing them publicly. The idea is to incentivize companies to fix security issues in a timely manner.

That said, companies can request an extension to have more time to fix a security issue, and in some cases Project Zero will oblige. In this case, however, it chose not to. According to Neowin, Google told Microsoft about the flaw on January 19. Microsoft was unable to plug the security hole before April's Patch Tuesday roll out, and so it asked for a 14-day extension, saying a fix will be included in May's Patch Tuesday.

Project Zero denied the request in part because Microsoft's planned roll out would exceed even the extended deadline. The team also reportedly told Microsoft that the issue is all that serious, and that even if it were to fixed in the Redstone 4 update, there is no firm release date. On top of that, "RS4 wouldn't be considered a broadly available patch."

So, the flaw is now public. It has to do with executing arbitrary code on a system with user mode code integrity (UMCI) enabled, such as Device Guard found in Windows 10 S. Device Guard is how Microsoft whitelists apps for Windows 10 S. Leveraging the security flaw, an attacker could add registry keys to load malicious unapproved code.

The risk of this happening is fairly low, however, as it can't be exploited remotely. If someone with malicious intent already has local access to a machine, then security has already failed at that point.
Tags:  Microsoft, Google, security, Project Zero, (nasdaq:msft), (nasdaq:goog), windows 10 s
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment