A Google researcher found an unpatched security vulnerability in Windows 8.1 and posted the bug on the Google Security Research page, where it was subject to a 90-day disclosure deadline. If 90 days elapse without a broadly available patch, the bug report automatically becomes visible to the public. Under this policy, Google published the vulnerability information on the web. At that time, Microsoft confirmed that it had asked Google to delay this process for 2 days, until it released its fix. But Google happily declined the request, without worrying about millions of users. Yesterday, Google disclosed another security vulnerability in Windows 8.1. However, Microsoft released a fix for this bug yesterday.
This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. A local attacker who successfully exploited this vulnerability could run arbitrary code on a target system with elevated privileges. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
Here is the update from Google on releasing the vulnerability information to the public:
> Microsoft confirmed that they are on target to provide fixes for these issues in February 2015. They asked if this would cause a problem with the 90 day deadline.
< Microsoft were informed that the 90 day deadline is fixed for all vendors and bug classes and so cannot be extended. Further they were informed that the 90 day deadline for this issue expires on the 11th Jan 2015.
Download the security update from Microsoft here.
via: Graham Cluley