On March, Google’s Project Zero engineers reported a security flaw on the Windows kernel that affects Windows 7 to Windows 10 (32-bit). The flaw in Windows’ nt!NtNotifyChangeDirectoryFile system essentially allowed unauthorized users to get access to a small portion of the kernel memory. As some of you may know, Google’s Project Zero usually offers a 90-day timeframe before the bug is disclosed to the public. Once the bug was reported to Microsoft, the company’s Security Response Center requested an expansion of the 90-day period in order to fix the issue. Redmond later claimed to have fixed the bug on Windows 7 to Windows 10 with the Patch Tuesday that was released earlier this month.
As it turns out, the security hole actually wasn’t patched properly. In fact, a Google engineer claimed late last week that the issue was still reproducible in Windows 7 to Windows 10 with the latest Patch Tuesday installed. Today, Microsoft’s Security Response Center confirmed that the fix for the issue that was released with the Patch Tuesday was “incorrect” and wasn’t able to address the bug correctly. As a result, Google has already disclosed the bug to the public and the company has also released a proof-of-concept program that allows anyone to reproduce the bug in Windows.
Microsoft, on the other hand, is now planning to actually fix the issue with the Patch Tuesday either in July or August. The security hole could be patched as early as July 11 or the 8th of August, which is when Microsoft is expected to release new Patch Tuesday updates for Windows. The security hole discovered by Google doesn’t necessarily pose any real threat to the end-user, but Microsoft will probably want to get it fixed as early as possible. We’ll make sure to keep an eye on this and let you know once it gets fixed.