Google’s Project Zero security researchers drop another bomb on Microsoft

It seems Microsoft is not only having to battle hackers but also Google to keep Windows secure.

The company’s Project Zero security research wing has once again released a zero-day vulnerability into the wild.

The bug, in Microsoft’s GDI library, is currently unpatched with a proof of concept available.

It affects Windows Vista Service Pack 2 all the way up to Windows 10 but fortunately requires physical access to exploit.

The bug allows hackers to steal information from memory, and affects any apps using the GDI library.

This is the second round for this vulnerability. On the first occasion, Microsoft was informed of the vulnerability on the 9th of June 2016 and released a fix on the 15th of June. Unfortunately, the fix did not solve the problem completely, and Google reported the new issue on the 16th of November 2016. Microsoft failed to issue a patch in the 3 months allotted, and Google therefore released the vulnerability to the wild today.

While on this occasion Microsoft may have been a bit slow to respond, last year Google gave Microsoft less than 10 days to patch a critical bug, suggesting a rather adversarial relationship which does not have the security of Windows users at heart.

Hopefully the bug will be fixed either this month or next, but it is clear Microsoft cannot count on Google giving them any slack in the security department.
