Google again publishes details of Windows vulnerability with no patch available


Google’s Project Zero security team has again released details of a vulnerability in Windows before Microsoft has developed a patch. Google rates the severity of the vulnerability as ‘average’.

Google researcher James Forshaw writes in a post on the bug tracker that the .NET vulnerability applies to versions of Windows 10 that use the Device Guard technique for protection against malware, for example Windows 10 S. He reports that the vulnerability allows code execution, but that it cannot be exploited remotely, nor is it a technique for acquiring higher privileges on a system. An attacker must already be able to execute code on the system to exploit the vulnerability. As an example, Forshaw cites an RCE vulnerability in the Edge browser.

He reported the vulnerability to Microsoft on January 19, and Microsoft informed him on February 12 that there would be no patch in the monthly patch round in April. It then asked for a delay and later said it would release a patch with the release of Redstone 4. The researcher said there is no exact date for that release and that the problem is not particularly serious, as there are other techniques that achieve the same goal, which Microsoft has also not yet fixed. Google has a 90-day deadline.

This deadline has previously led to the publication of Microsoft vulnerabilities without a patch being available. The same thing happened last year and at the end of 2016; in the latter case, Microsoft responded with criticism. According to that criticism, Google had created a risk for users with its decision to publish.
