Google’s Project Zero is known to track software vulnerabilities and then report them to vendors. It gives vendors a 90-day window to fix the issue. But now it looks like Google is going ahead and publishing unpatched problems before the vendor fixes them. At least that is what happened with Microsoft.
According to Engadget, Google has openly published a Windows 8.1 vulnerability that gives low-level users administrator rights. Given that the security flaw has been revealed without any fix, it could pose a threat to some Windows users.
On the other hand, Google says it gave Microsoft enough time to fix the problem before the codes went public on 29 December. It further said that Microsoft was informed about the issue on September 20 and its been 90 days since the security issue was brought to its notice.
“On balance, Project Zero believes that disclosure deadlines are currently the optimal approach for user security — it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,” Google told Engadget.
Microsoft has said that attackers would require ‘valid logon credentials and be able to log on locally to a targeted machine.” This may limit the damage, but doesn’t mean someone with fairly good programming skills cannot cause harm.
Now, it has issued a statement that reads:
We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer.
0 comments:
Post a Comment