Microsoft’s recent “call for better coordinated vulnerability disclosure” seems to have hit a brick wall, with Google as quick as ever to expose yet another Windows security glitch. Rated medium for severity, the bug may just be the most troublesome of the three broadcasted this past month.
It’s not (necessarily) that evil hackers will be using the “impersonation check bypass” to wreak havoc on millions of systems running Windows 7 or 8.1, but they could do a lot of harm, and have plenty of time to plan their attacks.
Unlike the previous two vulnerabilities made public by Google, this one is to be dealt with in a matter of weeks… at best. Specifically, on the second Tuesday of February, i.e. the 10th, i.e. the next Patch Tuesday.
As usual, the finder of the malfunction, James Forshaw, followed procedure, posting his discovery on the Google Security Research channel for only authorized eyes to see. That was on October 17, 2014, at which time Microsoft was sent a note describing the concern and the presumed issue.
Of course, the clock began to tick immediately, and Redmond had exactly 90 days to fix things before the post would automatically be derestricted. On October 29, it was confirmed the defect “might constitute a security feature bypass.”
Initially, a universal fix was scheduled to roll out last week, alongside the eight efficient solutions for unrelated “important” and “critical” Windows bugs. But alas, mysterious “compatibility issues” forced a delay for February.
Which brings us to today, and the latest “gotcha” moment in a series of decisions Chris Betz of Microsoft’s Security Response Center deemed “right for Google but not right for customers.” A matter of principle, the search giant would probably reply, and then we’d go back and forth between the equally rational claims of the two arch-rivals.
On one hand, the people have a right to know, but on the other, they’re better off kept in the dark until all is milk and honey again. Or, you know, as close as Windows could ever get to an invulnerable, impenetrable security paradise.
Speaking of your right to know, here’s the bug’s full mind-bending explanation.