Google is once again dropping the same bomb on Microsoft - disclosing a vulnerability publicly after the company failed to patch it in time.
Microsoft keeps failing to patch critical security flaws in Windows
The Redmond software giant was expected to a send a security update on Patch Tuesday last week. However, it failed to do so and said that the updates will now be released "as part of the planned March Update Tuesday," on March 14, 2017 - a whole month after they were supposed to go live.
Even before this delay, a security researcher released a Windows Server zero-day exploit on GitHub after Microsoft failed to release a fix, despite being warned three months ago. The public release of zero-day security vulnerability triggered a security advisory from the US-CERT Coordination Center (CERT/CC). When asked if the public disclosure of the security vulnerability was irresponsible on the part of Laurent Gaffie (security researcher responsible for the detection of the bug) he had said the responsibility lies with Microsoft.
That wasn't the first time Microsoft failed to patch a critical vulnerability despite being warned. In October last year, Google’s Threat Analysis group disclosed details of a critical Windows security vulnerability in a public post on the company’s blog. The search giant had said the zero-day Windows bug was being actively exploited in the wild, and that Microsoft had failed to patch it in time - Google has a 7-day policy, after which it publicly shares the vulnerability information, something that Microsoft and others absolutely hate.
Coming back to present
Google's Project Zero security research department has once again released a zero-day vulnerability in the wild. However, this time it didn't just wait for 7 days, but revealed the vulnerability after Microsoft failed to patch it within the 90-day window given by the company.
The latest bug affects the Windows GDI (Graphics Device Interface), which is a library that enables applications to use graphics and formatted text on both the video display and a local printer. The bug enables hackers to steal information from memory and affects Windows versions from Windows Vista Service Pack 2 to the very latest Windows 10.
While last November, Microsoft's Terry Myerson had called Google's actions as "disappointing" because it "puts customers at increased risk" of exploitation, he can't say the same now. Last year, Google had released the information after just 10 days, however, the company has now disclosed information after giving Microsoft over 90 days.
"This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public," the advisory reads.
More details on the bug can be found here.
