Google’s Project Zero might not be on Microsoft’s Christmas card list after once again sticking to its 90-day deadline policy and releasing information on another Windows bug. Microsoft was informed about the bug on October 17th 2014 and, as per Google’s policy, was given 90 days to release a patch before Google revealed it to the general public.
The bug, which affects Windows 7 and 8.1, allows attackers to impersonate a user and also decrypt or encrypt data for a logon session. Full details of the bug can be found here.
A Project Zero member stated last week that they “Asked Microsoft for information on whether they were going to fix this issue and timescales of it. Notified them that the current deadline is the 15th January.” They also said “Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore the fix is now expected in the February patches.”
Another bug, which affects only Windows 7 and allows attackers to impersonate a user and access the computer’s power settings, was briefly revealed before Microsoft and Google agreed that it was not a major issue. No patch has been planned yet, but one could be released. Google released a brief statement saying “Microsoft have stated that this issue is not considered serious enough for a bulletin release as it only allows limited information disclosure about power settings. It will be under consideration for fixing in future versions of Windows. We agree with this assessment and will remove the view restriction on the issue.”