Google discloses another Windows 10 security flaw before a patch is ready
Google disclosed a flaw in Microsoft Edge earlier this week, after Microsoft failed to patch the bug in time. Now Google’s Project Zero team of security researchers is disclosing yet another Windows 10 security flaw that Microsoft has again failed to patch within Google’s 90-day deadline. Neowin spotted that Google reported two bugs to Microsoft in November, but the company only addressed one of them with its recent Patch Tuesday fixes.
The latest unpatched issue is an elevation of privilege flaw, which allows a normal user to gain administrator privileges on a system. Microsoft has rated the flaw as “important,” but not “critical,” because it can’t be exploited remotely. It’s still an important issue to fix: an attacker who already has code running in a low-privilege session, for example through a separate, as-yet-unknown remote code execution bug, could chain it with this flaw to gain administrator access. That combination is an unlikely scenario today, but it becomes more likely the longer Microsoft leaves the bug unpatched.
It’s not clear when Microsoft intends to address the latest security flaw in Windows 10, and the company still needs to fix the Edge vulnerability that Google disclosed earlier this week. Google and Microsoft have a history of disagreements over Google’s approach to vulnerability disclosure. Microsoft hit back at Google’s approach to security patches last year, after discovering a Chrome flaw and “responsibly” disclosing it to Google so that the company had enough time to patch.
Google’s policy of disclosing after 90 days without a patch is criticized and applauded in equal measure. There’s plenty of evidence to suggest that reported security vulnerabilities are increasing in Windows and across the industry, and Microsoft has clearly struggled to fix these two issues despite plenty of notice. It can also be argued that Google’s efforts are forcing rival software to become more secure, which makes everyone’s software more secure. However, Google also has competitive commercial interests, and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities.
Reports suggest Google’s Project Zero security team originated from the fallout around the 2009 Google hack, an intrusion blamed on an unpatched flaw in Microsoft’s Internet Explorer 6 browser.
Google does make exceptions to its strict rules: Project Zero allows a short grace period (14 days) when a vendor has a fix scheduled just beyond the 90-day deadline, and it can disclose much sooner, within about a week, if the vulnerability is being actively exploited. Google disclosed a major Windows bug back in 2016 just 10 days after reporting it to Microsoft, and the company has revealed unpatched Windows bugs in the past before fixes were available.