Google’s Project Zero posts Windows 8.1 flaw after 90-day grace period

Nate Swanner - Jan 2, 2015, 12:41pm CST

Project Zero, Google’s software vulnerability tracking program, has discovered another exploit. This time, they’ve come across one for Windows 8.1 that could give even the lowest-level users complete administrative control. Typically, Project Zero gives their discovery to the company who built the software so they can patch it up. The vendor has 90 days to fix it before Google releases their findings to the world. Microsoft didn’t act accordingly, and now we know all about it. Rather than a fix, Microsoft has excuses.


According to Microsoft, “for a would-be attacker to potentially exploit a system, they would need to have valid logon credentials and be able to log on locally to a targeted machine” before completely exploiting a system, but that’s not too far-fetched for some entities. Google made it fairly easy, too, publishing the details of the exploit alongside the code they used to run it.

Google says they reached out to Microsoft on September 30, and urged them to act within 90 days.

Users don’t seem so keen on Project Zero’s actions here, either. One response to the code suggested Google’s Project Zero was “irresponsible” to mandate a fix happen in 90 days, with another noting users “deserve a more responsible behavior” from both Microsoft and Google.

It might not matter in the long run, though. One user claims to have run the exploit on a system running Windows 10 to no avail. For now, the exploit is real and working. With Windows 10 a long way off, we’ll have to play the waiting game for a fix from Microsoft.

Source: Google
Via: Engadget

