Google revealed details of another Windows security hole that will leave users exposed at least until February 10th.
The new vulnerability allows hackers to impersonate a user and decrypt or encrypt data on Windows 7 and 8.1.
This discovery was made under Project Zero, Google’s initiative to locate and report vulnerabilities. Bugs discovered by Project Zero are reported only to the software’s vendor, which is given 90 days to patch or disclose them. If the vendor does nothing, Google reveals them online.
Microsoft was notified of the bug on October 17 and had planned to fix it during January’s Patch Tuesday. However, the fix had to be postponed due to compatibility issues. Google stuck to their 90-day public disclosure deadline.
Now Microsoft’s calling Google a telltale – Bad Google, bad Google – and security experts are saying Microsoft should stop whining and face their “inability to adapt and fix bugs in a timely fashion” (Robert Graham, Errata Security).
By the way, this is the third unpatched Windows vulnerability that Project Zero has publicly disclosed over the past month.