Sunday, 18 January 2015

Google at it again, reveals more Windows bugs

Google has made more Microsoft security bugs public as part of its Project Zero even after the Redmond giant's scathing criticism of the company's move.

The search giant has made public a bug in the CryptProtectMemory memory-encryption function in Windows 7 and 8.1 after its 90-day deadline passed.

Describing the bug on the Google Security Research page, project member James Forshaw posted that the function CryptProtectMemory allows an application to encrypt memory for one of three scenarios: process, logon session and computer. However, due to the security bug, attackers could impersonate a user and decrypt or encrypt data on Windows 7 and Windows 8.1 systems.

He later posted that Microsoft had said a fix was planned for the January patches but had to be pulled due to compatibility issues. The fix is now expected in the February patches.

Another bug that has been reported is related to a potential attacker being able to see information related to the system's power settings. Both Microsoft and Google have acknowledged it's not a critical issue and Microsoft will not roll out a fix for it.

Google had first made a Windows 8.1 bug public on January 11, 2015 as part of its Project Zero. This project is aimed at compelling software makers to improve upon the response time to software flaws and make the web and computers more secure to use. Google gives such software companies a lead time of 90 days before making the flaws public.

Microsoft had criticized the online search titan for revealing the Windows vulnerability before the former could release a fix.

Chris Betz, the chief of Microsoft Security Response Center, had said in a blog post that the company asked Google to hold off on revealing the flaw for two more days, as it needed a couple more days to develop a fix.

He slammed Google's decision to reveal the software issue by writing, "The decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."
