When Microsoft Says It’s Fixing Windows 10 Bugs But Doesn’t Really Do That…
The duel between Microsoft and Google's security teams continues with Google doing the most damage to the Redmond software giant. This week alone the company's world-famous Project Zero team has dumped two bug reports without any fix from Microsoft in sight. After disclosing a security issue in Microsoft Edge earlier in the week, Project Zero disclosed yet another security vulnerability before Microsoft could fix it. Both the reports were published after Microsoft failed to issue a fix within Google's 90-day disclosure period.
The latest bug is an elevation of privilege issue in Windows 10 which lets a normal user gain administrative privileges on an affected system. While Microsoft rates the flaw as “important,” Google considers it as “high” severity. Regardless of its severity, it is unclear why the company hasn't issued any explanation on the lack of patches coming for these reported security issues.
The flaw affects Windows Storage Services that manages file transfers and storage operations on the operating system. Google researchers said that the vulnerability affects the SvcMoveFileInheritSecurity function that is called every time a file is moved. This function, however, can be used to elevate privileges using two methods - one of which was fixed by Microsoft in this month's security patches.
Microsoft doesn't even want to respond to Google's latest bug disclosures
Project Zero suggests that the Redmond tech giant fixed only the first method, as the second one to leverage that function to gain system privileges still works. "After reviewing the patch for this issue MS have not fixed it even though the report was quite specific about not forgetting about this edge case," security researchers wrote. "Therefore as it's not actually fixed the status has been reverted to New."
The Windows maker had actually asked Google for a deadline extension, confirming that the bug fixes will be delivered in the February Patch Tuesday updates. All of this happened back in November. Since the February security patches only brought fixes to one of the reported methods, Google disclosed the bug publicly without waiting any further.
James Forshaw of the Project Zero security team explained that Microsoft doesn't consider it critical since to gain system privileges, the attacker would need to have access to the system as it cannot be done remotely. He added yesterday that the bug only affects Windows 10 and not any earlier versions of Windows such as 7 or 8.1. "However I've not verified that to be the case but there's no reason to believe it's incorrect," he wrote.
- We have tried to reach out to Microsoft for a clarification on this. While the company is usually prompt to respond, it appears to be taking its time to explain why this bug wasn't fixed.