Google Project Zero Team Discloses Windows 10 Flaw Before Microsoft Can Fix It

By Sumit Chakraborty | Updated: 21 April 2018 18:28 IST
Highlights
  • Google had reported the bug in January this year
  • Microsoft had asked for a deadline extension, which Google denied
  • The flaw affects Windows 10 machines with UMCI enabled

Google's Project Zero team has publicly disclosed a flaw in Windows 10, even though Microsoft wanted to keep it under wraps until it came up with a fix. The flaw affects Windows 10 S, a version of the operating system that the company designed as a safer platform for educational institutions and other establishments by only allowing apps from the Microsoft Store to be installed. It also affects any Windows 10 system that has UMCI enabled. Disclosing a flaw before a company is ready with a fix is not unusual for the Google Project Zero team, which has shamed Microsoft with similar disclosures in the past.

According to the Project Zero team, the latest flaw affects any Windows 10 system with User Mode Code Integrity (UMCI) enabled, a setting that is commonly implemented in enterprise systems with a Device Guard (DG) virtual container and is enabled by default in Windows 10 S. The issue allows arbitrary code to be run. Project Zero researcher James Forshaw has released a detailed description and proof-of-concept code for the bypass, which allows attackers to gain persistent code execution on a PC or laptop. The bug is said to lie in the .NET framework and how it works within the Windows Lockdown Policy (WLDP). It is also said to sit alongside two other known and as yet unfixed Device Guard bypasses in the .NET framework.

Forshaw says, "It's not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge." However, he adds, "There's at least two known DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10 S so this issue isn't as serious as it might have been if all known avenues for bypass were fixed."

Google first reported the bug to Microsoft on January 19 this year. In February, Microsoft confirmed it and said it could not be fixed by April's patch deadline due to an "unforeseen code relationship". In April, the two companies again haggled over disclosure dates. Microsoft asked for an extension of two weeks on the 90-day disclosure deadline, which Google Project Zero denied. Microsoft then asked Google to hold off disclosing the bug until May's patch, a request Google denied yet again.

From disclosing a Windows 10 bug in 2016, to going public with a 'high severity' bug in Microsoft Edge and Internet Explorer last year, and more recently revealing an Edge browser bug, engineers at Google Project Zero have not shied away from publicly disclosing flaws in Microsoft products before the Redmond giant was able to fix them. To recall, the Google Project Zero team has a 90-day deadline for disclosing flaws, counted from the date it informs the concerned company about the issue. It's no secret that the two companies have a not-so-pleasant history, as even Microsoft has taken jabs at Google for its security vulnerabilities.

 
