Google Reveals 2 More Windows Bugs After Microsoft's Public Criticism

After publicly criticising Google's decision to disclose a vulnerability in Windows 8.1 two days before Microsoft planned to issue the fix, it was expected that the two company will resolve further issues behind curtains. But last week, Google again went ahead and disclosed two more bugs of Windows 7 and Windows 8.1 to public as per its Project Zero policy.

Out of the two bugs was reported to Microsoft on October 17 last year, the first allows Windows 7 and Windows 8.1 attackers to impersonate a normal user at identification level and decrypt or encrypt data for a logon session, and the second allows Windows 7 attackers to see power settings information only.

Commenting on the impersonation and logon bug, a Project Zero member noted on Wednesday, "Asked Microsoft for information on whether they were going to fix this issue and timescales of it. Notified them that the current deadline is the 15th January."

"Microsoft informed us that a fix was planned for the January patches but has to be pulled due to compatibility issues. Therefore the fix is now expected in the February patches," added project member on the forum.

For the power settings information bug, both companies have agreed to the issue not being that much of a problem, so no patch has been planned as yet, though it will remain under consideration, noted Google's forum, "Microsoft have stated that this issue is not considered serious enough for a bulletin release as it only allows limited information disclosure about power settings. It will be under consideration for fixing in future versions of Windows. We agree with this assessment and will remove the view restriction on the issue.

To remind you, Microsoft's Senior Director of the Microsoft Security Response Center, Chris Betz, had published an official blog post last week, criticising Google's irresponsible action of disclosing a 90-day-old bug before the company not only planned a fix for the problem on January 13, but also asked Google not to go public until that day.

But for Google, the disclosure was made as a part of its Project Zero security initiative that stipulates a 90-day deadline for the fix before the public disclosure of the bug.