Google keeps up pressure, reveals three more Windows bugs
However, Microsoft said that none would be patched with a security update.
Since Dec. 29, Google's Project Zero has revealed several bugs in Windows before Microsoft was able to patch them. Project Zero is composed of several Google security engineers who investigate not only the company's own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically publicly posts details and sample attack code if the vulnerability has not been patched.
One of the earlier disclosures prompted Microsoft to lash out at Google for putting Windows customers at risk.
Google lifted the viewing restrictions of the three newest bugs on Friday, making details public on the Project Zero bug tracker after Microsoft said it did not intend to patch them.
"Microsoft have concluded that the issue does not meet the bar of a security bulletin," the tracker for one of the bugs read. "They state that it would require too much control from the part of the attacker."
Google reported the three bugs to Microsoft on Oct. 27, Nov. 5 and Nov. 10, and classified them as either information disclosure flaws or possible elevation of privilege vulnerabilities.
Under Microsoft's usual threat rating system, none of the trio would have been ranked higher than "Important," its second-from-the-top rating.
In all three cases, however, Microsoft will not be patching the Google-found bugs. "The cases publicly disclosed offer no serious security implications, and we do not plan to address them with security updates," a Microsoft spokesman said late Sunday in an email reply to questions.
All of the Windows bugs revealed so far by Project Zero have been uncovered by James Forshaw, who joined the team last August. Forshaw is a noted Windows vulnerability researcher who, while with U.K.-based firm Context Information Security, was handed $100,000 by Microsoft for demonstrating a new way to circumvent Windows' defensive technologies.
Forshaw received an additional $9,400 from Microsoft in 2013 for digging up four bugs in Internet Explorer 11 (IE11) during a short-term bounty program the Redmond, Wash. company ran that summer. He has also earned prize money at the annual Pwn2Own hacking contest, including $20,000 in March 2013 for exploiting Oracle's Java.
Although it's impossible to view bugs that have been reported but have not reached the 90-day deadline, it's clear that Google will not retreat from its policy to go public if vulnerabilities have not been patched, Microsoft's complaint notwithstanding.
On Dec. 31, in response to a debate over the first vulnerability Google disclosed before Microsoft patched it, Ben Hawkes, also on the Project Zero team, defended the 90-day policy, but left the door open to changes.
"On balance, Project Zero believes that disclosure deadlines are currently the optimal approach ... it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face," Hawkes wrote. "With that said, we're going to be monitoring the effects of this policy very closely -- we want our decisions here to be data driven, and we're constantly seeking improvements that will benefit user security."