Google discloses zero-day Windows flaw

This security update resolves vulnerabilities in Adobe Flash Player if Flash Player is installed on any supported edition of Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 8.1, or Windows RT 8.1. But Microsoft was also discontinuing Security Bulletins this month.

This Flash Player vulnerability affects all operating systems and Adobe released updates to resolve the issues last week. However, those February security updates were deferred till March, possibly because Microsoft had some kind of backend technical glitch happening.

The Register has yet to see a response from Microsoft on this release. That switch is supposed to happen sometime this month.

Google has disclosed the existence of a security flaw within a Windows library, days after Microsoft delayed the release of its latest batch of Windows patches by a month. They are rated "Moderate" for Windows Server 2012 but "Critical" for Windows Server 2016.

No other security updates are scheduled for release until the next scheduled monthly update release on March 14, 2017.

Which is a shame - not least because it's possible that Microsoft's planned update might have addressed a security flaw in its code that Google's Project Zero team went public about on Tuesday February 14th.

Google claims that it has uncovered multiple bugs affecting the Windows Graphics Component GDI library (gdi32.dll), which the company claims could let an attacker use EMF metafiles to access memory. The problem concerns MS16-074, which fixed some flaws but still permits a "device independent bitmap" bug that could let attackers gain access to information, according to the Project Zero description. Our standard policy is to provide solutions via our current Update Tuesday schedule. The Creators Update (code-named "Redstone 2") is expected to arrive this spring. I am wondering if they were those updates holding the main releases from the last 7-8 days? That notion is based on a screenshot taken from the Microsoft Ignite Australia event, which took place earlier this month.

"Microsoft fought hard against the 90-day disclosure window when Project Zero announced a privilege escalation bug affecting all versions of Windows last year, but with the Google team unaffected by the pressure, I find it highly doubtful that they'll change the policy for future bugs they unearth."
