
Google Once Again Discloses Windows 10 Flaw Before Microsoft Can Fix It

Google's Project Zero team has publicly revealed a flaw in Windows 10, even though Microsoft wanted to keep it secret until a fix was available. The flaw affects Windows 10 S, a version of the operating system that the company designed as a safer platform for educational and other institutions by allowing only Microsoft Store applications to be installed. It also affects any Windows 10 system on which UMCI is enabled. Disclosing a flaw before a company is ready with a fix is not unusual for the Google Project Zero team, which has shamed Microsoft with similar disclosures in the past.

According to the Project Zero team, the latest flaw targets any Windows 10 user with UMCI (User Mode Code Integrity) enabled, which is commonly implemented in enterprise systems with Device Guard (DG) and is a default setting in Windows 10 S. The problem allows the execution of arbitrary code. Project Zero researcher James Forshaw has released a detailed description and proof-of-concept code for the bypass, which allows attackers to obtain persistent code execution on a PC or laptop. The bug is said to be in the .NET Framework and how it works with the Windows Lockdown Policy (WLDP). It is mentioned alongside two other known and unresolved Device Guard bypasses in the .NET Framework.

Forshaw says, "This is not a problem that can be exploited remotely, nor is it an escalation of privileges. An attacker should already have code running on the machine to install the registry entries needed to exploit this problem, although this can be done via an RCE such as a vulnerability in Edge." However, he adds, "there are at least two known DG bypasses in the .NET framework which are not corrected, and are still usable even on Windows 10 S, so this problem is not as serious as it could have been if all known avenues for bypass had been corrected."

Google first reported the bug to Microsoft on January 19 of this year. In February, Microsoft confirmed it and stated that it could not be corrected before the April deadline due to an "unexpected code relationship". In April, the two companies negotiated disclosure dates. Microsoft asked for a two-week extension of the 90-day disclosure deadline, which Project Zero refused. Microsoft then asked Google to hold the disclosure of the bug until the May Patch, which Google again refused.

From disclosing a Windows 10 bug in 2016, to making public a "high severity" bug in Microsoft Edge and Internet Explorer last year, and more recently revealing a bug in the Edge browser, Google Project Zero engineers have not hesitated to publicly disclose flaws in Microsoft products before the Redmond giant could fix them. As a reminder, the Google Project Zero team has a period of 90 days to disclose flaws, counted from the date on which it notifies the company concerned of the problem. It's no secret that the two companies have a not-so-nice history, because even Microsoft has taken Google's jabs for its security flaws.


The post Google Once Again Discloses Windows 10 Flaw Before Microsoft Can Fix It appeared first on News Doses.


