You already know that Google Project Zero is the Google team that searches for vulnerabilities in products and services. The saying “I sell advice that I don’t take myself” could apply to this situation. Its usual procedure is to give the affected company an extendable period of time to resolve the vulnerabilities it reports.
If that deadline is not met, Google publishes the vulnerability together with details of how it can be exploited. We have seen this happen frequently, but this time a vulnerability has been disclosed in the middle of the Christmas holidays.
Google Project Zero puts Windows 10 engineers in deadlock over Christmas
The bug that was publicly disclosed is a security flaw in Windows that, if exploited, can lead to an elevation of privilege.
Here’s how it works: a malicious process can send Local Procedure Call (LPC) messages to the splwow64.exe Windows process, which allow an attacker to write an arbitrary value to an arbitrary address within the memory space of splwow64. Essentially, this means that the attacker controls both the destination address and the content copied to it.
The defect in question is not entirely new. In fact, a Kaspersky security researcher reported it earlier this year and Microsoft patched it in June. However, that fix has now been deemed incomplete by Maddie Stone of Google Project Zero. According to Stone, Microsoft’s patch only changed the pointer into an offset, which means that an attacker can still exploit the bug by controlling the offset value.
The zero-day was privately reported to Microsoft by Google Project Zero on September 24, with the standard 90-day deadline expiring on December 24. Microsoft originally planned to release a fix in November, but that release slipped to December. Microsoft then told Google that it had identified new issues in its testing and would now release a fix in January 2021.
Project Zero could be more uncompromising in 2021
On December 8, the two sides met to discuss progress and next steps, and it was determined that the 14-day grace period could not be offered to Microsoft. The company plans to release the patch by January 12, 2021, six days after the grace period would have ended. Stone said that while she doesn’t think an incomplete fix deserves another 90-day deadline, that has always been the default practice.
The Project Zero team plans to review its policies next year, but has publicly disclosed the vulnerability together with proof-of-concept code. The published write-up does not state which versions of Windows are affected, but Kaspersky’s report from a few months ago says attackers have used the bug against recent versions of Windows 10.