Google outs Windows flaw after Microsoft misses a patch deadline

Microsoft has been stung anew by Google’s Project Zero wasps after the latter’s researchers made public a Windows 10 vulnerability which has yet to be patched.

The flaw in the Windows GDI’s gdi32.dll was supposed to have been patched with last June’s MS-16-074 bulletin, but according to Project Zero researcher Mateusz Jurczyk, that fix was only partial.

Jurczyk resubmitted his vulnerability report on November 16, which gave Microsoft 90 days to issue a fix under Google’s Project Zero protocol for non-critical flaws. With no patch forthcoming by the cut-off, he felt justified in making the issue public.

Normally, this would be merely annoying for Microsoft if the date of the deadline, February 14, had not also been the day it unexpectedly pulled its regular monthly update (formerly Patch Tuesday) due to an unspecified “last-minute issue”.

Worse still, not only was dropping a patch day unprecedented in a system stretching back to 2003, but Microsoft unsettled customers by pulling it completely until March 14.

It’s not certain that a fix had been prepared for February but the long delay pushes it back by weeks unless an out-of-band patch is issued, something reserved only for serious flaws that are being exploited.

If Google embarrassing Microsoft over unpatched vulnerabilities sounds familiar, it is. Barely three months ago, the pair crossed swords after Google disclosed a zero-day flaw days in advance of a patch. As Microsoft’s Terry Myerson complained at the time:

We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

Further back, in early 2015, barely six months after Google set it up, Project Zero was heavily criticised by Microsoft after it released details of a privilege escalation flaw in Windows 8.1 under its 90-day protocol even though a Patch Tuesday fix was due two days later.

Stung, Google revised its policy to allow for an extension of up to 14 business days where a fix was on its way.

These ongoing spats boil down to whether Google’s disclosure policy is in the interests of the public as opposed to the convenience of an affected vendor, in this case Microsoft.

Google works to three timescales: the 90-day rule applied to the latest vulnerability, which drops to 60 days if the flaw is rated critical, and seven days if it is being exploited.

As Google says in a 2015 blog, timescales are always a balancing act. The vendor must have some time but not too much or there is no incentive to issue a fix quickly.

US CERT/CC works to an even more aggressive 45-day policy, Yahoo 90 days, while TippingPoint’s old Zero Day Initiative (ZDI) assumed 120 days. Arguably, by this measure, Google is being overly generous. Google explained:

We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.

Microsoft has yet to respond the latest Project Zero disclosure but it could be that with an extraordinary one-month update delay to cope with, this is simply the least of its worries.