A report in the Project Zero directory has denoted the security flaw as “high” in terms of severity. The vulnerability has been tested on Windows 10 version 1709 and has passed Google’s 90-day deadline: Google Project Zero was created to find zero-day flaws in Google software and services from other companies. It has been running since 2015, and Google says it is supposed to push companies into responsibility over security. Perhaps it is ironic Google was one of the companies complicit in hiding the Meltdown and Spectre CPU flaw. When it finds a flaw, Project Zero will warn the vendor and give them 90 days to create a patch. If that 90-day limit passes, Google will disclose the flaw publically. This is not the first time that Google Project Zero has targeted one of Microsoft’s services, something the Redmond giant has been critical of. The company has often been critical of Google Project Zero. Microsoft’s problem with Google Project Zero has not been that the team finds vulnerabilities, but how it reports them. In this case, the Windows 10 flaw is in the SvcMoveFileInheritSecurity remote procedure call (RPC). If an attacker exploited the flaw, an arbitrary file could be assigned to an arbitrary security descriptor, and could get control of a system. Microsoft applied for the deadline to be extended and has since issued a fix through this month’s Patch Tuesday.
Chrome Flaw
Back in October, Microsoft turned the tables on Google by disclosing a problem in Chrome. Terry Myerson, Executive Vice President, Windows and Devices Group, previously said Google’s 90-day limit ultimately puts customers at risk: “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.” Microsoft believes its method of warning companies and working with them to find a fix is a better approach.