Google publishes more Windows bugs before a fix


By Dylan Bushell-Embling
Monday, 19 January, 2015


Google has published details of two new Windows security flaws before Microsoft has patched them, days after Microsoft called on its rival for more time to react to bug reports before they are disclosed.

The two bugs - including one that could allow attackers to impersonate an authorised Windows 7 or 8.1 user and then encrypt or decrypt data - were revealed last week on Google's Project Zero tracker.

Google currently discloses vulnerabilities discovered by its Project Zero team 90 days after informing the vendor, while Microsoft typically pushes out patches for non-critical bugs on the first Tuesday of every month.

According to the Project Zero bug tracker entry, Google has been informed that a fix to the bugs had been planned for the January patches but was pulled due to compatibility issues. This means a fix will not be pushed out to customers until 10 February.

The second bug is far less serious: it could allow an unauthorised user to retrieve information about a Windows 7 PC's power settings. The bug tracker notes that it is unclear whether this has a serious security impact.

This marked the fourth time in three weeks that Project Zero has published details of Windows flaws before a patch was available.

After the second of the bugs was made public before a fix was applied, Microsoft Security Response Center Senior Director Chris Betz publicly called on Google to revise its policy on disclosures to ensure end users are protected. But Google appears to have been unmoved by the request.
