Microsoft not planning a fix in July or even August

Jun 28, 2017 06:24 GMT

Google Project Zero engineers have discovered another security flaw in Microsoft’s Windows operating system, but this time all details have been posted online as the software giant failed to address it before the 90-day disclosure deadline.

According to Project Zero guidelines, vendors have 90 days to repair vulnerabilities reported as part of the program; otherwise, all details are published online.

Google engineers first came across the vulnerability in the Windows kernel in March 2017, and the team even agreed to extend the standard 90-day deadline to give Microsoft more time to create a patch. The update was shipped to all users as part of the June 2017 Patch Tuesday, but it looks like the vulnerability is still there even on patched systems.

All Windows versions now vulnerable

Google says that the vulnerability allows anyone to access kernel memory and eventually get around the exploit mitigation systems integrated into Windows 10. The flaw was rated as a medium severity risk.

As reported by Neowin, the vulnerability exists in all Windows versions that are still getting support, starting with Windows 7 and ending with Windows 10. Only 32-bit versions of Windows seem to be affected.

The worst thing is that Microsoft does not appear to be in a rush to deliver a fix. The company only plans to ship a new patch that would finally address the vulnerability on the next Patch Tuesday, taking place on July 11, or even in August, even though all details have already been disclosed online.

“MSRC has indeed confirmed that the fix released on June Patch Tuesday is incorrect and doesn't resolve the bug properly. As such, the vulnerability still reproduces on Windows 7-10 with the original proof-of-concept program. A revised fix is expected to be shipped in the July (7/11) or August (8/8) Patch Tuesday at the latest,” Google says in an update to its original report.