Microsoft wasn’t pleased last week when Google revealed a Windows security hole that would allow hackers to gain control of computer systems. Now Google’s Project Zero has disclosed two more Microsoft bugs. That makes at least four disclosures against Microsoft in the last few weeks.
Project Zero has discovered a bug in the CryptProtectMemory memory-encrypting function found within Windows 7 and 8.1, and made the disclosure public after its 90-day deadline passed. The bug was found by James Forshaw, who also discovered a privilege elevation flaw in Windows 8.1, the disclosure of which drew the ire of Redmond earlier this week.
Project Zero is composed of several Google security engineers who investigate not only the company’s own software, but that of other vendors as well. After reporting a flaw, Project Zero starts a 90-day clock, then automatically posts details and sample attack code publicly if the bug has not been patched.
The team’s previous disclosures of Windows bugs — one on Dec. 29, 2014, the second on Jan. 11, 2015 — led Microsoft to blast Google for putting its Windows customers at risk because neither vulnerability had been patched by the deadlines.
Microsoft fixed those flaws on Tuesday.