Google Project Zero has uncovered several vulnerabilities in Microsoft services recently. We reported on a confusion flaw in Microsoft Edge, while Project Zero has also found a problem with Windows 10. Microsoft has yet to patch these vulnerabilities, but the Windows 10 flaw has been solved by a third party.
As a recap, Google Project Zero was created to find zero-day vulnerabilities in services. The team warns the software provider of a flaw and gives it 90 days to solve it. When the 90 days pass, any unsolved vulnerabilities are made public.
The two flaws found in Microsoft services last month passed the limit without a fix. Google says Project Zero exists to promote openness and to push software providers to solve problems. In terms of the Windows 10 gdi32.dll vulnerability, the team said Microsoft was informed last year and an attempt to fix it did not work.
Third-party security firm 0patch has created a solution that could solve the issue. The group is a project created by ACROS Security experts and has built a patch for the memory disclosure bug. 0patch will not stop at this flaw: it plans to release further patches whenever a vendor has yet to solve an issue.
The 0patch for the Windows 10 vulnerability is the first.
Of course, the 0patch solution would be temporary until Microsoft issues its own fix. The most likely timeframe for an official patch is March 14, when Windows gets its monthly Patch Tuesday release.
“Microsoft will likely fix this issue with their next Patch Tuesday (March 14), so ours is the only patch available in the World until then. We'll also try to micropatch the other 0-day revealed by Google,” the group says.
Microsoft suspended February's Patch Tuesday because of an unnamed flaw that could not be solved in time. While the company has not said what the issue was, it could have been the Windows 10 problem found by Google Project Zero.