Google Project Zero has often been at odds with Microsoft over the way it reports bugs in services. With that in mind, Microsoft will likely be unhappy to see the latest report about a Windows 7 vulnerability that is being used in conjunction with a Google Chrome exploit.
Google Project Zero was created to find zero-day flaws in Google software and in services from other companies. It has been running since 2015, and Google says it is meant to push companies to take responsibility for security.
When it finds a flaw, Project Zero will warn the vendor and give them 90 days to create a patch. If that 90-day limit passes, Google will disclose the flaw publicly.
Google says it patched the Chrome vulnerability (CVE-2019-5786) last Friday. Users should be on version 72.0.3626.121 or higher to avoid the problem. However, Microsoft’s Windows 7 is still vulnerable due to a flaw in the win32k.sys kernel driver.
This link has more context on the 0day attack observed against Chrome. Separately, I want to expand on why it was important to call out this attack more prominently than previous 0day attacks against Chrome. [1/3] https://t.co/9rGkXa6BoI
— Justin Schuh 🗑 (@justinschuh) March 7, 2019
Project Zero describes the vulnerability as an escalation of privilege attack. The team believes it only affects Windows 7, Microsoft’s aging OS that will sunset in January 2020. Microsoft’s improved security on the newer Windows 8.1 and Windows 10 platforms ensures those operating systems are safe.
Microsoft knows about the vulnerability and Google says the company is working on a fix, although it is not available yet. Until mitigations are launched, Google advises users to update to Windows 10 to avoid the problem.
Project Zero and Microsoft
Microsoft’s problem with Google Project Zero has not been that the team finds vulnerabilities, but how it reports them. Project Zero has previously found issues in Windows 10 and the Microsoft Edge browser.
Under Project Zero’s model, the team gives companies 90 days to fix a problem before making it public. Microsoft has criticized this approach, suggesting Google should work with companies to find fixes instead of imposing deadlines upon them.