Google announced Project Zero in July 2014, the name of a team of security analysts tasked with finding zero-day vulnerabilities. The latest issue disclosed by Google, found in Microsoft’s products, was not patched within the 90-day window the Redmond giant had at its disposal to come up with a fix.
Google and Microsoft are old rivals, but the fight has now been taken to another level. Windows users panicked after Google disclosed a serious vulnerability, and Microsoft reacted angrily because the public was informed about it 10 days after it was reported to the Redmond giant. Microsoft did not do its job properly, because a security issue affecting Windows 10 and older versions, going back to Windows Vista Service Pack 2, has not been fixed yet.
Security researcher “mjurczyk” posted on the Project Zero website about a vulnerability in Windows’ GDI library that could have led to data theft had attackers exploited it. The vulnerability would have allowed attackers to read information out of memory, and every program that used the library was affected. Thankfully, that vulnerability was reported to Microsoft on June 9, 2016, and fixed six days later.
But not all bugs in the GDI library have been fixed: the same researcher contacted Microsoft again and presented a proof of concept on November 16. Microsoft should have fixed the issue within three months, but the grace period is over and the full details of the vulnerability are now public. Google has even published information about the attack, but this time there is no reason to panic, because to exploit it, attackers need physical access to the host system. That does not mean Microsoft can forget about it, though, because attackers can develop sophisticated exploits and do real damage.