In a controversial move to raise awareness of zero-day security bugs, Google researchers have released details of a vulnerability in Windows 8.1 before Microsoft was able to release a patch. The exploit code has been published by Google’s highly lauded Project Zero Group, according to a report by Graham Cluley.
The security hole purportedly enables users with restricted rights to become administrators.
Google has justified its decision to release details of the vulnerability by stating that the bug was reported to Microsoft on 30 September 2014, and that its 90-day disclosure deadline had already passed.
Critics have argued that Google’s behaviour is tantamount to bullying: rather than publishing details of the bug on the Internet, where they are available for anyone to exploit, the company should instead have alerted the media to the fact that the bug had not yet been fixed.
Microsoft, however, says the bug does not pose a severe security risk, noting that the attacker would need to have “valid logon credentials and be able to log on locally to a targeted machine.”