Microsoft ships incorrect patch for Windows kernel vulnerability
According to the guidelines laid down by Project Zero, vendors have 90 days to fix a reported vulnerability before its details are published online.
Another security flaw has been discovered in Microsoft’s Windows operating system. The discovery was made by Google Project Zero engineers, but this time all details have been posted online because the software giant did not address the issue before the 90-day disclosure deadline.
Google engineers came across this vulnerability in the Windows kernel in March 2017. The team that found the issue agreed to give Microsoft an extension to the standard 90-day deadline so that the software giant would have more time to create a patch. The update was shipped to all users as part of the June 2017 Patch Tuesday, but it looks like the vulnerability is still present on patched systems.
Google has stated that the vulnerability allows an attacker to read kernel memory and thereby eventually bypass the exploit mitigations integrated into Windows 10. The flaw was rated medium severity.
According to a report from Neowin, the vulnerability exists in all Windows versions that are still getting support, starting with Windows 7 and ending with Windows 10. Only 32-bit versions of Windows seem to be affected.
One of the problems here is that Microsoft does not appear to be in a rush to deliver a working fix. The company plans to ship a corrected patch no earlier than the next Patch Tuesday on July 11, or possibly in August, even though all details have already been disclosed online.
“MSRC has indeed confirmed that the fix released on June Patch Tuesday is incorrect and doesn't resolve the bug properly. As such, the vulnerability still reproduces on Windows 7-10 with the original proof-of-concept program. A revised fix is expected to be shipped in the July (7/11) or August (8/8) Patch Tuesday at the latest,” Google says in an update to its original report.