Google reveals another flaw in Windows 7 and Windows 8.1

19 Jan 2015

Google has revealed yet another flaw after facing flak for disclosing Windows 8.1 security bugs earlier this week (See: Microsoft slams Google for revealing security vulnerability in Windows).

Google revealed two bugs, one of which allowed attackers to impersonate a user and decrypt data on Windows 7 and Windows 8.1 machines.

The company's Project Zero scoured the internet to identify vulnerabilities around the web, in apps and in communication services, before bringing them to light and possibly quashing them.

Google gave companies 90 days to address issues, and revealed them to the public if they did not. Google reported the bug in the Windows operating system on 17th October 2014, after Microsoft had well passed the 90-day deadline.

Attackers could use the second vulnerability, which affected only Windows 7, to impersonate a user and access the machine's power functions. The bug was also reported on 17 October, 2014.

Google had been slammed by Microsoft for revealing vulnerabilities earlier this week, just two days ahead of Microsoft sending out a patch.

Chris Betz, senior director of the Microsoft Security Response Center, said in an official blogpost, "We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix.

Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result. What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

Meanwhile, The Times of India reported that the search giant had made public a bug in the CryptProtectMemory memory-encrypting feature of Windows 7 and 8.1 after its 90-day deadline had passed.

Describing the bug on the Google Security Research page, Project Zero member James Forshaw posted that the function CryptProtectMemory allowed an application to encrypt memory for one of three scenarios: process, logon session and computer.

However, thanks to the security bug, attackers could impersonate a user and decrypt or encrypt data on Windows 7 and Windows 8.1 systems.

He later posted that Microsoft had informed him that a fix had been planned for the January patches but had to be pulled due to compatibility issues. The fix was now expected in the February patches.

Another bug that had been reported was related to a potential attacker being able to see information related to the system's power settings. Both Microsoft and Google had acknowledged it was not a critical issue and Microsoft would not roll out a fix for it.

Project Zero was aimed at compelling software makers to improve upon the response time to software flaws and make the web and computers more secure to use.