Google drops more Windows 0-days. Something’s gotta give -> Windows 7?

Google's security researchers have published another pair of Windows security flaws that Microsoft hasn't got a fix for, continuing the disagreement between the companies about when and how to disclose security bugs.

The first bug affects Windows 7 only and results in minor information disclosure. Microsoft says, and Google agrees, that this does not meet the threshold for a fix. Windows 8 and up don't suffer the same issue.

The second bug is more significant. In certain situations, Windows doesn't properly check the user identity when performing cryptographic operations, which results in certain shared data not being properly encrypted. Microsoft has developed a fix for this bug, and it was originally scheduled for release this past Tuesday. However, the company discovered a compatibility issue late in testing, and so the fix has been pushed to February.

Had the fix worked correctly, Microsoft would have released a patch prior to disclosure. But thanks to the compatibility issue, Google's 90-day deadline was reached yesterday, prompting the advertising company to publish the bug.

Last time this happened, Microsoft wrote a blog post criticizing Google's decision. This time around, the company's response is more reserved. It issued a statement saying:

READ MORE HERE http://arstechnica.com/information-...rstechnica/index+(Ars+Technica+-+All+content)

Google has released details of another Windows exploit before it is patched

A few weeks ago, a Google security researcher released the details of a vulnerability in Windows and refused to wait a couple more days until 'Patch Tuesday' to release the information pertaining to the exploit. In that case, Microsoft had a patch ready to be released a couple days after the 90-day waiting period elapsed but in this latest release, that is not the case.

The latest vulnerability to be detailed by Google is titled an "Impersonation Check Bypass With CryptProtectMemory and CRYPTPROTECTMEMORY_SAME_LOGON flag"; this vulnerability is said to impact Windows 7, 8.1 Update and both the 32/64-bit flavors.

The exploit allows an attacker to impersonate another ID at the identification level and decrypt or encrypt data during that login session. As with the other exploit that was released by Google, you can download a file to execute the flaw.

READ MORE HERE http://www.neowin.net/news/google-h...-another-windows-exploit-before-it-is-patched