Google’s Project Zero team of bug hunters has found a flaw in Windows 10 S, publicly disclosing the issue despite Microsoft wishing to keep it under wraps until it fixed it.
Project Zero looks for exploits in software, either made by Google, or from other companies, and if one is found the team usually alerts the developers of the software in private, giving them 90 days before going public.
Not only is the finding of the flaw embarrassing enough for Microsoft, but apparently it primarily affects Windows 10 S, a version of the operating system that is designed to be more locked down and secure than other versions by only allowing apps from the Microsoft Store to be installed.
According to Project Zero, the flaw targets users with user mode code integrity (UMCI) and Device Guard enabled – which Windows 10 S has by default. This allows arbitrary code to be run, something that Windows 10 S was specifically designed to prevent.
90-day window
Because the flaw only affects a minority of PCs, and even then hackers would need to physically access the PC, Project Zero only deems this a “medium” security flaw, and gave Microsoft the usual 90 days grace period to fix the issue before it was made public.
However, as Neowin.net reports, Google alerted Microsoft to the flaw way back on January 19, and after Microsoft was not able to issue a fix after those 90 days, in time for April’s Patch Tuesday, Microsoft asked for a 14-day extension.
However, Google refused, and apparently Microsoft again asked for an extension of the deadline so that it could be included in the Redstone 4 update (also known as Spring Creators Update). However, with that update being delayed without a new date set in stone, Google has again refused the extension, and has now made the flaw public.
It’s a bit embarrassing for Microsoft, and we can understand why it was keen to avoid the flaw being made public, but hopefully Google’s move will force Microsoft to get a fix out as soon as possible.