Google's Project Zero team has outed another Microsoft security flaw, this time in Windows 10 S.
The flaw, which is rated as "medium" in terms of severity, impacts systems with Device Guard enabled and it can't be executed remotely, so it's not easily exploited. Google explains:
This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It's not an issue which can be exploited remotely, nor is it a privilege escalation. An attacker would have to already have code running on the machine to install the registry entries necessary to exploit this issue, although this could be through an RCE such as a vulnerability in Edge. There's at least two know DG bypasses in the .NET framework that are not fixed, and are still usable even on Windows 10S so this issue isn't as serious as it might have been if all known avenues for bypass were fixed.
Google's standard disclosure guidelines state that it will publicly disclose vulnerabilities after 90 days if they haven't been addressed. Microsoft was alerted to the issue in January, but had told Google in February that it would not be fixed in time for the April Patch Tuesday rollout. Microsoft requested extensions in early April, explaining that the issue will be fixed with the release of the Redstone 4 (spring) update. However, because there is no firm release date for Redstone 4, Google turned down the request.
This isn't the first time Google's disclosure policy has been a source of contention between the two companies. The two companies butted heads over the disclosure of a zero-day vulnerability in 2016, leading to an expression of frustration from Microsoft. That followed a similar clash between the two in 2015 over a Windows 8.1 vulnerability. More recently, Google disclosed flaws in Windows 10 and Microsoft Edge in February.
