This article is more than 1 year old
Google reveals bug Microsoft says is mere gnat
Chocolate Factory says Redmond can't be bothered fixing hard-to-exploit flaw
Google has reported a local file flaw affecting Windows 7 and 8.1 32 and 64 -bit systems in the third vulnerability dropped since a spat with Microsoft erupted last week.
The vulnerability that allowed a malicious Server Message Block version 2 server to force a client to open arbitrary local files was marked high severity by researcher James Forshaw and led to information disclosure but would not be patched by Microsoft.
"Microsoft have concluded that the issue does not meet the bar of a security bulletin," Foreshaw said in an advisory.
"They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature."
The new disclosure followed a Google bug notice issued last week affecting Windows 7 and 8.1 and leading similarly to information disclosure.
Google appears determined to continue revealing vulnerabilities on its 90-day schedule, despite that policy ruffling Redmond's feathers.
Google's Forshaw said the new flaw isn't easy to exploit, .
"[Exploitation] allows a malicious SMBv2 server to force a client to open arbitrary local files," Forshaw said.
"For example it might be possible to serve a HTML file from the share and use XMLHttpRequest to access local files through this vulnerability. Also even though mount points are supposed to only be used with directories once the buffer is in the object manager it doesn't make such a distinction, so this can be used to open files or directories." ®
Biting the hand that feeds IT
