Google reveals bug Microsoft says is mere gnat
Chocolate Factory says Redmond can't be bothered fixing hard-to-exploit flaw
Google has reported a local file flaw affecting 32-bit and 64-bit Windows 7 and 8.1 systems, the third vulnerability dropped since a spat with Microsoft erupted last week.
The vulnerability, which allowed a malicious Server Message Block version 2 (SMBv2) server to force a client to open arbitrary local files, was marked high severity by researcher James Forshaw and led to information disclosure, but would not be patched by Microsoft.
"Microsoft have concluded that the issue does not meet the bar of a security bulletin," Forshaw said in an advisory.
"They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature."
The new disclosure followed a Google bug notice issued last week affecting Windows 7 and 8.1 and leading similarly to information disclosure.
Google appears determined to continue revealing vulnerabilities on its 90-day schedule, despite that policy ruffling Redmond's feathers.
Google's Forshaw said the new flaw isn't easy to exploit.
"[Exploitation] allows a malicious SMBv2 server to force a client to open arbitrary local files," Forshaw said.
"For example it might be possible to serve a HTML file from the share and use XMLHttpRequest to access local files through this vulnerability. Also even though mount points are supposed to only be used with directories once the buffer is in the object manager it doesn't make such a distinction, so this can be used to open files or directories." ®