Google has published a zero-day exploit in Windows 10 S , the version of Windows that Microsoft has tried to sell as “ultra secure” in large part because it does not accept apps facilities outside of the company’s official store.
Although the failure is of average severity, it was found on Windows 10 systems that use Device Guard , a function that just restricts the operating system to execute only code that is signed by trusted signers, and which is supposed to make everything more secure .
The flaw that was found by what must already be Microsoft’s least favorite group of researchers, Google Project Zero, allows an attacker to bypass the Windows lock policy by using a bug in .NET that allows arbitrary code execution .
As has happened before, with Microsoft Edge and Windows Defender , Google found the vulnerability and informed Microsoft giving the 90 days that are already standard for the company to solve the failure. Microsoft ran out of time (again) and Google has made the bug public .
Microsoft was informed of the vulnerability on January 19 and although they managed to reproduce it on February 10, they asked Google for a 14-day extension that Google denied. Microsoft again requested an extension period promising to fix the ruling with Redstone 4, but also refused .
No doubt another story for the list of outrages that the Redmond have already suffered thanks to Google’s security researchers. While the latter say that it is the only way for some companies to take the security of their products seriously, Microsoft believes that it is irresponsible and harms users that Google unveils these failures before they have a solution.