

By Darren Pauli, 20th January 2015 23:28

Google reveals bug Microsoft says is mere gnat

Chocolate Factory says Redmond can't be bothered fixing hard-to-exploit flaw

Google has reported a local file flaw affecting 32-bit and 64-bit Windows 7 and 8.1 systems, the third vulnerability dropped since a spat with Microsoft erupted last week.

The vulnerability, which allowed a malicious Server Message Block version 2 (SMBv2) server to force a client to open arbitrary local files, was marked high severity by researcher James Forshaw. It led to information disclosure but would not be patched by Microsoft.

"Microsoft have concluded that the issue does not meet the bar of a security bulletin," Forshaw said in an advisory.

"They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature."

The new disclosure followed a Google bug notice issued last week affecting Windows 7 and 8.1 and leading similarly to information disclosure.

Google appears determined to continue revealing vulnerabilities on its 90-day schedule, despite that policy ruffling Redmond's feathers.

Google's Forshaw said the new flaw isn't easy to exploit, .

"[Exploitation] allows a malicious SMBv2 server to force a client to open arbitrary local files," Forshaw said.

"For example it might be possible to serve a HTML file from the share and use XMLHttpRequest to access local files through this vulnerability. Also even though mount points are supposed to only be used with directories once the buffer is in the object manager it doesn't make such a distinction, so this can be used to open files or directories." ®
