By Darren Pauli, 20th January 2015 23:28

Google reveals bug Microsoft says is mere gnat

Chocolate Factory says Redmond can't be bothered fixing hard-to-exploit flaw

Google has reported a local file flaw affecting 32-bit and 64-bit Windows 7 and 8.1 systems, the third vulnerability it has dropped since a spat with Microsoft erupted last week.

The vulnerability, which allows a malicious Server Message Block version 2 (SMBv2) server to force a client to open arbitrary local files, was marked high severity by researcher James Forshaw. It leads to information disclosure, but Microsoft will not patch it.

"Microsoft have concluded that the issue does not meet the bar of a security bulletin," Forshaw said in an advisory.

"They state that it would require too much control from the part of the attacker and they do not consider group policy settings as a security feature."

The new disclosure follows a Google bug notice issued last week that also affected Windows 7 and 8.1 and similarly led to information disclosure.

Google appears determined to continue revealing vulnerabilities on its 90-day schedule, despite that policy ruffling Redmond's feathers.

Google's Forshaw said the new flaw isn't easy to exploit.

"[Exploitation] allows a malicious SMBv2 server to force a client to open arbitrary local files," Forshaw said.

"For example it might be possible to serve a HTML file from the share and use XMLHttpRequest to access local files through this vulnerability. Also even though mount points are supposed to only be used with directories once the buffer is in the object manager it doesn't make such a distinction, so this can be used to open files or directories." ®
