Google’s Project Zero team of bug hunters has found a flaw in Windows 10 S, publicly disclosing the issue despite Microsoft wishing to keep it under wraps until it fixed it.
Project Zero looks for vulnerabilities in software, whether made by Google or by other companies. When it finds one, the team usually alerts the developers of the software in private, giving them 90 days before going public.
The finding is embarrassing for Microsoft, not least because the flaw apparently primarily affects Windows 10 S, a version of the operating system that is designed to be more locked down and secure than other versions by only allowing apps from the Microsoft Store to be installed.
According to Project Zero, the flaw affects users with user mode code integrity (UMCI) and Device Guard enabled – which Windows 10 S has by default. The flaw allows arbitrary code to be run, something that Windows 10 S was specifically designed to prevent.
Because the flaw only affects a minority of PCs, and even then hackers would need to physically access the PC, Project Zero deems this only a “medium” security flaw, and gave Microsoft the usual 90-day grace period to fix the issue before it was made public.
It’s a bit embarrassing for Microsoft, and we can understand why it was keen to avoid the flaw being made public, but hopefully Google’s move will force Microsoft to get a fix out as soon as possible.
News source: TechRadar