Good guy Google here to help? The search engine giant has a little unit called Project Zero, and that team has made a name for itself when it comes to discovering vulnerabilities in software.
Software developed by Google and other companies.
You know, like Microsoft.
These guys follow a methodology that involves identifying security flaws in programs and privately reporting them to vendors, giving them 90 days to fix these before publicly disclosing them. Depending upon the complexity, this grace period can be extended.
This time around, these folks found a vulnerability in various versions of Windows, of medium severity, that they say was not completely fixed by Microsoft in the most recent Patch Tuesday updates.
The flaw was first reported to Redmond on May 5, 2020. And it involves applications to bypass network authentication via a user’s credentials even when they don’t have that capability. In other words, this can be misused by the wrong hands.
If you are good with the technical details, you can read more about this flaw here.
But basically, a local attacker can utilize this vulnerability by using Classic Edge to access localhost services due to the backdoor in Firewall APIs, and then finding a system service to escape. Hence the medium severity.
Anyway, Project Zero gave Microsoft the standard 90 days deadline to fix this vulnerability, and followed that up with a grace period on July 31 so that the software titan could fix it in the August Patch Tuesday cycle.
Microsoft did, in fact, do so, via the rollout of CVE-2020-1509 yesterday.
But only partially.
As such, Google has now publicly revealed the flaw in accordance with its policies. And this particular problem impacts numerous versions of Windows, including Windows Server 2012, 2016, 2019, Windows RT 8.1, along with Windows 8.1 and versions of Windows 10 all the up to version 2004.
In other words, be careful out there.