Google has been steadily turning up new security vulnerabilities in Microsoft's products through its Project Zero research team. It has now publicly disclosed a Windows issue that Microsoft did not patch within the 90-day deadline Project Zero gives vendors after reporting a bug.
Last time around, Google drew criticism for publishing a serious Windows vulnerability just 10 days after reporting it to Microsoft. This time, however, Microsoft is the one to blame, having left unfixed a security issue that affects its operating systems from Windows Vista Service Pack 2 through the latest Windows 10.
According to the Project Zero bug tracker, security researcher Mateusz Jurczyk ('mjurczyk') reported a vulnerability in the Windows GDI library that can be exploited to read the contents of a process's memory, and which affects any application that renders images through this library. The initial report was sent to Microsoft on 9 June last year, and the company released a fix on 15 June.
That fix, however, turned out to be incomplete: the researcher found that not all of the bugs in the GDI library had been addressed and reported the issue again, with a proof of concept, on 16 November. With the 90-day grace period now over, the details of the vulnerability are public, which puts them in the hands of attackers as well. This is an information-disclosure bug rather than remote code execution: an attacker needs a target to open or render a specially crafted image file, and the payoff is leaked memory contents rather than control of the machine. Memory leaks of this kind are typically used as one step in a larger exploit chain (for example, to defeat address-space randomisation), so it is not yet cause for panic, but Microsoft will need to prioritise a fix before the bug is combined with others into a working attack.
It remains to be seen when Microsoft will release a patch for the issue, or whether one was part of the Patch Tuesday update it postponed this week.