Microsoft misses Google-found flaw in Patch Tuesday updates

Despite rolling out five security updates, Microsoft did not ship a patch for a publicly disclosed zero-day flaw in Windows. And it just so happens the flaw was discovered by its main rival in the business-software market.


This month's Patch Tuesday saw five updates in total — one rated "critical" and four "important." But a key Windows vulnerability discovered weeks ago by a Google engineer still hasn't been patched.

Google information security engineer Tavis Ormandy discovered a bug in Windows 2000, Windows XP, and later versions, including Windows Server 2003 and 2008, that concerns the privileges of the logged-on user: in other words, a local privilege-escalation flaw, not one that can be exploited remotely without first being logged on.

He made the zero-day flaw public, describing Microsoft as "often very difficult to work with," and as "treat[ing] vulnerability researchers with great hostility."

The software giant said it was not aware of any attacks exploiting the flaw, but it had not issued a security advisory confirming the vulnerability.

It's not the first time Ormandy has published a discovery on a public disclosure list after what he considered a sluggish response from the vendor. The same rinse-and-repeat situation played out in mid-2010 with a zero-day vulnerability in Windows Help & Support, and in the same year he disclosed a flaw in Java that Sun had failed to patch despite being given what he considered adequate time.

Microsoft on Thursday confirmed the Google-discovered bug was not included in June's Patch Tuesday.

Microsoft Trustworthy Computing group manager Dustin Childs said in an emailed statement to ZDNet, "Microsoft carefully investigates newly discovered vulnerabilities and rigorously tests security updates on the affected operating systems and applications, and delivers solutions once they are ready."

Clear as mud, then.