Google Discloses Windows 10 Flaw Against Microsoft’s Agreement


Google, as part of routine research into bugs and exploits that are in the Chrome browser or can affect it, has found an exploit that bypasses the UMCI cryptographic code-signing framework on certain Windows 10 systems, and the company has denied Microsoft’s requests to delay disclosing the bug to the public.

To give this some context, when a bug like this is discovered in somebody else’s product, Google has a firm policy that the bug stays confidential for 90 days. The company reports the bug to the responsible party immediately, then releases its full details 90 days later so that the wider security community can benefit from the information. This particular bug has been known to Microsoft for over 90 days, so despite the responsible company’s requests to hold off, Google has released the full details of the exploit.

To be clear, this is not a matter of dire seriousness. This exploit only applies to systems with UMCI, such as Windows 10 S and older Windows RT systems, and is just one among multiple ways to bypass UMCI and run whatever code you please on those systems. It can also only be run from within an application that’s already running, meaning that any application approved for the Windows Store likely won’t have this exploit present, so it poses almost no danger to normal users.