Project Zero publishes an unpatched Windows security flaw

The tech news has been abuzz recently about a Windows security vulnerability that has been published by Google’s Project Zero. The interesting thing here is that the details of the flaw are relatively unimportant. What is important is the way in which the vulnerability was published.

One of the key concepts behind Project Zero is that when a vulnerability is found and reported to the vendor, the vendor has a 90-day window in which to release a patch. The details of the vulnerability are kept secret until either a patch is released or the 90-day window has elapsed.

The controversy here is that, with this particular vulnerability, the 90-day window ran out before Microsoft had come up with a fix. This means that the details of a zero-day vulnerability have been made available to all and sundry, including a proof-of-concept exploit. This is obviously Not A Good Thing™.