A member of Google's "Project Zero" has made public a critical bug in Windows that Microsoft didn't fix in the 90-day window after the private disclosure of the bug to Microsoft.
Project Zero is a team of security experts Google put together to focus on making the Internet safer by finding vulnerabilities in critical Internet infrastructure. Project Zero has found multiple critical vulnerabilities in other operating systems as well, including Android, Linux, iOS and Mac OS X.
The bug in question appears to give a user (or malware running as that user) Administrator privileges simply by clicking on an .exe file. Even Administrator accounts are normally protected by UAC (the prompt that appears when you install something), which exists precisely so that malware cannot silently obtain higher privileges on the system. This bug, however, makes it possible for the malware to auto-elevate its privileges without that prompt. According to the researcher who found it, the bug has so far only been tested on Windows 8.1, but it may also work on Windows 7.
Microsoft hasn't yet said why it hasn't patched this critical vulnerability, even though the Google engineer notified it about the bug all the way back on September 30. The next planned "Patch Tuesday," the day on which Microsoft usually updates Windows, will be January 13, but Microsoft hasn't said whether this bug will be fixed then, sooner, or exactly when a fix will arrive. It did, however, acknowledge the bug's existence in a public statement:
"We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid log on credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."
Usually, there are two ways to disclose bugs: either right away, to force companies to fix them as soon as possible, or privately, to give companies time to address the bug before it becomes public.
There are major downsides to each option. In the first case, the bug may not be easy to fix, and if it's a serious one, malicious attackers can exploit it freely until it's patched. In the second, companies may not want to disclose the bug publicly at all, fearing that it could cause a major PR scandal. For instance, a bank may not want to admit that its services had a bug that could have allowed its customers' funds to be stolen, because that could threaten its business by scaring away customers.
Some security researchers, such as Google's Project Zero team, have adopted a compromise: They don't disclose bugs publicly as soon as they're discovered, but they also don't wait indefinitely for companies to get around to fixing them. Project Zero has a 90-day disclosure policy, which seems like plenty of time to fix the vast majority of bugs, especially in a time when the number of computer hacks seems to be increasing.
For some reason, Microsoft hasn't gotten around to fixing this critical bug. It's unlikely the company was afraid of a PR scandal, considering how many of these bugs are discovered and disclosed for Windows all the time, including by the company itself.
Either Microsoft had other, more important bugs to fix (although it's unlikely there are many bugs more important than a privilege escalation), or this is a bug that's hard to fix without breaking something else in Windows. This should become clearer when Microsoft eventually releases a fix.
Microsoft also has a policy of disclosing the bugs it discovers for Windows to the NSA, CIA, FBI and other government agencies, in a type of "early alert" system that is supposedly meant to protect these agencies against those vulnerabilities as soon as possible. The practice also gives Microsoft and other companies access to classified information, and it possibly makes it easier for them to obtain other lucrative contracts with other government agencies.
However, as Snowden has revealed, and Microsoft itself knows, these vulnerabilities are usually used by the intelligence agencies to hack into foreign institutions that use Microsoft's software, putting Microsoft's foreign customers at a disadvantage compared to its U.S. government customers.
The fairest policy would seem to be for Microsoft to release a patch as soon as possible for all of its customers.