Google Project Zero shames Microsoft over security flaws that should have been patched last week
No company too big, or too small, to be "security shamed" by Google
Microsoft has been "security shamed" - and not for the first time - by Google's Project Zero unit after the software giant had to pull its monthly Patch Tuesday last week.
The patches were expected to deliver security fixes for a long-running series of flaws that Microsoft claimed had been patched last year, but which Google's Project Zero claimed hadn't been properly fixed.
Microsoft pulled its February Patch Tuesday at the eleventh hour last week, claiming that one of the bug fixes might cause problems on some systems.
Google claims that it has uncovered multiple bugs in the Windows Graphics Component GDI library (gdi32.dll), which the company suggests an attacker could exploit using EMF metafiles to read memory and, hence, to leak data.
While Microsoft issued a Security Bulletin (MS16-074) and patches to excise the bug back in June 2016, Google's Mateusz Jurczyk suggested that the Bulletin didn't fully fix the problem and described new exploits he had developed back in November, when Microsoft was also informed.
Jurczyk provided a detailed explanation of the security flaws on the Project Zero bulletin board. However, because no fix was forthcoming within the strict three-month deadline, Google published details of the security flaws over the weekend.
Indeed, Google's Project Zero has a no-ifs, no-buts policy of disclosing vulnerabilities within 90 days of reporting them to the vendor: "This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public," warns Project Zero.
It is not the first time that Google has embarrassed Microsoft over security patches. In 2015, Project Zero twice went public on flaws in Windows, with Microsoft reportedly "begging" for more time to fix the second one after flunking the deadline on the first.
The very public flogging for Microsoft helped encourage it to issue a mega-patch the next month.
Microsoft's decision to roll up all patches into one mega-patch - making it all the easier to bundle unwanted updates with necessary security updates - may also have meant that the whole patch release had to be postponed when late problems were found with one of the patches.