Earlier in the week, Google managed to raise the ire of Microsoft by publishing details of a vulnerability in Windows before a patch had been published. Now the same thing has happened again, but this time it's a double whammy. Google Security Research has revealed two more security holes that Microsoft is yet to fix.
Just as was the case a few days ago, Microsoft had been warned about the security problems and Google agreed to keep details private for a period of 90 days. Now that the three months are up, details of the security issues have been automatically published, running the risk that users could be targeted.
One of the problems affects both Windows 7 and Windows 8, while the other is regarded as less serious and only affects Windows 7. The Windows 7 security vulnerability is, as pointed out by Ars Technica, not regarded as serious enough to warrant a fix from Microsoft, but it's a different story for the second problem that has been exposed -- a problem with the CryptProtectMemory function. This particular problem could lead to user data becoming exposed due to it not being properly encrypted.
There's something of an irony in the fact that while Microsoft kicked up a stink after Google exposed one vulnerability two days before the patch was scheduled to be released, this second serious problem was also due to be fixed in the same Patch Tuesday update. Unfortunately for Microsoft, and possibly for users of Windows, a problem was discovered with the patch itself so it was pulled at the last minute.
This means that, unless Microsoft is willing to release the fix out of schedule -- which it seemed reluctant to do last time around -- users are going to be exposed to the problem until the next Patch Tuesday rolls around in February. But even if the patch release date is pulled forward, details of the problem are now out in the wild and there is potential for this information to be misused.
Microsoft has yet to issue a statement about this particular batch of revelations, but judging by the ire generated earlier in the week, it's safe to assume that the company will be unimpressed.